-
Grant Folder Access
Hi Friedrich,
Our application runs in a number of configurations:
1) Single, stand-alone (installed into one location)
2) Multiple (with a parent/child setup) installations - so parent has data
and programs, each child has programs, but points to same data
3) Multiple users, single program install - so install is on the parent, and
the children all have shortcuts to use this single install
In (2), we want the server to download an update - and install (more
details, but not necessary for this), then the children (once the parent has
completed the install) must run the update install (direct from the parent
location).
I'd like the child installs to run automatically in a UAC environment, so
the first time the install runs at the child, we assume an administrator
runs the install. From there on, the child app will run the install itself
(automatically) to update. I guess I'd use the "Set Access Control" to
accomplish this on a particular Program Files folder, but if you could
recommend the minimum amount of options to allow a non-admin user to run an
update install (which I'm hoping is the same as the master install, only
that the folder will already be created and have the necessary Access
Control settings). I'm thinking: Create Files / Write Data, Delete
Subfolders and Files, Traverse Folder / Execute File. Should I use anything
else?
Thanks
Geoff
-
Re: Grant Folder Access
Geoff,
I think if you run the installed (and updater) as elevated, then no
problem. Running the installed application should always be non-elevated.
--
Russ Eggen
RADFusion International, LLC
-
Re: Grant Folder Access
On 28 Jun 2013 12:13:41 -0400, Geoff Thomson wrote:
> I'd like the child installs to run automatically in a UAC environment, so
> the first time the install runs at the child, we assume an administrator
> runs the install. From there on, the child app will run the install itself
> (automatically) to update. I guess I'd use the "Set Access Control" to
> accomplish this on a particular Program Files folder, but if you could
> recommend the minimum amount of options to allow a non-admin user to run an
> update install (which I'm hoping is the same as the master install, only
> that the folder will already be created and have the necessary Access
> Control settings). I'm thinking: Create Files / Write Data, Delete
> Subfolders and Files, Traverse Folder / Execute File. Should I use anything
> else?
Hi Geoff,
There is no way to install ANY file in to the Program Files folder (or the
Windows folder) unless the installer is running elevated. These are
folders protected by the UAC.
If your non elevated installer tried to write there, Virtualization would
kick in and then your problems are just starting<g>. The same is true of
trying to write to the HKLM Registry node.
User access control has nothing to do with it in this case and would not
help you AFAIK.
The best you could hope for would be that the child installs are elevated
installers and if a non-administrator went to run one (by virtue of being
logged in when your automatic update ran), the would get a prompt for
elevation and could use an "over the shoulder" authentication by an
administrator level account.
But your never going to be able to put any files (program or data) anywhere
under the Program Files directory without Virtualization kicking in.
That is just the way it is from here on out...
Welcome to UAC<g>.
Charles
--
-------------------------------------------------------------------------------------------------------
Charles Edmonds
cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)
www.clarionproseries.com - ProScan, ProImage, ProPath and other Clarion
developer tools!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.pagesnip.com - "Print and Save the Web, just the way you want it!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.lansrad.com - "Intelligent Solutions for Universal Problems"
www.fotokiss.com - "World's Best Auction Photo Editor"
-------------------------------------------------------------------------------------------------------
-
Re: Grant Folder Access
Geoff,
I'll upload a demo project soon...
Friedrich
-
5 Attachment(s)
Re: Grant Folder Access
Hi Geoff,
I have developed an "UAC Dirty Trick" project that demonstrates how to set
up an application which can be updated non-elevated. The initial install
requires elevation, all updates can be done non-elevated (even if UAC is
turned on).
Just for the records (but I know you are aware of this): This opens a
security hole the size of... a large security hole, so be careful where you
use this <g>.
My recommendation is to NOT use this "hack". I DO NOT RECOMMEND THIS TRICK
AT ALL <g>. I made this trick available to demonstrate the power of
SetupBuilder V8.
Okay, enough of the warnings...here we go.
Please download the following ZIP file (includes the two .sb8 demo projects
and four ASCII text files):
http://www.lindersoft.com/projects/U...ty_TrickV1.zip
1. UAC_DirtyTrick_Init.sb8
This project "initializes" the non-elevated update method. It's a standard
"requireAdministrator" setup that creates your folders, installs your files,
creates the registry entries, adds the uninstall, etc. And it "manipulates"
the Access Control List for a specific folder under the Program Files (x86)
tree.
This demo project creates "UAC_DirtyTrick" and "UAC_DirtyTrick\SubFolderB"
folders under Program Files. It installs two ASCII text files (FileA.txt
and FileB.txt). The contents of the files stores a test text ('FILEA
Version 1.00' and 'FILEB Version 1.00').
You'll notice that the initial install will display an UAC elevation prompt.
2. UAC_DirtyTrick_Update.sb8
This project "updates" the application. The "UAC Execution Level" is set to
"asInvoker" and runs non-elevated by default. It updates the FileA.txt and
FileB.txt files. The contents of the updated files will be 'FILEA Version
1.10' and 'FILEB Version 1.10'. It will also update the uninstall .log.
You'll notice that the update will NOT display any UAC elevation prompt!
BTW, the uninstall (created at init stage) runs elevated and can remove all
required components.
NOTE: This method does also work in the latest Windows 8.1. But again, it's
not recommended and we (Lindersoft) do not support it!
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official Comodo Code Signing and SSL Certificate Partner
-
Re: Grant Folder Access
My computer exploded. Dangit!
Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.
-
Re: Grant Folder Access
Jeff,
> My computer exploded. Dangit!
In that case you don't have to worry about big red 1's allover!<g>
Lee White
-
Re: Grant Folder Access
>
> My computer exploded. Dangit!
>
I warned you...I WARNED YOU!!! :-)
Friedrich
-
Re: Grant Folder Access
Should have use a Mac! :-)
--
Russ Eggen
RADFusion International, LLC
-
Re: Grant Folder Access
Hi Friedrich,
I get the message.
I'm reticient to go the route of a backdoor, but then it's not practicable
to have an automatic install that can't "update" a child machine
automagically. I'm guessing that the security hole is essentially that
anyone can install an application (of the same name as my application) into
that folder? Or can they install anything with non-admin rights into that
folder?
Thanks very much for the tip. This is hugely appreciated.
Geoff