0

I've been using NSIS as a packaging tool on a Windows 7 box.

I've very carefully set the file ownership and permissions to what I want in the source directory.

However, when I perform the packaging and then deploy the package, it has changed all file ownerships to "Administrators".

I originally had the "RequestExecutionLevel admin" but even after removing the line, NSIS continued deploying the files with "Administrators" as the owner.

This is giving me a huge headache.

I'd appreciate any leads on this.

I have deployed the "AccessControl" plugin but haven't found its documentation yet, so that would be useful too.

Jim2B

2 Answers

1

NSIS does not preserve the permissions from your source directory. (It would be annoying and would not work on FAT32 and POSIX.)

There is a group policy setting in Windows that decides if files created by a user in the administrators group belong to all administrators or just that single user.

OutFile Test.exe
RequestExecutionLevel user
InstallDir "$Temp\Test"

Section
SetOutPath "$InstDir"

!addplugindir "C:\NSIS\MyDownloadedPlugins\AccessControl\Plugins\"
AccessControl::SetFileOwner "$InstDir" "Anders"
Pop $0
DetailPrint $0

; S-1-5-32-545 is BUILTIN\Users
AccessControl::GrantOnFile "$InstDir" "(S-1-5-32-545)" "GenericRead + AddFile + AddSubdirectory"
Pop $0
DetailPrint $0

AccessControl::DenyOnFile "$InstDir" "(BA)" "AddFile" ; Silly example: Don't let people in the Administrators group create new files
Pop $0
DetailPrint $0

SectionEnd
Anders
0

I think this section on RequestExecutionLevel probably explains my issues with NSIS setting the ownership to admin.

4.8.1.34 RequestExecutionLevel

none|user|highest|admin

Specifies the requested execution level for Windows Vista and higher. The value is embedded in the installer and uninstaller's XML manifest and tells Windows which privilege level the installer requires. user requests a normal user's level with no administrative privileges. highest will request the highest execution level available for the current user and will cause Windows to prompt the user to verify privilege escalation. The prompt might request for the user's password. admin requests administrator level and will cause Windows to prompt the user as well. Specifying none, which is also the default, will keep the manifest empty and let Windows decide which execution level is required. Windows automatically identifies NSIS installers and decides administrator privileges are required. Because of this, none and admin [and default] have virtually the same effect.

It's recommended, at least by Microsoft, that every application is marked with a required execution level. Unmarked installers are subject to compatibility mode. Workarounds of this mode include automatically moving any shortcuts created in the user's start menu to all users' start menu. Installers that need not install anything into system folders or write to the local machine registry (HKLM) should specify user execution level.

More information about this topic can be found on MSDN.

Basically setting the requested access level to anything other than user|highest OR not setting it results in everything being set to admin.

My solution will be to set the requested access level to user.

Jim2B
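
A way to verify the outcome discussed in the answers above, as an added example that is not part of the original posts: a PowerShell function that reports the owner of every deployed file and flags those owned by BUILTIN\Administrators (S-1-5-32-544). The function name, the install path (mirroring the InstallDir in the first answer's script), the choice of the current user as expected owner, and PowerShell 3.0 or later are assumptions.

```powershell
# Added example: report who owns each file an installer deployed.
# Assumptions: PowerShell 3.0+, and that the expected owner is the
# current user unless another SID is passed in.
function Get-DeployedFileOwner {
    param(
        [Parameter(Mandatory = $true)][string]$InstallDir,
        [System.Security.Principal.SecurityIdentifier]$ExpectedOwner =
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    )

    # Well-known SID of BUILTIN\Administrators ("BA" in SDDL notation).
    $adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

    # Include the install directory itself, then everything beneath it.
    $root  = Get-Item -LiteralPath $InstallDir -ErrorAction Stop
    $items = @($root) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        } catch {
            # Unreadable security descriptor: report it instead of skipping it.
            [pscustomobject]@{
                Path = $item.FullName; Owner = $null; OwnerSid = $null; Status = 'Unreadable'
            }
            continue
        }

        # Compare by SID, not by display name, so localized names do not matter.
        if     ($sid.Equals($ExpectedOwner)) { $status = 'Expected' }
        elseif ($sid.Equals($adminsSid))     { $status = 'OwnedByAdministrators' }
        else                                 { $status = 'Other' }

        [pscustomobject]@{
            Path = $item.FullName; Owner = $acl.Owner; OwnerSid = $sid.Value; Status = $status
        }
    }
}

# Constructed usage: list everything under the sample install directory
# that is not owned by the user running the check.
Get-DeployedFileOwner -InstallDir "$env:TEMP\Test" |
    Where-Object { $_.Status -ne 'Expected' } |
    Format-Table Status, Owner, Path -AutoSize
```

Running it once after an install built with `RequestExecutionLevel admin` and once after one built with `RequestExecutionLevel user` shows directly which files end up owned by the Administrators group.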