
I've created an InstallShield 2015 (InstallScript) project which installs a .NET application in an installation directory.

The .NET application relies on a SQL CE 4.0 database.

The installation process is run under an Administrator or local administrator account.

In the InstallShield project, I've put the emptied SQL CE 4.0 database .sdf file into the [CommonAppDataFolder]. The installation process will copy the database to the following location:

Windows Vista (or later): C:\ProgramData\MYCOMPANY\MYAPP\database.sdf

At the end of the installation process, the MSI will call a batch file to set write permissions for the "Users" group like this (because of ownership taken when creating the file in the CommonAppData folder):

icacls C:\ProgramData\MYCOMPANY /T /grant *S-1-5-32-545:W

The application will be executed under a standard user process (not elevated by UAC) in order to connect and write to the compact database by members of the "Users" group.

I was wondering if I was allowed to perform the 'icacls' command without creating a security hole for IT administrators and if I had to take into account other group SIDs?

Thanks in advance for your response,

  • Side question (for after you figure out if this is a good idea): have you considered using SetObjectPermissions to avoid having to shell out to icacls? – Michael Urman Mar 16 '16 at 12:06
  • Not at all, I'll consider using it because it looks like a more elegant way to deal with ACL assignment using installscript. – user4953001 Mar 16 '16 at 12:33

1 Answer

It's acceptable to run icacls commands on folders & files which your installation created. Doing so on any other folder is considered a security breach (and some defensive software is able to detect and prevent it).

However, at least in a corporate environment, I would advise against a hard-coded SID, unless there is a really good reason (e.g. a user or group which your installation creates by itself).
Instead, the setup should present a dialog that allows specifying the users and/or groups (local ones and, if applicable, domain ones) to which the permissions will be applied (effectively, those who can run the application).
You can use the SdLogonUserBrowse() function for this purpose.

yossiz74
  • Thanks, I'll try to implement this dialog and store the users/groups selection, then apply SetObjectPermissions to each item of the selection. I'll be back to mark this as an answer. Overall, it's best if I can manage ACL permissions by writing a single InstallScript code block instead of a DOS batch file. Kind regards, – user4953001 Mar 16 '16 at 12:35
  • Almost there! SdLogonUserBrowse dialog is called during installation sequence but after clicking on the browse button, a popup is displayed "ISNetApiRT.dll is not loaded or there was an error loading the dll. This dll needs to be loaded for this operation. Verify that the dll is in the SUPPORTDIR directory". – user4953001 Mar 16 '16 at 17:26
  • Correct! I totally forgot about it. You should add it to the 'Support Files\Language Independent' section in your project (under Behavior and Logic). Copy it from C:\Program Files (x86)\InstallShield\2015\Redist\Compressed Files\Language Independent\Intel 32\ISNetApiRT.dll – yossiz74 Mar 16 '16 at 19:15
  • I've inserted the file above in the IS project -> Behavior and Logic -> Support Files/Billboard but I'm still getting the same error on the dialog. – user4953001 Mar 17 '16 at 08:27
  • In order to debug, I created a new Installscript MSI project, ISNetApiRT.dll was already present in the Support Files/Billboard section. I've modified the Build->Settings and added the NetApiRT.obl reference. Then, I've overloaded the Behavior and Logic -> Installscript -> Before Move Data -> OnFirstUIBefore scripting. I've built and run the simple MSI project and still getting the dll is not loaded error when clicking on Browse button of the SdLogonUserBrowse dialog. – user4953001 Mar 17 '16 at 10:28
  • I see now. We use it in an InstallShield 2008 project, but somewhere along the way to InstallShield 2015 they changed the API, so those functions only work when used by the SdLogonUserInformation() function. While you can try working around it (since the 'private' code is available in NetApiRT.rul so you can probably just include it directly in your project), I think that it would be much simpler to just run the system command 'net localgroup' and/or 'net group /domain' and then have the user select one from the list. – yossiz74 Mar 17 '16 at 10:36
  • It worked perfectly using the SdLogonUserInformation dialog. Thanks again for your help! – user4953001 Mar 17 '16 at 12:02
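
An added example, not part of the original thread: a PowerShell check to run after installation that lists every allow ACE under the data directory that gives write-type rights to the Users group or another broad group, matched by SID as in the question's icacls call. The path comes from the question; the list of broad SIDs, the rights mask and the file-extension list are assumptions of this example.

```powershell
# Added example: post-install audit of write access under the data directory.
param([string]$Root = 'C:\ProgramData\MYCOMPANY')   # path from the question

# Broad principals to flag, keyed by SID (assumed list; SIDs are locale-independent).
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that allow changing content or the ACL (assumed mask), plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x50000000

# Extensions treated as code rather than data (assumed list).
$CodeExt = '.exe', '.dll', '.bat', '.cmd', '.ps1'

# The root itself plus everything below it, hidden and system items included.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Request SIDs instead of names so the match works on localized Windows.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                IsCode    = (-not $item.PSIsContainer) -and ($item.Extension -in $CodeExt)
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Path }
else { Write-Output "No write-type ACEs for broad groups under $Root" }
```

A grant made with `/T` and no `(OI)(CI)` flags shows up here as a non-inherited ACE with `None / None` on each existing item, so files created later do not receive it. Any row with `IsCode` set means a standard user can modify something that may later be executed, which is the case to review first.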