
How do I grant full access (read/write/delete) to a directory¹ and all its sub-directories for all users using the NSIS language? I have seen this and all similar answers. They all recommend doing this:

AccessControl::GrantOnFile  "$APPDATA\${APP_NAME}" "(S-1-5-32-545)" "FullAccess"

I did it, but files created in "$APPDATA\${APP_NAME}" are still not accessible (can't be read/modified/deleted) for users other than the creator. None of the files can be modified, and some can't even be read. I am on Windows 7 64 bit. What am I doing wrong? I've also tried using "(BU)" instead of "(S-1-5-32-545)" and "GenericRead + GenericWrite" instead of "FullAccess". Neither helped.
I am using SetShellVarContext all and after executing the installer, the permissions look like this:

[Screenshot: Permissions]

My main goal is to store files that have to be read and modified by all users. If there is a better way of doing that, other than storing in "C:/ProgramData/MyApplication/" and giving all users permissions, that will also be useful.

¹ The directory is "$APPDATA\${APP_NAME}", which is C:/ProgramData/MyApplication/

Aykhan Hagverdili
  • Can you confirm that you are using `SetShellVarContext all`? Did you inspect the security of the directory in Explorer after granting? – Anders Sep 21 '19 at 16:42
  • @Anders yes, I am using `SetShellVarContext all` and, after executing the installer, the permissions for all users are "Full control", "Modify", "Write", but not others like "Read" or "Read & execute", "List folder contents", "Special Permissions" – Aykhan Hagverdili Sep 21 '19 at 16:49
  • @Anders added a screenshot showing the security properties – Aykhan Hagverdili Sep 21 '19 at 17:54
  • Any suggestions why the command below is behaving differently on 2 different laptops? AccessControl::GrantOnFile "$APPDATA\${MYAPP_NAME}" "(BU)" "FullAccess" – JDGuide Jan 10 '23 at 03:11
  • @JDGuide not quite sure. Maybe ask a new question with more details? – Aykhan Hagverdili Jan 10 '23 at 07:53
  • @AyxanHaqverdili, here I have posted the question https://stackoverflow.com/questions/75065286/nsis-permission-not-working-as-expected-for-users – JDGuide Jan 10 '23 at 08:21

1 Answer


While my security tab looks the same as yours, other non-admin users are able to write to files after the AccessControl call. If you click the Advanced button from your screenshot you should see the true ACL where there should be a non-inherited entry that gives full access to the users group.

RequestExecutionLevel admin            ; changing the ACL of a ProgramData folder needs elevation
!define APP_NAME "SOTest"

Section
SetShellVarContext all                 ; $APPDATA now resolves to the all-users ProgramData folder

CreateDirectory "$APPDATA\${APP_NAME}"
nsExec::ExecToLog '"icacls" "$APPDATA\${APP_NAME}"'   ; dump the ACL before the grant
Pop $0                                 ; icacls exit code

AccessControl::GrantOnFile "$APPDATA\${APP_NAME}" "(S-1-5-32-545)" "FullAccess" ; or use S-1-1-0 for Everyone
Pop $0                                 ; plugin result string
MessageBox mb_ok "GrantOnFile returned $0"
nsExec::ExecToLog '"icacls" "$APPDATA\${APP_NAME}"'   ; dump the ACL again after the grant
Pop $0
SectionEnd

gives me

Create folder: C:\ProgramData\SOTest
C:\ProgramData\SOTest NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(OI)(CI)(RX)
                      BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
C:\ProgramData\SOTest BUILTIN\Users:(OI)(CI)(F) <-- Full access for users group
                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(OI)(CI)(RX)
                      BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

Even if you can make it work, it is not the correct way for an application to function. You can store initial/template data in the ProgramData folder but the first time a user runs the application it should copy the data from ProgramData to the user's %AppData% folder. This of course means each user has their own private data. This has been the preferred method for at least 20 years.

If you still decide that the data should be writable and shared by all users, you have to remember that different users can run your application at the same time (Remote desktop etc.) and the application needs to synchronize access to the shared files when reading/writing.

Anders
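An added example, not part of the question, the answer or the NSIS AccessControl plugin: a small Python parser for the `icacls` listings the answer shows, plus the check the answer describes in words (a non-inherited entry under Advanced that gives the Users group full control on the folder, its subfolders and its files). The two sample listings are constructed from the dumps above; the folder path `C:\ProgramData\SOTest` is the one the answer uses. The rights table also records what the abbreviations mean, which is the part the simple Security tab hides: `F` (full control) is Modify plus the right to change permissions and take ownership, so if the goal is only read/write/delete for all users, `M` (modify) is the narrower grant to look for.

```python
"""Parse `icacls <folder>` output and audit the ACEs it lists.
Added example; sample listings are constructed from the answer's dumps."""
import re
from dataclasses import dataclass

FOLDER = r"C:\ProgramData\SOTest"

# Constructed sample: icacls output before AccessControl::GrantOnFile ran.
ICACLS_BEFORE = r"""C:\ProgramData\SOTest NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(OI)(CI)(RX)
                      BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: icacls output after the grant (new explicit ACE on top).
ICACLS_AFTER = r"""C:\ProgramData\SOTest BUILTIN\Users:(OI)(CI)(F)
                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(F)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(OI)(CI)(RX)
                      BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files
"""

# icacls inheritance/type flags, and the rights abbreviations seen in the dumps.
FLAGS = {
    "I": "inherited from parent",
    "OI": "object inherit (applies to files inside)",
    "CI": "container inherit (applies to subfolders)",
    "IO": "inherit only (does not apply to this folder itself)",
    "DENY": "deny entry",
}
RIGHTS = {
    "F": "full control (modify + change permissions + take ownership)",
    "M": "modify (read, write, execute, delete)",
    "RX": "read & execute",
    "WD": "write data / create files",
    "AD": "append data / create subfolders",
    "WEA": "write extended attributes",
    "WA": "write attributes",
}

# principal:(flag)(flag)...(rights) -- the principal may contain spaces and backslashes
ACE_RE = re.compile(r"^(?P<principal>\S.*?):(?P<perms>(?:\([^()]*\))+)\s*$")


@dataclass(frozen=True)
class Ace:
    principal: str
    flags: frozenset   # subset of FLAGS keys
    rights: tuple      # e.g. ("F",) or ("WD", "AD", "WEA", "WA")


def parse_icacls(output: str, folder: str) -> list:
    """Turn an icacls listing into one Ace record per ACE line."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(folder):            # only the first ACE line carries the path
            line = line[len(folder):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^()]*)\)", m.group("perms"))
        flags = frozenset(t for t in tokens if t in FLAGS)
        rights = tuple(r for t in tokens if t not in FLAGS for r in t.split(","))
        aces.append(Ace(m.group("principal"), flags, rights))
    return aces


def has_explicit_full_control(aces, principal: str) -> bool:
    """True if `principal` has a non-inherited allow ACE granting F that applies to
    the folder itself, its subfolders (CI) and the files in it (OI)."""
    for ace in aces:
        if ace.principal.lower() != principal.lower():
            continue
        if ace.flags & {"I", "IO", "DENY"}:    # inherited, inherit-only or deny: not it
            continue
        if "F" in ace.rights and {"OI", "CI"} <= ace.flags:
            return True
    return False


def describe(ace: Ace) -> str:
    """Expand the icacls abbreviations into words."""
    rights = ", ".join(RIGHTS.get(r, r) for r in ace.rights)
    flags = "; ".join(FLAGS[f] for f in sorted(ace.flags))
    return f"{ace.principal}: {rights} [{flags}]"


if __name__ == "__main__":
    for label, listing in (("before", ICACLS_BEFORE), ("after", ICACLS_AFTER)):
        aces = parse_icacls(listing, FOLDER)
        print(label, "- explicit full control for Users:",
              has_explicit_full_control(aces, r"BUILTIN\Users"))
        for ace in aces:
            print("   ", describe(ace))
```

Run against a real folder by piping `icacls <folder>` output into `parse_icacls`; on the "before" listing the Users group only holds inherited RX plus create rights, so the check is false, and on the "after" listing the new `BUILTIN\Users:(OI)(CI)(F)` entry makes it true.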