2

The Wix source code that I feed to the Wix compiler to build an MSI package for my application, contains the following PermissionEx directive, part of a file component which Windows Installer should install with additional (to those that should be inherited by default) permissions:

<PermissionEx Sddl="D:AR(A;;FW;;;BU)" />

As you can surmise, I intend to install the file with inherited permissions ("AR") included in its ACL and on top of that allow members of the Built-in Users group ("BU") to be allowed ("A") to write to the file ("FW").

The code above does not have the desired effect -- the file is installed, but only that single explicit ACE is listed, none of the ACEs that are supposed to be inherited from parent folder.

In contrast, if I subsequently remove all permissions from the file and run cacls file /S:D:AR(A;;FW;;;BU), i.e. specify exactly the same SDDL string, it does work as intended -- the permissions from parent are inherited and form part of the ACL, together with the explicit non-inherited ACE.

I am using Wix 3.11.1.2318 and the Windows Installer version is 5.0.16299.611, all running on Windows 10 Enterprise 64-bit. Orca tells me the MsiLockPermissionsEx table embedded in my built MSI file is populated with the intended SDDL record. So why is the file created without inheriting permissions from its containing folder?

I tried to use "AI" in place of "AR", and both strings together, but none of it had any effect either.

Is this some known limitation or a quirk with Windows Installer? I know that people were talking a while back how the old LockPermissions table (the one specified for Windows Installer versions earlier than 5) was inadequate in this specific regard -- inherited permissions, namely -- but they also said Microsoft was out to address this very issue with the new table feature.

Otherwise what am I doing wrong?

Improve this question
1

2 Answers 2

Reset to default
4

Given your knowledge in this field, you probably have already tried this. It would also be much better to eliminate the need for permissioning, but two snippets for you - notice the Append attribute:

Create a WiX project in Visual Studio. Add the Util namespace to the WiX element:

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">

In Visual Studio project, right click References and add reference to "%ProgramFiles(x86)%\WiX Toolset v3.11\bin\WixUtilExtension.dll".

Permission Folder:

<Component Feature="ProductFeature" Id="Test.exe" Guid="PUT-GUID-HERE">
   <File Source="C:\Test.exe" />
   <CreateFolder>
     <util:PermissionEx User="Power Users" GenericWrite="yes"  />
   </CreateFolder>
</Component>

Permission File:

<Component>
   <File Source="C:\Test2.exe">
      <util:PermissionEx Append="yes" User="Users" GenericWrite="yes" />
    </File>
</Component>
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Take a look at WiX's custom PermissionEx in the Util extension.

http://wixtoolset.org/documentation/manual/v3/xsd/util/permissionex.html

Improve this answer

13 Comments

Did they write that extension because MSILockPermissionsEx is buggy?
I believe they wrote it before MSILockPermissionsEx because LockPermissions was buggy. Also MSILockPermissions was an MSI 5.0 only thing and wasn't available on downlevel systems. It's hard for me to remember some of the history / trivia over the past 20 years so I'd have to go search the archives to give an official answer. But there are certainly certain MSI features that just aren't used anymore because of buggy issues such as Concurrent/nested installs, third party merge modules, COM tables vs registry table, chained installs, delta patches, LockPermissions and so on.
Great list Chris. I wish one of those elements would be called PermissionEx2 or something like that (like some Win32 APIs). Problematic MSI constructs? I would add per-user setups, install from source, and also GUI for being so clunky that people replace it. I don't like this content (very ad-hoc), but here is my list of common MSI pitfalls. And some borderline anti-patterns (towards bottom). Please avoid permissioning if you can. Some alternatives.
I found an article that hinted at different behavior when security information is set on an object with the now obsolete SetFileSecurity procedure vs using its intended replacement (as per Microsoft doc.), SetNamedSecurityInfo, where the former does not result in inherited ACEs being included. I wrote a program as an attempt to see if there is truth to it, which it seems there is -- gist.github.com/amn/e0553d80f93620909247ea91d94f9f83
@amn It should be possible to set the ACL on the new folder to allow writes to the folder with inheritance using util:PermissionEx (IIRC, it always respects inheritance). I expect there is a way to do it with SDDL as well but my SDDL-fu is quite rusty at this time. Best of luck.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.