Calcs.exe, Assigning the permissions

Prafful Sharma's picture
Prafful Sharma
April 28th, 2009
Hi

I am using cacls.exe in my wise program, Do we have any inbuilt equivalent in WISE Script which I can make use of.

Currently I am shelling out using cacls and this is causing issues in Vista. In short I want to get rid off the Black colour windows in Vista.

if someone can assit in suggesting if there was any equivalent in WISE Scripting world to make use of ?


Thanks

Prafful Sharma
Filed under: ,
+1 (1 vote)
VBScab's picture
VBScab
29 weeks 5 days ago

I can't think of any

I can't think of any packaging product which caters *properly* for permissioning (if ANYONE mentions Windows Installer's Lockpermissions table I will seek them out and.....)

Why not shell out to START.EXE instead? You can tell it that you don't want a window using the '/B' switch. Also, get to know SetACL instead of CACLS, as it can permission the registry as well as the file system.

Don't know why 'x' happened? Want to know why 'y' happened? Use ProcMon and it will tell you.
Think about using http://www.google.com before posting.

+1 (1 vote)
EdT's picture
EdT
29 weeks 5 days ago

How are you calling CACLS

Do you still get the same issues in Vista if you turn off the UAC ? 
How are you calling CACLS?  Immediate/Deferred CA?  User or System context?
Are you setting permissions on a local or global basis?

Apart from SetACL, there is also the native secedit utility that is installed automatically with current Windows operating systems.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

+1 (1 vote)
philbenson's picture
philbenson
29 weeks 5 days ago

Another

way would be to "wrap" the cmd.exe / command shell in a WSE script, and call it using the "hidden" parameter. any parameters passed to the shell are executed, but are hidden. As the wse script can be set to "As Invoker" you should not have any problems with permissions under Vista.
As Ian has already stated, the lock tables *should not* be used.
Personally I prefer to use SecEdit + security template, as this is more flexible that CACLS, and not as complicated as SetACL.
Cheers
Phil

+1 (1 vote)
AngelD's picture
AngelD
29 weeks 4 days ago

Take advantage of the

Take advantage of the wixca.dll as posted by spartacus at Suppress Custom Action EXE, it will do what you are after.

+1 (1 vote)
Prafful Sharma's picture
Prafful Sharma
29 weeks 4 days ago

secedit and setacl

I will make use of SetACL and secedit utilities to see if these made a difference also check on wixca.dll.
Thanks

+1 (1 vote)
VBScab's picture
VBScab
29 weeks 4 days ago

Using a different tool won't

Using a different tool won't alter the fact that you get a UAC prompt . We are just presenting alternative tools. You'll need the WixCA.DLL work-around to bypass the prompt.

Don't know why 'x' happened? Want to know why 'y' happened? Use ProcMon and it will tell you.
Think about using http://www.google.com before posting.

+1 (1 vote)
philbenson's picture
philbenson
29 weeks 3 days ago

UAC...

Hi Ian,
if you create a wse script that wraps the call to Secedit with the parameters (ensuring that the wse is compiled to be called "as involker"), and the CA that calls the wse script is in execute deferrred (of course, making sure that the deferred seq. is evelated) then you do not get the UAC prompt...

Cheers
Phil

0 votes
piyushnasa's picture
piyushnasa
28 weeks 5 days ago

Other options

Hi,some more details and other options for giveing permissions can be seen in my article here:
www-secure.symantec.com/connect/articles/different-ways-giving-permissions-your-windows-installer
 
Hope this helps.

Piyush Nasa
Altiris Certified Professional (ACP)

+2 (2 votes)
kevin.elwell's picture
kevin.elwell
24 weeks 5 days ago

Another Option

We have recently been using SetACL.exe to perform the permission settings. We integrate this into our MSI/WSI templates so all you have to do is create a property with the directory that you want the permissions created on.
One of our technicians found this and implemented it into the WSI template for our use. 
If the property is not there, it doesnt worry about the SetACL.exe. We set a custom action in execute deferred that is directly below Create Folders. It calls the SetACL.exe and applies the permissions to the directory and all sub directories that may get created as well. This is done before all the files are installed, so it is much quicker than running cacls after the directory is populated. We have a function that is in our wrapper that looks for the SetACL.exe on the local machine, if it is not there, it copies it down to the pc. Eventually this file will be in all our corporate images.
The SetACL.exe can be found here and it has many examples there as well. It is a very robust application as it can set directory, registry, services, and more.

Good Luck

Kevin Elwell

+1 (1 vote)
VBScab's picture
VBScab
27 weeks 6 days ago

So, you must therefore have a

So, you must therefore have a separate action for extracting the EXE from the Binary table, right?

Don't know why 'x' happened? Want to know why 'y' happened? Use ProcMon and it will tell you.
Think about using http://www.google.com before posting.

0 votes
kevin.elwell's picture
kevin.elwell
24 weeks 5 days ago

Extracting

We are coping the SetACL.exe to the local machine, we do not extract it at all fromt he binary table. As i stated, we currently copy the file locally using VB Script in our wrapper. However, the tech that implemented this has engaged our engineers to make the SetACL.exe part of our corporate images. So moving forward, we will not need to copy the file down, it will already be there.

We use a CA with the following code:

C:\SampleDirectory\SetACL.exe -on [_SetPermissions] -ot file -actn ace -ace "n:S-1-5-32-545;p:full;s:y" -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl" -actn list -lst "f:tab;w:d,s,o,g;i:y;s:b" -rec cont_obj -log C:\SampleDirectory\SetPermissions.log -silent

Kevin Elwell

+1 (1 vote)
John McFadyen's picture
John McFadyen
27 weeks 5 days ago

Repackaging vs End user deployment

Take note that all of you using CA's like this should be using the Directory variables and CustomActionData if your users have the ability to change the installation locations.

for example

[Directory]
[#filekey]
[$componentkey]

If you hardcode the path in your CA's and the users changes the installation directories your install's will fail. You should be building these CA's to cater for ALL installation scenario's for best practice results.

0 (2 votes)
kevin.elwell's picture
kevin.elwell
27 weeks 4 days ago

Our Enviornment

We are deploying packages via Microsoft SMS. The end users will not have the ability to change any install directories. We install silently or minimum GUI for the clients in 98% of deployments. Some cannot be done silently. We also make it as easy as possible on the end users for licensing, configs, etc. We do our best to build all that into our packages.

Great points from everyone!

Thank you.

Kevin Elwell

+1 (1 vote)
EdT's picture
EdT
27 weeks 5 days ago

Good point

However, permissioning is usually an aspect of a corporate environment where the installation locations tend to be hard coded to fit in with the build design. Hopefully, any software intended for public consumption will follow the correct coding practices so that any content requiring write access will be in the user folders where write access is already provided.
The good thing is that the increasing security of operating systems such as Vista is forcing developers to mend their ways and produce better code that does not assume each user is a local admin.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.

0 (2 votes)