Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion

Reply
Thread Tools Search this Thread Display Modes
Old 16th September 2015, 09:33   #1
hellik
Junior Member
 
Join Date: Mar 2010
Posts: 14
correct file/folder permission setting for a nsis installer subprocess

hi,

we have a nsis installer script [1], which writes out a windows bat-file [2].

this bat-file sets some variables and is called during installation [3], subsequently this bat-file invokes some exe-file [4] which scans the system for fonts and updates a file in $INSTALL_DIR\some subfolder.

this worked for the most of the win 7 boxes, but it doesn't work for most of win 8 and win 10 boxes, as it seems file/folder permission management has changed between win 7 and win 8/win10.

any hints how to set correctly file/folder permissions for nsis subprocess invoking a bat and subsequently an exe which updates a file in $INSTALL_DIR\some subfolder?

best
Helmut

[1] https://trac.osgeo.org/grass/browser...aller.nsi.tmpl

[2] https://trac.osgeo.org/grass/browser....nsi.tmpl#L534

[3] https://trac.osgeo.org/grass/browser....nsi.tmpl#L592

[4] https://trac.osgeo.org/grass/browser....nsi.tmpl#L560
hellik is offline   Reply With Quote
Old 16th September 2015, 13:00   #2
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,539
File/folder permissions is something set on file system objects, you must set them globally and not per-process. It can be done by using the AccessControl plugin but it is not recommended to give all users write access to .exe/.dll files in $InstDir.

It might be a good idea to try Process Monitor from Microsoft and see if you are actually getting access denied when accessing the path or if there is some other problem...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 16th September 2015, 21:21   #3
hellik
Junior Member
 
Join Date: Mar 2010
Posts: 14
thanks for your reply.

>It can be done by using the AccessControl plugin but it is not recommended to give all users >write access to .exe/.dll files in $InstDir.

I've tried to set permission to the file ($INSTALL_DIR\some_subfolder\file_to_be_updated) which should be updated during installation by the AccessControl plugin.

but this doesn't work as it seems the updating exe ($INSTALL_DIR\bin\exe_which_does_the_update) has no (over)write access in $INSTALL_DIR\some_subfolder\ or $INSTALL_DIR\some_subfolder\file_to_be_updated.

the update of $INSTALL_DIR\some_subfolder\file_to_be_updated has only to be done during installation.

a workaround/hack may be?:

- set permission to (over)write $INSTALL_DIR\some_subfolder\file_to_be_updated
- set write permission to $INSTALL_DIR\bin\exe_which_does_the_update
- do the file update as described by invoking bat-file and subsequently exe
- set permissions of $INSTALL_DIR\some_subfolder\file_to_be_updated and $INSTALL_DIR\bin\exe_which_does_the_update back

any other hints?

thanks
hellik is offline   Reply With Quote
Old 16th September 2015, 22:14   #4
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,539
Why does Process Monitor say? If it is failing with access denied then we need to look at how you are calling AccessControl, otherwise it might be a wrong path issue...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 17th September 2015, 08:41   #5
hellik
Junior Member
 
Join Date: Mar 2010
Posts: 14
setting permissions:

https://trac.osgeo.org/grass/browser....nsi.tmpl#L531

;grant $INSTDIR\etc read write accessible
AccessControl::GrantOnFile "$INSTDIR\etc" "(S-1-5-32-545)" "GenericRead + GenericWrite"
;grant modifying/overwriting fontcap file
AccessControl::GrantOnFile "$INSTDIR\etc\fontcap" "(S-1-5-32-545)" "GenericRead + GenericWrite + Delete"

the unfortunate situation is that the whole procedure works on some windows boxes and on some windows boxes not.

Process Monitor or a manually invoking of the bat file shows access denied.
hellik is offline   Reply With Quote
Old 17th September 2015, 13:24   #6
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,539
Quote:
Originally Posted by hellik View Post
the unfortunate situation is that the whole procedure works on some windows boxes and on some windows boxes not.
Are some of these 64-bit and some 32-bit versions of Windows?

You should also check if AccessControl failed:

Quote:
AccessControl::GrantOnFile ...
Pop $R0
DetailPrint $R0 ; Will be "error" if it failed
You could also try granting FullAccess, you are currently missing GenericExecute when trying to be specific...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Old 17th September 2015, 21:28   #7
hellik
Junior Member
 
Join Date: Mar 2010
Posts: 14
> Are some of these 64-bit and some 32-bit versions of Windows?

it works for me for win 7 32-bit and 64-bit; users reported that it doesn't work for win 8/win 10 64-bit.

> You should also check if AccessControl failed:

added it to the nsis script, waiting for the daily build of the installer and report back

> You could also try granting FullAccess

will try it
hellik is offline   Reply With Quote
Old 22nd September 2015, 17:05   #8
hellik
Junior Member
 
Join Date: Mar 2010
Posts: 14
a short update on this after some testing.

> You could also try granting FullAccess
> You should also check if AccessControl failed

I've added to the script granting FullAccess to folder "$INSTDIR\etc" and file which should be updated and a check of failing/success AccessControl [1].

furthermore I've elevated the bat file, which is called by the installer, to administrator by adding elevation to the bat manifest [2].

test report:

- setting AccessControl ok and file is updated:

win Vista 32bit
win 7 32bit and 64bit
win 8.1 64bit

- setting AccessControl ok, but file is not updated:

win 10 64bit in a virtual machine

[1] https://trac.osgeo.org/grass/browser....nsi.tmpl#L531
[2] https://trac.osgeo.org/grass/browser....nsi.tmpl#L588
hellik is offline   Reply With Quote
Old 24th September 2015, 13:00   #9
Anders
Moderator
 
Anders's Avatar
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,539
I don't think .bat files support manifests but if the parent process is elevated then the .bat file should be elevated as well.

I assume you have verified the permissions on the security tab in the properties for the files/folders in question on the systems it fails on?

If it works on some systems and not on others you should probably move your investigation to g.mkfontcap.exe...

IntOp $PostCount $PostCount + 1
Anders is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Developer Center > NSIS Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump