I guess any executable that is run as administrator can change the permissions, but I'm not sure exactly what functions are used for it. Perhaps SetSecurityInfo can do it.
When creating an installer, the installer creator should have an option for it. I don't have much experience with it, but with Inno Setup for example it's easy to add the permissions, http://www.jcmiras.net/jcm/item/27/.
I found with Google that MSI installers can change it with the LockPermissions table (from Orca or whatever installer creator is used).
current working directory for running exe
Quote:Original post by Erik Rufelt
I guess any executable that is run as administrator can change the permissions, but I'm not sure exactly what functions are used for it. Perhaps SetSecurityInfo can do it.
When creating an installer, the installer creator should have an option for it. I don't have much experience with it, but with Inno Setup for example it's easy to add the permissions, http://www.jcmiras.net/jcm/item/27/.
I found with Google that MSI installers can change it with the LockPermissions table (from Orca or whatever installer creator is used).
Cheers.
Quote:Original post by Erik Rufelt
Regular users can't write to the common app-data directory either
I don't think that's the case, this is the ACL I get on the ProgramData folder on 7 Ultimate and Server 2k8 SP2 which I'm sure I haven't modified.
Security Info for c:\ProgramDataOwned by: BUILTIN\Administrators ACCESS RIGHTS-----------------NT AUTHORITY\SYSTEM has access 0x1f01ff and can: Delete the Object Read the Security Descriptor Write/Amend the Object DACL Write/Amend the Object Owner Use Synchronization Functions on the Object Access All Object Specific PermissionsBUILTIN\Administrators has access 0x1f01ff and can: Delete the Object Read the Security Descriptor Write/Amend the Object DACL Write/Amend the Object Owner Use Synchronization Functions on the Object Access All Object Specific PermissionsCREATOR OWNER has access 0x10000000 and can: Request All Object Specific PermissionsBUILTIN\Users has access 0x1200a9 and can: Read the Security Descriptor Use Synchronization Functions on the Object List Directory Contents Read Extended Attributes and Properties Traverse DirectoryBUILTIN\Users has access 0x116 and can: Create Subdirectory Add File to Directory Write Extended Attributes and PropertiesEdit: The DACL seems more permissive than the one in XP, which does disallow write access for BUILTIN\Users but allows it for Authenticated Users instead.
Quote:
I guess any executable that is run as administrator can change the permissions, but I'm not sure exactly what functions are used for it
For files, the easiest way is a combination of filling out an EXPLICIT_ACCESS struct, GetNamedSecurityInfo to get the current ACL (you can specify NULL for all the other output parameters), SetEntriesInAcl to create a new one containing the new ACE and then SetNamedSecurityInfo to actually update the SD. There's also a sample.
[Edited by - adeyblue on December 25, 2009 2:08:20 PM]
I see. It failed for me during some testing on Vista, but perhaps it was only for the guest user. I see that on my system there's "special permissions" which allow writing for Users here too..
It makes sense that the guest users shouldn't change shared application settings, but I used a library that require write access to it's files whenever the program is run.
It makes sense that the guest users shouldn't change shared application settings, but I used a library that require write access to it's files whenever the program is run.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
