Bizarre permissions question



NewsArchive
02-18-2008, 02:03 AM
Hi, Friedrich,

Someone sent me a script to look at. Its basic problem is that ordinary
users can't run the app once it's installed.
The reason is that ALL the files in the installation folder have their
inheritance removed (attached pic). Permissions on the parent folder inside
of Program Files are fine.
The only access control item in his script is to change permissions on a
registry key, but it's not completely filled in and doesn't do anything.
I can't see anything else in his script that would affect permissions this
way.
It's a web-based installation.

Wisdom, please :)

Jane

NewsArchive
02-18-2008, 02:04 AM
Hi Jane,

I also reviewed Mike's script, but did not find anything that could cause
the problem.

By default, the SetupBuilder installer itself does *not* manipulate any
security setting. And of course, the compiler does not write any security
setting from the source machine into the installer. Only the "Set Access
Control..." function can manipulate the ACL.

I don't have the script here at home. Do you see if any external cacls.exe
is executed from the script (or from an external component)?

Friedrich

NewsArchive
02-18-2008, 02:04 AM
CACLS is not run.
He doesn't include any support files or DLLs.
I don't know what the service he installs does when it first runs. But I
tried stopping and restarting it after I'd used CACLS to fix the permissions
and that did not break them again.

Jane

NewsArchive
02-18-2008, 02:05 AM
Hi Jane,

See private email in a minute. I think you had a very good idea.

Friedrich

NewsArchive
02-18-2008, 02:05 AM
Friedrich,
FWIW this happened once for me also. I was using wupdate and all permissions
were gone after the update. Since it only happened this one time I didn't
pay further attention at the time.

Peter

NewsArchive
02-18-2008, 02:05 AM
Peter,

Jane had an interesting idea and, IMO, it's well possible that this problem
is caused by the CopyFileA Windows API (used by the "Set Delayed File
Install" feature). I'll investigate this tomorrow when I am back in the
office. Then I'll check if the MoveFileA API could be a solution.

Friedrich

NewsArchive
02-18-2008, 02:06 AM
Interesting thought.
At the command-line, Copy and Move work differently.

Copy - files inherit permissions from the destination folder.
Move within a partition - files keep permissions
Move to another partition - inherit (as this is actually a copy-and-move).

The behavior I experienced (screwed up permissions whether I installed his
app within C:\Program Files or to another folder I had the installer create
on the C: drive, but Full Control for Everyone when I installed to a folder
on the D: drive) seems to mimic the command-line "Move" behavior.

Jane

NewsArchive
02-18-2008, 02:08 AM
(make that "copy and delete")

Jane Fleming

NewsArchive
02-18-2008, 02:18 AM
Hi Jane,

And it gets even better...

I reviewed the source codes and debugged what is going on. Okay, when the
"Set Delayed File Install" feature is enabled, the installer writes files
directly into the temporary Windows folder. If the process completed
successfully, the "Stop Delayed File Install" makes use of the MoveFile
Windows API to move the files from the temporary folder to the final
location(s).

See attached screenshot. In the temporary folder, everything is okay
(Advanced Security Settings for SB68E.tmp). But after the MoveFile Windows
API call (from the temporary folder to the target location within the same
partition), the inherited permissions are gone!

Using the CopyFile Windows API followed by a DeleteFile fixes this.
Strange...

I'll send Mike a new sbkernel.lib to test it.

Thanks again for your help!

Friedrich

NewsArchive
02-19-2008, 02:01 AM
Strange, but not so strange... in that the differences between Move and
Copy I mention in my previous post behave similarly. I think the basic
difference is that "move" within a partition just modifies directory pointer
flags. Copy within a partition actually rewrites the file, so it then
inherits the access control entries from the ACL on the parent folder. And
Move between partitions is actually a copy-and-delete, so again the file
gets rewritten and gets a new ACL. Attached graphic is revealing.

A couple of things to keep in mind. Microsoft keeps tightening security -
as witness the new "ask me to run this" flag that gets set on downloaded
items.
Vista goes way beyond that with the integrity. IE7 is different on Vista in
that it has "Protected Mode" that helps isolate its stuff from the rest of
the system. It also introduces the concept of "integrity levels" on files
and on user and system accounts. Try using ICACLS on a Vista machine, as
CACLS won't display integrity levels. But that's not the issue here, as
this also affects XP boxes.

I just don't understand why it's broken now but has apparently worked
before. But then, there are patches and patches and we never know exactly
what's getting updated.

I knew the maestro would solve this :)

Jane

http://www.lindersoft.com/community_images/CopyMove.png
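
The move-versus-copy behaviour discussed in the posts above can be reproduced and repaired with the following PowerShell script. It is an added example, not part of the original thread and not SetupBuilder code. The folder names, file names and the functions New-PrivateFile and Get-AclSummary are hypothetical, and it assumes the staged file carries a protected DACL (inheritance off), which the thread does not confirm for SetupBuilder's temporary files.

```powershell
# Constructed demo tree under the current user's temp folder (one volume).
$root = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
$src  = New-Item -ItemType Directory -Path (Join-Path $root 'staging')
$dst  = New-Item -ItemType Directory -Path (Join-Path $root 'target')

function New-PrivateFile([string]$Path) {
    # Assumption: staged file has inheritance off and one explicit ACE for the caller.
    Set-Content -Path $Path -Value 'payload'
    $acl  = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AclSummary([string]$Path) {
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        File          = Split-Path $Path -Leaf
        Protected     = $acl.AreAccessRulesProtected   # True = inheritance disabled
        InheritedAces = @($acl.Access | Where-Object IsInherited).Count
        ExplicitAces  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

New-PrivateFile (Join-Path $src 'moved.dat')
New-PrivateFile (Join-Path $src 'copied.dat')

# Same-volume move: the security descriptor travels with the file.
Move-Item -Path (Join-Path $src 'moved.dat')  -Destination $dst.FullName
# Copy: a new file is created and takes the target folder's inheritable ACEs.
Copy-Item -Path (Join-Path $src 'copied.dat') -Destination $dst.FullName

Get-ChildItem $dst.FullName -File | ForEach-Object { Get-AclSummary $_.FullName } | Format-Table

# Repair: re-enable inheritance on any file that arrived with a protected DACL.
Get-ChildItem $dst.FullName -File |
    Where-Object { (Get-Acl $_.FullName).AreAccessRulesProtected } |
    ForEach-Object {
        $acl = Get-Acl $_.FullName
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $_.FullName -AclObject $acl
    }

Get-ChildItem $dst.FullName -File | ForEach-Object { Get-AclSummary $_.FullName } | Format-Table
Remove-Item $root -Recurse -Force
```

The same Protected check, pointed at an installation folder instead of the demo tree, lists the files that ordinary users cannot open because they never picked up the folder's inherited entries.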

NewsArchive
02-20-2008, 01:20 AM
Hi Jane,

:) Thanks for the information. Very interesting.

I have developed an optional "Copy File" script function now that makes it
possible to copy files and permissions. I'll see if we can make it
available in SetupBuilder 7.

Thanks again for your help!

Friedrich

NewsArchive
02-20-2008, 01:21 AM
Oh my gosh......I can't believe the brainpower in this thread.

Thank you both so very much for helping me with this. The information you
were sharing I would have never known about.

And it gives me even more of an insight into what Friedrich must deal with
in the design of SetupBuilder.

Frankly after programming for 25 years it is getting so darn complex that
the fun is starting to go away.

Thank God I program in Clarion. I can't imagine how simply horrible it would
be in VB or Canything.

Mike

NewsArchive
02-21-2008, 02:10 AM
Hi Mike,

This was an ideal example of perfect team-work :)

I have to agree. The Windows operating system is now so complex that it
isn't realistic to understand the entire platform. When we make a new
SetupBuilder release available, we test it on 25 different Windows versions,
both 32- and 64-bit systems. I think the magic is to make the product
compatible with all OS versions. Major new SetupBuilder releases are tested
on a server farm. All this is very time and money consuming.

We have already optimized SetupBuilder 6.7 for Vista SP1 (RTM) and Windows
Server 2008 (RTM). This process took about four weeks.

I fear that things will not get better... <g>

Friedrich