Nicolas Cuny
5th October 2005 12:29 UTC

Allow simple user to overwrite files
Hello,

I would like to know if there is some way (in NSIS or other) to allow simple Windows users (non-admin) to overwrite files created by an admin.

Scenario :

An admin installs my application for every user. The data is huge (700 MB) and can not be duplicated for each user. But still i would like every user to be able to update data (which means overwriting files created during installation).

Solutions :

- changing the rights on each file, or
- creating the files in a special place where everyone can overwrite them

But i don't know how to do that ! If you think it is impossible please say so. Thank you for your answers :)

kichik
5th October 2005 13:58 UTC

You can use the AccessControl plug-in to set the access rights to those files, or you can modify your program to look for those files in a user's private folder first. $APPDATA is usually used for this (see MSDN).

Nicolas Cuny
5th October 2005 15:12 UTC

Hi kichik,

I tried to store data files in $APPDATA after a "SetShellVarContext all" but according to my tests simple users still have no right to overwrite them (when installed by an administrator).

The AccessControl plug-in looks promising though ... Thank you very much !

kichik
5th October 2005 15:16 UTC

The idea was not to use this for all users, but to use this for each user. It's not a change that needs to be done in the installer, but rather in the program itself. The program needs to look for its files in the Application Data folder, and only then in the program folder. This way, the user can create his/her own configuration without affecting all of the other users and without any special permissions.

Nicolas Cuny
5th October 2005 15:33 UTC

I understand that. My case is a special one because the application is shipped with an automatic updater that not only adds data files (several hundred MB of pdf, rtf, jpg ...) but also overwrites some program files (.exe and .swf).

Putting data files in each user's $APPDATA would mean duplicating hundreds of MB.

Now you will say : "Updating such an app should be the administrator's job !" and i couldn't agree more but our client has a weird setup of TabletPC given to employees all other the country, never coming back, and a strong security policy which forbids giving employees the administrator password.

I will try the AccessControl plug-in right now ... Thanks again.

Nicolas Cuny
7th October 2005 11:13 UTC

Ok ! AccessControl is working for me ... this is what i did to grant full control to any user on a file :

AccessControl::GrantOnFile "$MYFILE" "(S-1-5-32-545)" "FullAccess"

cacls myfile.xml /E /G (S-1-5-32-545):F
cacls myfile.xml /E /G BUILTIN\USERS:F

cacls myfile.xml /E /G BUILTIN\Utilisateurs:F

kichik
7th October 2005 12:43 UTC

As the group name is translatable, you should use the well known SID S-1-5-32-545.

Nicolas Cuny
7th October 2005 14:03 UTC

Originally posted by kichik
As the group name is translatable, you should use the well known SID S-1-5-32-545.

cacls myfile.xml /E /G (S-1-5-32-545):F
cacls myfile.xml /E /G S-1-5-32-545:F

kichik
7th October 2005 14:11 UTC

Sorry, missed the first one line. Maybe CACLS doesn't support SIDs? Seems very unlikely.

Nicolas Cuny
7th October 2005 15:32 UTC

I will use SetACL
I discovered SetACL which is a nice GPL tool that performs the same tasks as CACLS but seems to be more convenient, has an ActiveX Control version and supports SIDs.

SetACL
    -on "C:\Program Files\My Software"
    -ot file
    -actn ace
    -ace "n:S-1-1-0;p:full;s:y"