hotkebab99
21st June 2007 15:21 UTC
Change user to administrator
Hello,
I am a French user of NSIS so excuse me for my English ;)
In my company, each person has a user account on Windows 2000 without administrator rights.
I want to give them an NSIS installer which will modify registry keys, so this installer must run with administrator rights. The problem is that users don't have the right to modify registry keys. Only the administrator account has them.
Is it possible in the installer script to give the installer the administrator password and tell it to use the administrator account with this password? With this, the installer will run as administrator, so registry keys will be modified.
Do you have any solution to my problem?
Thank you very much!
sgiusto
21st June 2007 21:51 UTC
ctrl+right click the installer exe and choose execute as?
or put the installer exe in a cmd file with the runas command?
hotkebab99
25th June 2007 08:55 UTC
Originally posted by sgiusto
ctrl+right click the installer exe and choose execute as?
or put the installer exe in a cmd file with the runas command?
Of course...
But the point is that all users of my company (even those who don't have a lot of computer knowledge) can receive an installer (a patch for a program, for example) and can execute it in administrator mode without giving them the admin password.
How can I do that with NSIS?
kichik
25th June 2007 19:56 UTC
You're talking about privilege escalation. An ability for every program to do such a thing would result in total chaos, giving everything and everyone administrator privileges on your computer. It'd be considered a serious vulnerability.
If you want to implement such a mechanism, you will have to write a service that'd run on each of your company's computers and have your installers communicate with it for getting administrator privileges. To keep it safe, you'll probably want to digitally sign every installer and verify that signature in your service.
There might be a service already available that does this. I think MSI has such a capability for signed installers.
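The signature check described in the post above, as an added example that is not part of the original thread or of NSIS: the gate an elevated broker service could apply before launching an installer on a user's behalf. It assumes a Windows version with PowerShell (newer than the Windows 2000 in the question); the function names, the staging directory and the thumbprint placeholder are hypothetical.

```powershell
# Constructed placeholders: use your code-signing certificate's thumbprint and a
# directory that only Administrators and SYSTEM can write to.
$TrustedThumbprints = @('<THUMBPRINT-OF-COMPANY-CODE-SIGNING-CERT>')
$StagingDir         = 'C:\InstallerBroker\staging'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file matches its signature and the certificate chain is trusted.
    if ($sig.Status -ne 'Valid') { return $false }
    # A valid signature from any publisher is not enough: pin the expected signer.
    return $AllowedThumbprints -contains $sig.SignerCertificate.Thumbprint
}

function Invoke-VerifiedInstaller {
    param([Parameter(Mandatory)] [string] $RequestedPath)

    # Copy first, verify the copy, run the copy. The requesting user cannot write
    # to the staging directory, so the file cannot be swapped between check and launch.
    $staged = Join-Path $StagingDir ([guid]::NewGuid().ToString() + '.exe')
    Copy-Item -LiteralPath $RequestedPath -Destination $staged
    try {
        if (-not (Test-InstallerSignature -Path $staged -AllowedThumbprints $TrustedThumbprints)) {
            throw "Refusing to run unsigned or untrusted installer: $RequestedPath"
        }
        # /S is the NSIS silent switch; a service has no desktop to show a wizard on.
        $proc = Start-Process -FilePath $staged -ArgumentList '/S' -Wait -PassThru
        return $proc.ExitCode
    }
    finally {
        Remove-Item -LiteralPath $staged -ErrorAction SilentlyContinue
    }
}
```

The broker should accept only a file path from the unprivileged caller, never a command line, so that the signed installer is the only code that runs elevated.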
helix400
25th June 2007 20:33 UTC
Heh, you have a tough situation.
The UAC plugin can elevate the NSIS installer process from standard user rights to administrator user rights. Provided:
1) An administrator account exists with a password. (There must be a password. It cannot work without a password).
2) You are comfortable giving that administrator password to standard users.
http://nsis.sourceforge.net/UAC_plug-in
But it sounds like you want to give standard users installers that can have administrator rights without having to type in a password.
If this is the case, then the MSI installer is probably the way to go, as it is designed specifically for these scenarios.
helix400
25th June 2007 20:36 UTC
Further, one other option is to set up a system where the users don't update their own software, but rather, YOU deploy the updates to the users for them.
I don't work in large scale, enterprise environments, but I hear people discuss doing this all the time.
psyki
17th July 2007 15:18 UTC
yes, those are MSI packages ;)