Archive: Vista: Set Access to Full Control after install


Vista: Set Access to Full Control after install
After looking through a lot of posts here about UAC and so forth, I'm not able to find the answer for this. Apologies if it's been discussed before.

I'd like to know if it's possible to set ALL installed files to Full Control for "user" level.

I have an install script using the Required Level set to admin, because we do HKLM writes and so forth. The problem is, after the install finishes ALL files are set to Read/Execute only to the user level. This makes it so our update software doesn't work (invalid rights).

Rather than force the user to "Run as Admin", I'm curious if it's possible to set all the files to Full Control for "user" level, maybe at the end of the install. Even if it takes some sort of system call?

I've installed a few other programs with UAC on, that don't seem to be aware of Vista (much like ours originally), and their files are not read/execute only. So I'm wondering if it's an NSIS thing?


I guess I found a solution, maybe not the best, but I added:

ExecWait 'icacls "$INSTDIR" /grant BUILTIN\Users:F /T /Q'

To the end of the install section. Probably bad practice, eh?

Any way to suppress the command prompt pop up?


Very bad practice. You're allowing every user to modify executables all other users are running as well. That's a security breach. What you really should do is run the update mechanism as admin. If it happens when the program starts, have it pop-up UAC when the update itself runs. If it's a service running in the background, make it a real service, running under SYSTEM.


Originally posted by kichik
Very bad practice. You're allowing every user to modify executables all other users are running as well. That's a security breach. What you really should do is run the update mechanism as admin. If it happens when the program starts, have it pop-up UAC when the update itself runs. If it's a service running in the background, make it a real service, running under SYSTEM.
We were doing the update as admin, except the way our update works right now is that it runs first every time the app is launched. This forces an Allow/Deny prompt every time the app is opened. Our employer doesn't like that idea very much at all :P

We've been trying to rewrite the update procedure for over 1.5 years now, but we're never given enough dev time to do it. Maybe I can convince them now, since it is a security breach as you say.

Thanks for the tip.
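
The permission problem kichik describes can be checked for after an install. The following PowerShell is an added example, not code from this thread or from NSIS; the function name `Find-UserWritableAcl` and the sample path are assumptions. It lists every file or folder under an install directory where a broad non-admin group holds write-type rights, which is the state left by `icacls "$INSTDIR" /grant BUILTIN\Users:F /T`.

```powershell
# Added example: audit an install directory for ACEs that let broad,
# non-admin groups modify installed files.
# Find-UserWritableAcl is a hypothetical name, not an NSIS or Windows API.
function Find-UserWritableAcl {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Well-known SIDs, so the check does not depend on localized group names.
    $broadSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545'   # BUILTIN\Users
    )

    # WriteData, AppendData, Delete, ChangePermissions, TakeOwnership,
    # plus the raw GENERIC_ALL and GENERIC_WRITE bits seen on some ACEs.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
                 0x10000000 -bor 0x40000000

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample path; substitute the product's real install directory.
Find-UserWritableAcl -Path 'C:\Program Files\ExampleApp' | Format-Table -AutoSize
```

Any row returned means a standard user can replace a file that other users will later run. A directory that inherits its ACL from Program Files normally grants these groups no write-type rights and returns nothing.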