2. NSIS Discussion
  3. All Users Write Access

Archive: All Users Write Access


aspestrand
6th July 2007 02:32 UTC

All Users Write Access
I hope I'm not repeating a post here but I couldn't find what I was looking for here on the forum.

In my installer I'm creating a directory under "All Users" by doing the following:

SetShellVarContext all
CreateDirectory $APPDATA\Foo

This works fine in XP but under Vista I do not have write permissions to the folder or any sub folders or files. When my application creates a file in $APPDATA\Foo it actually ends up being a virtualized file.

Is it true that if I change the permissions of the folder with the AccessControl plugin to allow writing that all sub-folders and files created after will then not be virtualized and actually be writable in the real $APPDATA\Foo and not the virtualized path C:\Users\THEUSERNAME\AppData\Local\VirtualStore\ProgramData\Foo\...?

Thanks for your time

kichik
6th July 2007 09:18 UTC

You should never do that. If you allow every user to write to the same folder you allow each user to affect other users. If you want an administrator to be able to change global settings, you should create a separate elevated application or dialog to do that.

aspestrand
6th July 2007 17:48 UTC

We actually just have a database stored there that needs to be accessed by all of our users. That's why it's in the All Users folder. That, as I understand it, is what the All Users folder is for is it not?

aspestrand
6th July 2007 17:50 UTC

So will the AccessControl plugin do what I explained earlier?

kichik
6th July 2007 18:24 UTC

The AccessControl plug-in can change the permissions of that folder, but you shouldn't give users a write permission to a common folder. Every change one user makes will affect all other users. That change doesn't have to be with your program. A user can completely delete that database or even corrupt it in a way that your program will crash.

aspestrand
6th July 2007 18:27 UTC

That's OK. This is just a temporary situation where the DB is shared between users. In the meantime, this is the route we've decided.

So, what about virtualization? Will the AccessControl plugin solve that issue as well?

kichik
6th July 2007 18:32 UTC

No, that probably happens due to Vista compatibility trick. Adding a manifest should make it go away. If the problem is with the installer, use RequestExecutionLevel. If it's the application itself, you'll have to do it manually. You can copy the installer's manifest and modify it.

aspestrand
6th July 2007 18:36 UTC

Sorry. Both Vista and NSIS are fairly new to me. Are we talking about the Windows Manifest file? As in foo.exe.manifest? Or is there an NSIS manifest file? If it's the former, I'm not quite sure what you mean.

Thanks for the help.

kichik
6th July 2007 19:11 UTC

We're talking about the Windows manifest file which can also be embedded in the executable as a resource. That's what NSIS does - it embeds the manifest as a resource when you use RequestExecutionLevel. You can copy that manifest using a resource editor.

aspestrand
6th July 2007 19:32 UTC

Ah I see. So what your saying is I could modify the manifest to give our application Admin level privileges? If that's the case, wouldn't the UAC prompt come up asking permission to run the application?

kichik
6th July 2007 19:51 UTC

No, that's not what I'm saying.

The manifest has one more "feature" up its sleeve. It tells Vista the application knows what Vista is and so handles all sorts of cases like this one. Vista therefore turns off all sorts of compatibility tricks it has for older applications.

aspestrand
6th July 2007 19:54 UTC

I understand now. Sorry for the confusion. Do you have a snippet I can add to my manifest to produce these effects? Or perhaps a link I could check out?

kichik
6th July 2007 19:57 UTC

The manifest that the installer uses has all you need. The following goes under <assembly>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>

aspestrand
6th July 2007 20:03 UTC

Thank you very much. I'll give this a try and see if it solves our problem.

Your help is very much appreciated and thank you for your quick replies.

Fork me on GitHub