Daniel James
28th February 2008 13:42 UTC
AccessControl plugin
I'm trying to use the AccessControl plugin to set permissions on a shared data directory so that all users can read/write/modify the files it contains.
The call I'm trying to make is:
AccessControl::GrantOnFile "$DataDir" "(BU)" "GenericRead + GenericWrite + DeleteChild"
This doesn't seem to be working ... have I got the syntax right? As it's more-or-less as copied from the page on the Wiki, I hope so! In particular, am I literally supposed to put "(BU)" as trustee for all built-in users or is that just a shorthand for "BUILTIN\USERS" in the example on the Wiki-page?
I'm using the current version of AccessControl (downloaded yesterday) and I see from the Wiki that in recent versions "Error messages are now just returned on NSIS stack" ... so presumably every call to GrantOnFile must be followed by a pop instruction to get the error status -- what form is that status in? Is it a Win32 numeric error code, or what?
It would be really nice to have some working example code (with error handling) on that Wiki page.
Afrow UK
28th February 2008 13:50 UTC
The return value is a string telling you what parameter is wrong. You may find that (BU) is not a valid trustee (anything in curved brackets must be an SID). Use (S-1-5-32-545).
http://support.microsoft.com/kb/243330
Stu
Daniel James
28th February 2008 15:17 UTC
Thanks
Originally posted by Afrow UK
The return value is a string telling you what parameter is wrong.
And is an empty string if everything worked? Seems to be, yes.
You may find that (BU) is not a valid trustee (anything in curved brackets must be an SID). Use (S-1-5-32-545).
http://support.microsoft.com/kb/243330
Hmm... Unless I'm mistaken that is the SID for the "Users" group, and not all users of a PC are members of that group (Administrators, for example, are not ... though they'll have the right rights anyway). Is that what "(BU)" is meant to mean? I really want to allow access to all/any users ...
Perhaps I should use "Everyone" (S-1-1-0)?
Incidentally, it seems that Windows does recognize 2-character abbreviations for well-known SIDs in some situations, so "(BU)" may well work as well as "(S-1-5-32-545)" (and maybe "(S-1-1-0)" can be written "(WD)") ... I had a look at the code for the AccessControl plugin and it strips the parentheses off the 'Trustee' string and passes it to ConvertStringSidToSid which is documented as accepting the 2-letter codes.
Thanks for your help.
Afrow UK
28th February 2008 15:21 UTC
Ah right, my bad. Yes, BU stands for BUILTIN\USERS and WD stands for World - Everyone.
Stu
Daniel James
29th February 2008 09:13 UTC
Clarification
Originally posted by Me:
Incidentally, it seems that Windows does recognize 2-character abbreviations for well-known SIDs in some situations, so "(BU)" may well work as well as "(S-1-5-32-545)" (and maybe "(S-1-1-0)" can be written "(WD)") ... I had a look at the code for the AccessControl plugin and it strips the parentheses off the 'Trustee' string and passes it to ConvertStringSidToSid which is documented as accepting the 2-letter codes.
Just for the record: ConvertStringSidToSid only accepts abbreviations for standard SIDs in XP and later. If you have to support Win2k you will have to use the numeric SIDs.
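A complete NSIS section that puts the thread's answers together, as an added example that is not code from the original posts or from the AccessControl plugin's own documentation: it calls GrantOnFile with a numeric SID (so it also works on Windows 2000, where the two-letter aliases are not recognised), pops the returned string, and treats anything other than an empty string as an error, which is the behaviour Daniel observed above with the 2008 build of the plugin. The variable name $DataDir, the "Data" subdirectory, and the use of the Everyone SID are assumptions for the example; the plugin DLL is assumed to sit in the NSIS Plugins directory.

```nsis
; Added example, not from the thread or the plugin docs.
; Assumes: AccessControl plugin installed, LogicLib available,
; and (per the thread's observation) an empty return string on success.
!include LogicLib.nsh

Var DataDir

Section "Install"
  ; Assumed location of the shared data directory.
  StrCpy $DataDir "$INSTDIR\Data"
  CreateDirectory "$DataDir"

  ; Numeric SIDs work on Windows 2000 as well as XP and later; the
  ; two-letter aliases (WD, BU) need XP+ because ConvertStringSidToSid
  ; only resolves them there.
  ;   S-1-1-0      = Everyone (alias WD)
  ;   S-1-5-32-545 = BUILTIN\Users (alias BU)
  AccessControl::GrantOnFile "$DataDir" "(S-1-1-0)" "GenericRead + GenericWrite + DeleteChild"

  ; The plugin leaves a string on the stack describing the bad parameter;
  ; an empty string means the ACE was added.
  Pop $0
  ${If} $0 != ""
    DetailPrint "AccessControl::GrantOnFile failed: $0"
    MessageBox MB_OK|MB_ICONSTOP "Could not set permissions on $DataDir:$\r$\n$0"
    Abort
  ${EndIf}
  DetailPrint "Granted read/write/delete-child on $DataDir to Everyone"
SectionEnd
```

Two practical notes. First, check the readme of whichever plugin build you ship: the empty-string-on-success convention is what this thread observed in early 2008, and a later version may return a different success marker, so the comparison above should be adjusted to match the documented return value. Second, granting Everyone write and delete-child on a directory means any local account, including low-privilege service accounts, can replace or remove files other users or a privileged component later read from it; if only interactive users need access, BUILTIN\Users (S-1-5-32-545) or Authenticated Users (S-1-5-11) is usually the narrower and safer trustee, and Administrators already have full control through the inherited ACL.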