Marcus_newToNsis
15th November 2013 09:23 UTC

AccessControl Plugin - how give all authenticated users write access
Hi,

What is the right approach?

I used HM NIS Edit 2.0.3 with NSIS 2.4.6 and have built a well working .nsi file. Also, the resulting setup.exe works great.

However, there is a database file (database.db) which, after being installed by the setup.exe, only has read access. I had tried to set write access on the source file before compiling setup.exe, but this attribute gets "lost" after the copy process when installing.

My question is:
Where exactly in the .nsi file must I add:
AccessControl::GrantOnFile \"$INSTDIR\database.db" "(BU)" "GenericRead + GenericExecute + GenericWrite + Delete"

More questions:
does this work in vista, win 7 and win 8? I am trying to write the above directly into the .nsi.

Is it better, more compatible with different windows versions to use (S-1-5-11) for the authenticated Users pseudo-group?
If using S-1-5-11 is the better approach, must the command look this?:
AccessControl::GrantOnFile \"$INSTDIR\database.db" "(S-1-5-11)" "GenericRead + GenericExecute + GenericWrite + Delete"

Thanks for any feedback!

Anders
15th November 2013 15:06 UTC

Using the SID should work on any machine all the way back to NT4 but you are not really supposed to enable write access to files in $programfiles.

A) It is a security risk (The biggest issue is exe and dll files but a corrupted/manipulated data file could also cause issues)

B) Does not work with multiple users logged in (Remote desktop, switch user etc)

You really should store the database under $appdata...