Installing end user applications on Windows and ACL

Rob Vens-2
How do others install end user applications on Windows? One should, at least on Vista and later, deal with ACL rights.
Should I not install in the Program Files directory to avoid my apps asking the user for administrator access?
Do I need to sign the application, and how best to proceed with that?

_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc

Re: Installing end user applications on Windows and ACL

Steven Kelly

We use InstallShield Express, and just leave it up to that to “do the right thing” for ACLs.

I guess we’re going to have to look at signing our application in any case (we put the image into the .exe). There are some (very sparse) details on p15 of the 7.6 release notes. A little more can be found in previous discussions: searching for signing in the archives:

http://www.parcplace.net/lists/vwnc-archive

http://www.parcplace.net/lists/vw-dev (if you have access)

Steve

From: [hidden email] [mailto:[hidden email]] On Behalf Of Rob Vens
Sent: 19 March 2010 11:47
To: VWNC
Subject: [vwnc] Installing end user applications on Windows and ACL

Re: Installing end user applications on Windows and ACL

Rob Vens-2
I create the .msi installers using VisualStudio. (Note that I create a single exe using ResHacker so that would invalidate the Cincom signing of the vm.) That still does not deal with the annoying startup question from Vista or Windows 7 that you need to run as administrator, right? Or is there a way for me to configure that? I appreciate any pointers.


2010/3/19 Steven Kelly <[hidden email]>


Re: Installing end user applications on Windows and ACL

Mark Pirogovsky-3
Rob,

Deployment on Windows is a tricky proposition:

First, depending on the version of Windows, the ACL may come into play.
So an installation which was working fine on Windows XP all of a sudden
stops working on Vista/Win7.

On Vista, even if the user is part of "Administrators", anything he
starts is started as "User".  This may also be the case on XP if the
computer is a member of a corporate "Domain" and the domain has a very
customized security policy.

For example, I have seen extreme cases where the user, after logging
onto the Domain, would lose his access to "C:\Program Files", so they
cannot run any locally installed application.

In another case, installing something into the "My Documents" area was
also thwarted by the domain: upon logging in, "My Documents" was
redirected to a shared network location and the user lost his access to
the local file system.



With that in mind, here are a few pointers:

1.  If your application is installed into the "Program Files" directory
as "YourAppFolder" and tries to write anything there, you have to make
sure that "Users" as a group do have read/write access to the
application folder.  By default in Vista, anything in the "Program
Files" folder is read-only for most of the users.  One of the ways to
overcome this is to change file/folder access permissions by using
something like cacls.exe, which is a built-in command (or Xcacls.exe,
part of the WinServer 2003 resource kit).

2.  If your application is installing any device drivers, it has to do
it as "Administrator", otherwise the regular users may or may not have
access to those drivers.

3.  Digital signatures, while not required, are highly recommended in a
Windows environment.  To get one you have to buy the signature from
Verisign or Thawte or....

4.  Using the "res hacker" to make a single executable out of your image
and visual.exe does invalidate the digital signature on visual.exe and
also makes it un-signable in the process, due to some file header
checksum.  To overcome this, first remove the signature from visual.exe,
then insert your image and then sign it with your sig.

5.  Mind the Windows EXE manifest. The manifest could be a standalone
file or could be built into the EXE as a resource, with the "reshacker"
or any other similar tools.
In the manifest one can specify a few parameters, among which there are
a few interesting ones.
Here is the part where you can specify how your app should be started:

    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker"
            uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>

You can specify administrator if it has to be.

In my experience with the manifests, I found that some of the
parameters, while valid, can make your application non-startable on XP
while working on Vista.

Also there is another way to suggest the application be run "As
Administrator": in the install script, people normally create a
"ShortCut"; there you can specify a few things, one of them is "Run
Program as administrator", found on the compatibility tab. Doing this
simply adds some values into the Windows registry.


I have a few more stories about deployment on Windows, but am a bit
short on time, so if you have any specific question just ask...

Hope this helps

--Mark Pirogovsky
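
Added example, not part of the message above or of the original thread: a Python check that reads an application manifest and reports the requestedExecutionLevel discussed in pointer 5, so a build step can confirm the EXE asks for the elevation you intend before it is signed and packaged. Both sample manifests are constructed, and the names audit_manifest, local_name and LEVELS are hypothetical.

```python
"""Report the UAC execution level an application manifest asks for."""
import xml.etree.ElementTree as ET

# Constructed sample: a full manifest around the fragment from pointer 5.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Constructed sample: a manifest with no trustInfo section at all.
LEGACY_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="YourApp" version="1.0.0.0" type="win32"/>
</assembly>"""

# The values Windows accepts for the level attribute.
LEVELS = {
    "asInvoker": "runs with the caller's token, no elevation prompt",
    "highestAvailable": "prompts when the user is able to elevate",
    "requireAdministrator": "prompts for elevation on every start",
}

def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    """Return (level, ui_access, findings) for one manifest document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # Match on the local name: trustInfo appears under asm.v2 and asm.v3.
    nodes = [e for e in root.iter()
             if local_name(e.tag) == "requestedExecutionLevel"]
    if not nodes:
        # Vista and later then treat a 32-bit EXE as a legacy application
        # (installer detection, file and registry virtualization).
        return None, None, ["no requestedExecutionLevel: legacy UAC handling"]
    findings = []
    if len(nodes) > 1:
        findings.append("more than one requestedExecutionLevel element")
    level = nodes[0].get("level")
    ui_access = (nodes[0].get("uiAccess") or "false").strip().lower() == "true"
    if level not in LEVELS:
        findings.append("unknown level %r" % (level,))
    elif level != "asInvoker":
        findings.append("%s: %s" % (level, LEVELS[level]))
    if ui_access:
        findings.append("uiAccess=true needs a signed EXE in a protected folder")
    return level, ui_access, findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("legacy", LEGACY_MANIFEST)):
        print(name, audit_manifest(text))
```

An empty findings list means the manifest requests asInvoker with uiAccess off, which is the setting that starts without an elevation prompt.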


Re: Installing end user applications on Windows and ACL

Maarten Mostert-2
In reply to this post by Rob Vens-2

I use the Nullsoft NSIS installer, which can handle that and is free.

I enclosed my installation script as an example. You will need to spend some time to understand its weird language, but the Winamp forums that go with it are quite helpful.

@+Maarten,
----- Original Message -----
Sent: Friday, March 19, 2010 2:22 PM
Subject: Re: [vwnc] Installing end user applications on Windows and ACL

Attachment: stakepointR_138_Setup.zip (6K)

Re: Installing end user applications on Windows and ACL

Rob Vens-2
Thanks for your example script, Maarten. It is unclear, however, how the script deals with UAC. The following section is relevant in this respect, I assume:

Section
  ClearErrors
  UserInfo::GetName
  IfErrors Win9x
  Pop $0
  UserInfo::GetAccountType
  Pop $1
  # GetOriginalAccountType will check the tokens of the original user of the
  # current thread/process. If the user tokens were elevated or limited for
  # this process, GetOriginalAccountType will return the non-restricted
  # account type.
  # On Vista with UAC, for example, this is not the same value when running
  # with `RequestExecutionLevel user`. GetOriginalAccountType will return
  # "admin" while GetAccountType will return "user".
  UserInfo::GetOriginalAccountType
  Pop $2
  StrCmp $1 "Admin" 0 +3
  ; MessageBox MB_OK 'User "$0" is in the Administrators group${REALMSG}'
  Goto done
  StrCmp $1 "Power" 0 +3
  ; MessageBox MB_OK 'User "$0" is in the Power Users group${REALMSG}'
  Goto done
  StrCmp $1 "User" 0 +3
  ; MessageBox MB_OK 'User "$0" is just a regular user${REALMSG}'
  Goto done
  StrCmp $1 "Guest" 0 +3
  ; MessageBox MB_OK 'User "$0" is a guest${REALMSG}'
  ; Goto done
  ; MessageBox MB_OK "Unknown error"
  Goto done

  Win9x:
  # This one means you don't need to care about admin or
  # not admin because Windows 9x doesn't either
  ; MessageBox MB_OK "Error! This DLL can't run under Windows 9x!"

  done:
SectionEnd

However the only thing I can deduce from this is that it pops up a dialog telling the current access level. In what way does your script actually set the access rights for the application? Should that not involve a lot more like providing a hash of the executable, signing it with a certificate etc.?
What I would like to accomplish is a situation in which the user might be asked one time for elevated access rights, but after that no more.

2010/3/20 Maarten MOSTERT <[hidden email]>

Re: Installing end user applications on Windows and ACL

Maarten Mostert-2

The only popup windows in this script that come up are related to the creation and the suppression of the Access ODBC connection it installs. The others are not active as the stack is not redirected to them.
For me it extracts the necessary user rights from elsewhere in the system, and then it makes Windows believe it has these rights.
You will need to learn this weird language for your installation. If it still doesn't work you can use my example. Personally I never really understood anything from it. This means that my things work, but I can't really help you. This is like configuring Apache, you should just read and try the examples until it works.

@+Maarten,
----- Original Message -----
Sent: Saturday, March 20, 2010 11:08 AM
Subject: Re: [vwnc] Installing end user applications on Windows and ACL
