How do others install end user applications on Windows? One should, at least on Vista and later, deal with ACL rights.
Should I not install in the Program Files directory to avoid my apps asking the user for administrator access?
Do I need to sign the application, and how best to proceed with that?
_______________________________________________ vwnc mailing list [hidden email] http://lists.cs.uiuc.edu/mailman/listinfo/vwnc |
We use InstallShield Express, and just leave it up to that to “do the right thing” for ACLs.

I guess we’re going to have to look at signing our application in any case (we put the image into the .exe). There are some (very sparse) details on p15 of the 7.6 release notes. A little more can be found in previous discussions: searching for signing in the archives:

http://www.parcplace.net/lists/vwnc-archive
http://www.parcplace.net/lists/vw-dev (if you have access)

Steve

From: [hidden email] [mailto:[hidden email]] On Behalf Of Rob Vens

How do others install end user applications on Windows? One should, at least on Vista and later, deal with ACL rights.
Should I not install in the Program Files directory to avoid my apps asking the user for administrator access?
Do I need to sign the application, and how best to proceed with that?
I create the .msi installers using VisualStudio. (Note that I create a single exe using ResHacker so that would invalidate the Cincom signing of the vm.) That still does not deal with the annoying startup question from Vista or Windows 7 that you need to run as administrator, right? Or is there a way for me to configure that? I appreciate any pointers.
2010/3/19 Steven Kelly <[hidden email]>
Rob,

Deployment on Windows is a tricky proposition: first, depending on the version of Windows, the ACL may come into play. So an installation which was working fine on Windows XP all of a sudden stops working on Vista/Win7. On Vista, even if the user is part of "Administrators", anything he starts is started as "User". This may also be the case on XP if the computer is a member of a corporate "Domain" and the domain has a very customized security policy. For example, I have seen extreme cases where the user, after logging onto the Domain, would lose his access to "C:\Program Files", so they cannot run any locally installed application. In another case installing something into the "My Documents" area was also thwarted by the domain: upon logging in, "My Documents" was redirected to the shared network location and the user lost his access to the local file system.

With that in mind, here are a few pointers:

1. If your application is installed into the "Program Files" directory as "YourAppFolder" and tries to write anything there, you have to make sure that "Users" as a group do have read/write access to the application folder. By default in Vista, anything in the "Program Files" folder has read-only access for most of the users. One of the ways to overcome this is to change file/folder access permissions by using something like cacls.exe, which is a built-in command (or Xcacls.exe, part of the WinServer 2003 resource kit).

2. If your application is installing any device drivers, it has to do it as "Administrator", otherwise the regular users may or may not have access to those drivers.

3. Digital signatures, while not required, are highly recommended in a Windows environment. To get one you have to buy the signature from Verisign or Thawte or....

4. Using "res hacker" to make a single executable out of your image and visual.exe does invalidate the digital signature on visual.exe and also makes it un-signable in the process, due to some file header checksum. To overcome this, first remove the signature from visual.exe, then insert your image and then sign it with your signature.

5. Mind the Windows EXE manifest. The manifest could be a standalone file or could be built into the EXE as a resource, with "reshacker" or any other similar tool. In the manifest one can specify a few parameters, among which there are a few interesting ones. Here is the part where you can specify how your app should be started:

    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>

You can specify administrator if it has to be. In my experience with the manifests, I found that some of the parameters, while valid, can make your application non-startable on XP while working on Vista.

Also there is another way to suggest the application be run "As Administrator": in the install script, people normally create a "ShortCut"; there you can specify a few things, one of them being "Run program as administrator", found on the compatibility tab. Doing this simply adds some values into the Windows registry.

I have a few more stories about deployment on Windows, but am a bit short on time, so if you have any specific question just ask...

Hope this helps

--Mark Pirogovsky

Rob Vens wrote:
> I create the .msi installers using VisualStudio. (Note that I create a
> single exe using ResHacker so that would invalidate the Cincom signing
> of the vm.) That still does not deal with the annoying startup
> question from Vista or Windows 7 that you need to run as
> administrator, right? Or is there a way for me to configure that? I
> appreciate any pointers.
>
> 2010/3/19 Steven Kelly <[hidden email]>
>
> > We use InstallShield Express, and just leave it up to that to “do
> > the right thing” for ACLs.
> >
> > I guess we’re going to have to look at signing our application in
> > any case (we put the image into the .exe). There are some (very
> > sparse) details on p15 of the 7.6 release notes. A little more can
> > be found in previous discussions: searching for signing in the
> > archives:
> >
> > http://www.parcplace.net/lists/vwnc-archive
> >
> > http://www.parcplace.net/lists/vw-dev (if you have access)
> >
> > Steve
> >
> > *From:* [hidden email] [mailto:[hidden email]] *On Behalf Of* Rob Vens
> > *Sent:* 19 March 2010 11:47
> > *To:* VWNC
> > *Subject:* [vwnc] Installing end user applications on Windows and ACL
> >
> > How do others install end user applications on Windows? One
> > should, at least on Vista and later, deal with ACL rights.
> >
> > Should I not install in the Program Files directory to avoid my
> > apps asking the user for administrator access?
> >
> > Do I need to sign the application, and how best to proceed with that?
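Added example, not part of the thread and not code from any of the posters: a small Python check for the manifest setting described in point 5 of the message above. It reads a manifest and reports the requestedExecutionLevel it declares, including the case where the element is missing or not nested correctly. The manifest text is a constructed sample, and the function and constant names are this example's own.

```python
import xml.etree.ElementTree as ET

LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")
NESTING = ("trustInfo", "security", "requestedPrivileges", "requestedExecutionLevel")

# Constructed sample manifest carrying the asInvoker setting quoted in the thread.
SAMPLE = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def walk(elem, path=()):
    """Yield (path of local tag names, element) for every element in the tree."""
    path += (elem.tag.rsplit("}", 1)[-1],)  # drop the '{namespace}' prefix
    yield path, elem
    for child in elem:
        yield from walk(child, path)


def audit_manifest(xml_data):
    """Return the declared level, uiAccess flag and findings for manifest text or bytes."""
    hits = [(p, e) for p, e in walk(ET.fromstring(xml_data))
            if p[-1] == "requestedExecutionLevel"]
    if not hits:
        return {"level": None, "ui_access": False, "findings": [
            "no requestedExecutionLevel: Vista and later treat the program as legacy"]}
    path, elem = hits[0]
    level = elem.get("level")
    ui_access = elem.get("uiAccess", "false").lower() == "true"
    findings = []
    if path[-4:] != NESTING:
        findings.append("element is not nested as " + "/".join(NESTING))
    if level not in LEVELS:
        findings.append(f"unknown level {level!r}")
    elif level != "asInvoker":
        findings.append(f"{level}: the program can raise a UAC prompt at every start")
    if ui_access:
        findings.append("uiAccess=true: needs a signed binary in a protected folder")
    return {"level": level, "ui_access": ui_access, "findings": findings}


if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE.replace("asInvoker", "requireAdministrator")):
        print(audit_manifest(text))
```

For the outcome asked about in the thread (one elevation prompt at install time and none afterwards), the installer is the part that elevates, and the application's own manifest stays at asInvoker.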
I use the Nullsoft NSIS installer, which can handle that and is free.

I enclosed my installation script as an example.

You will need to spend some time to understand its weird language, but the Winamp forums that go with it are quite helpful.

@+Maarten,

Attachment: stakepointR_138_Setup.zip (6K)
Thanks for your example script, Maarten. It is unclear, however, how the script deals with UAC. The following section is relevant in this respect, I assume:

    Section
      ClearErrors
      UserInfo::GetName
      IfErrors Win9x
      Pop $0
      UserInfo::GetAccountType
      Pop $1
      # GetOriginalAccountType will check the tokens of the original user of the
      # current thread/process. If the user tokens were elevated or limited for
      # this process, GetOriginalAccountType will return the non-restricted
      # account type.
      # On Vista with UAC, for example, this is not the same value when running
      # with `RequestExecutionLevel user`. GetOriginalAccountType will return
      # "admin" while GetAccountType will return "user".
      UserInfo::GetOriginalAccountType
      Pop $2
      StrCmp $1 "Admin" 0 +3
      ; MessageBox MB_OK 'User "$0" is in the Administrators group${REALMSG}'
      Goto done
      StrCmp $1 "Power" 0 +3
      ; MessageBox MB_OK 'User "$0" is in the Power Users group${REALMSG}'
      Goto done
      StrCmp $1 "User" 0 +3
      ; MessageBox MB_OK 'User "$0" is just a regular user${REALMSG}'
      Goto done
      StrCmp $1 "Guest" 0 +3
      ; MessageBox MB_OK 'User "$0" is a guest${REALMSG}'
      ; Goto done
      ; MessageBox MB_OK "Unknown error"
      Goto done
      Win9x:
      # This one means you don't need to care about admin or
      # not admin because Windows 9x doesn't either
      ; MessageBox MB_OK "Error! This DLL can't run under Windows 9x!"
      done:
    SectionEnd

However, the only thing I can deduce from this is that it pops up a dialog telling the current access level. In what way does your script actually set the access rights for the application? Should that not involve a lot more, like providing a hash of the executable, signing it with a certificate etc.?

What I would like to accomplish is a situation in which the user might be asked one time for elevated access rights, but after that no more.

2010/3/20 Maarten MOSTERT <[hidden email]>
The only popup windows in this script that come up are related to the creation and the suppression of the Access ODBC connection it installs. The others are not active as the stack is not redirected to them.

For me it extracts the necessary user rights from elsewhere in the system, and then it makes Windows believe it has these rights.

You will need to learn this weird language for your installation. If it still doesn't work you can use my example. Personally I never really understood anything from it.

This means that my things work, but I can't really help you. This is like configuring Apache, you should just read and try the examples until it works.

@+Maarten,