Discussion:
[WiX-users] Permissions for Groups
roxana
2006-09-08 12:15:09 UTC
Hello list,

I was just wondering if it is possible to modify permissions for groups,
such as Users.

Actually, I need to get rid of the Users group for one of my folders and
to set an ACL for just one specific user and administrators. It seems that
LOCAL_MACHINE_NAME\Users is there by default. Trying to configure a
Permission for this group gives me an MSI error:

"An error occured while applying security settings. Sony_Portable\Users
is not a valid user or group. This could be a problem with the package,
or a problem connecting to a domain controller on the network. Check
your network connection and click Retry, or Cancel to end the install."

While using the Extended = yes and Domain = LOCAL_MACHINE_NAME
attributes, I get another strange message in logs:

"ExecSecureObjects: Error 0x80070534: failed to get sid for account: Sony_Portable\Users
Action ended 9:17:19: InstallFinalize. Return value 3.
..."

So... it is TRUE that Sony_Portable\Users is not a user account like the
log indicates, but there must be a way to touch groups' permissions!

I am running out of ideas... I will much appreciate any help. Thanks a lot!

Roxana
roxana
2006-09-08 13:47:17 UTC
Post by Dana Gutride
The following works for me. You might want to try some variation of
these in your install.

<Permission User='Everyone' GenericAll='yes' /> (this uses the lockpermissions table)
<Permission User="ASPNET" Domain="[ComputerName]" GenericAll="yes" Extended="yes"/>
<Permission User="IIS_WPG" Domain="[ComputerName]" GenericAll="yes" Extended="yes"/> (IIS_WPG is a group)

How are you formatting your permission element?
Dana

Thanks for the reply Dana,

Actually, I'd like to eliminate (delete) the Users group for this folder
so as the restrictions be tough enough for just one user account. If
that's not possible, at least have no permission at all for
Users...Something like:

<Permission User="Users" Domain="[ComputerName]" GenericAll="no"
Extended="yes"/>

but this gives me the same error message (failed to get sid for
account...) and I suppose it will DENY ALL for Users... which is not so
desirable! I think Administrator account is a member of this group...

Best regards,
Roxana
Dana Gutride
2006-09-08 14:05:25 UTC
What happens if you just try to set the permission for the user that you
want to use: <Permission User='Everyone' GenericAll='yes' />. Doing this
results in the folder created having only Everyone and System with
permissions on the folder. Users does not show up in the ACL list.

There are additional properties you can set in the extended permission
element, so you might be able to specify that you don't want this permission
appended to any existing permissions. The documentation states: "By using
the SecureObject custom action you can apply permissions for many more well
known user SIDs as well as for user accounts that are created as part of the
install." Is the user you need to give access to created during your
install or does it have a well known sid so you can use the lock permissions
table in the MSI?

Dana
roxana
2006-09-08 14:46:24 UTC
1. You were right about the Everyone group, but granting ALL for this
group is even worse than letting Users into the ACL.

2. The user account we are talking about is created by the installer. I
even managed to set its ACL like the following code shows:

<Component ....
<CreateFolder ...
<Permission User="XXX" Extended="yes" Domain="[MachineName]"
GenericRead="yes" Read="yes" />
</CreateFolder>
</Component>

This works very well so far. If I add another permission element, for
instance:

<Permission User="Users" Extended="yes" Domain="[MachineName]"
GenericAll="yes" />

the installer gives me the well known error. I don't understand why MSI
doesn't consider the Users group as a well known sid, for this seems to
be the problem...

Thanks again :-)






3.
Dana Gutride
2006-09-08 15:32:46 UTC
Ok, I just threw together a quick MSI to see if I could get something like
what I think you are describing working. Try the following, replacing the
user hello with the user you created. This doesn't add any other Users to
the folder and you can add them one at a time if you need to.

<CreateFolder >
<Permission User='System' GenericAll='yes' Extended='no'/>
<Permission User='Hello' GenericAll='yes' Extended='yes'
Domain='[ComputerName]' />
</CreateFolder>


<User Id='Hello' Name='Hello' CreateUser='yes'
Domain='[ComputerName]' >
<GroupRef Id='Users'/>
</User>

Dana
Some user
2006-09-15 11:42:52 UTC
Post by roxana
the installer gives me the well known error. I don't understand why MSI
doesn't consider the Users group as a well known sid, for this seems to
be the problem...
AFAIK Windows Installer only knows the SID for the Administrator and
Everyone. If you want to use other SIDs you have to use a CA to retrieve
them.

http://www.installsite.org/pages/en/msi/tips.htm#SIDLookup
Rob Mensching
2006-09-16 09:48:00 UTC
Or use the Extended="yes" attribute on the Permission element to use the WiX
CustomAction. That is a bit more flexible than the built-in LockPermission
table.
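
One way to check the outcome this thread is after (no Users, no Everyone, only System, Administrators and the one created account) is to audit the folder's DACL in SDDL form, for example the string returned by `(Get-Acl <folder>).Sddl`. This is an added example, not code from the thread or from WiX; the SDDL strings and the account SID in it are constructed samples, and the function names are hypothetical.

```python
import re

# SDDL aliases for well-known SIDs: alias -> (SID string, display name).
WELL_KNOWN = {
    "WD": ("S-1-1-0", "Everyone"),
    "AU": ("S-1-5-11", "Authenticated Users"),
    "BU": ("S-1-5-32-545", "BUILTIN\\Users"),
    "BA": ("S-1-5-32-544", "BUILTIN\\Administrators"),
    "SY": ("S-1-5-18", "NT AUTHORITY\\SYSTEM"),
}
# Principals that cover every interactive user on the machine.
BROAD = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}


def parse_dacl(sddl):
    """Return (protected, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        sid, name = WELL_KNOWN.get(trustee, (trustee, trustee))
        aces.append({
            "type": ace_type,
            # ACE flags are concatenated two-letter tokens; ID marks an inherited ACE.
            "inherited": "ID" in [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "rights": rights,
            "sid": sid,
            "name": name,
        })
    # "P" is the SDDL flag for a protected DACL (inheritance from the parent blocked).
    return "P" in m.group(1), aces


def audit(sddl, allowed_sids):
    """List the reasons the DACL is wider than the set of allowed SIDs."""
    protected, aces = parse_dacl(sddl)
    findings = []
    if not protected:
        findings.append("DACL not protected: parent ACEs can be inherited")
    for ace in aces:
        if ace["type"] != "A" or ace["sid"] in allowed_sids:
            continue
        kind = "broad group" if ace["sid"] in BROAD else "unexpected trustee"
        origin = "inherited" if ace["inherited"] else "explicit"
        findings.append(f"{kind} {ace['name']} allowed {ace['rights']} ({origin})")
    return findings


# Constructed sample values (not taken from the thread).
HELLO_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"
ALLOWED = {"S-1-5-18", "S-1-5-32-544", HELLO_SID}
SAMPLES = {
    "inherited default": "O:BAG:SYD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)",
    "Everyone + System": "O:BAG:SYD:P(A;OICI;FA;;;WD)(A;OICI;FA;;;SY)",
    "System + one user": f"O:BAG:SYD:P(A;OICI;FA;;;SY)(A;OICI;FA;;;{HELLO_SID})",
}

if __name__ == "__main__":
    for label, sddl in SAMPLES.items():
        print(label, "->", audit(sddl, ALLOWED) or "OK")
```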

