/build/static/layout/Breadcrumb_cap_w.png

MsiLockPermissionsEx issue

I am having issues with MsiLockPermissionsEx table.
When locking permissions, no matter what ACL flag is (P, AI, AR or combinations) existing explicit permissions are replaced by new ones and no inheritance from parent container is preserved. For instance, the following SDDLText:

D:AI(A;OICI;FWFR;;;AU)

does explicitly set read and write permissions for my object, but other existing ACEs (for example for Administrators and Users) are lost, and permissions from parent folder are *not* inherited. This is weird, as the documentation from Microsfot clearly states, that MsiLockPermissionsEx table supports inheritance.

Is this a bug or am I missing something?

This behavior has been observed on different machines (Win 7 32bit/64bit) with different test packages. Databases have been successfully checked against ICE, no errors were shown in logs. Adjusting schema in summary information does not change anything. Databases have been created in Wise, and MsiLockPermissionsEx stuff was added via Orca from the newest SDK.

Parent folder permissions are normally propagated to children (running the same SDDL string via secedit does the job - permissions are inherited then). I tried locking objects in Program Files, its children or other test folders - still no success.

0 Comments   [ + ] Show comments

Answers (6)

Posted by: SandeepPanat 13 years ago
Orange Senior Belt
0
Wise doesn't support this table for sure. I assume you don't have LockPermissions table in your msi.
What conditions (and how many) have you specified in the Condition column?
Posted by: anonymous_9363 13 years ago
Red Belt
0
Forget the MSILockPermissionsEx and LockPermissions tables and use a third-party tool through a Custom Action. Not only do they almost all by default add to ACEs rather than replace them (although they can also replace), the syntax is much easier! LOL

If you have to stick with the table, one of the ACL tools, SubInACL, can display SDDL strings for objects so, you can set the permissions you want, then use SubInACL to show the required syntax.
Posted by: Marcin Otorowski 13 years ago
Yellow Belt
0
Thanks for your feedback.

@SandeepPanat
Obviously, Wise does not support it (and many other things). I just used it to produce standard test package.
I am not using LockPermissions at the same time, otherwise I would get ICE error.
I am also not specifying any conditions. SDDL is always applied, which is confirmed by analysis of logs. Like I said, the only issue is that it does not preserve inheritance - everything else works O.K.

@VBSCab
I am well aware of bunch of tools to deal with SDDL. I am not particularly forced to use any of them, but the advantage of MsiLockPermissionsEx is that it is standard action in MSI. Custom actions can be problematic in some scenarios and policies.
Moreover, using SubInAcl (and other similar tools) has one problematic drawback. If I want to deploy an object, which does not replace anything (e.g. it is a new folder with no explicit permissions) then subinacl will not help, as it can show the current SDDL of any *existing* object, otherwise it produces error.I used my own tool and secedit to generate SDDL syntax, so the problem is not in getting the correct SDDL itself, but rather applying my required set of rules with preservation of whatever custom rules have been set on target machine. During authoring process I don't know, what is the particular configuration of target machine, so I must plan carefully any actions, involving security rules.


So after all, there are three reasons I would like to use MsiLockPermissionsEx table:
1) it is standard built-in action
2) it is stated (by Microsoft) to support all necessary stuff
3) I am trying to develop my own tool and documentation of this feature. Commercial authoring tools are really poor if not worse, as far as support for MsiLockPermissionsEx is concerned.

But the fact, that all available documentation states it should work, while it is *not* working really drives me mad. Any other ideas are appreciated.
Posted by: kanthsri87 13 years ago
Senior Yellow Belt
0
Why cant u use the Security template ????To give permission
Posted by: Marcin Otorowski 13 years ago
Yellow Belt
0
I could. But if MsiLockPermissionsEx supported the same functionality (meaning *inheritance* according to documentation) CA would be pointless. Not only it requires custom rollback script, but also consumes time to create template, requires deploying security template to target machine etc.
Still, it's very annoying, that Windows Installer does not behave as required and stated by Microsoft - no scenario I performed (different machines, packages) worked with inheritance enabled.
Posted by: anonymous_9363 13 years ago
Red Belt
0
The other problem I have with the use of the permissions tables is that it wastes resources, in that permissions get applied to all the objects which the table entries point at.

My permissioning CA is positioned immediately after the package's CreateFolder action. It then permissions that and then relies on simple inheritance to permission files contained therein. For smaller installations, the difference is minimal but for the clunkers, waiting for permissions to be applied to 'x' hundred files can add a significant delay to a deployment.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ