How to deny folder permission to Users with wix installer

Problem description

My goal is to install my application to a folder:

  • SYSTEM can read and write
  • Administrators can read and write
  • No permissions for anyone else.

I've tried various combinations and arrangements of the wix Permission and PermissionEx elements.

My most recent attempt is this:

<CreateFolder>
  <util:PermissionEx User="Users" GenericRead="no" Read="no"/>
  <util:PermissionEx User="Everyone" GenericRead="no" Read="no"/>
  <util:PermissionEx User="Administrators" GenericAll="yes"/>
</CreateFolder>

inside a Component element.

My results are always the same: Users still show permission for Read, Read and Execute, and List folder contents on the installed folder.

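My goal is very similar to "Restrict access to a folder installed with wix installer".

I have also looked at "WIX: Granting folder permissions" and "Wix: How to set permissions for a folder and all subfolders".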

Recommended answer

I am just wondering what your overall goal is (several options could apply):

  • Is the goal to prevent regular users from running the application? (if so, you could make elevation required for running - not great, but should work. Regular users would be asked for admin password on application launch. If they don't have it, they can't run the application - as far as I know - unless the admin account they elevate with has no password!).
  • Is the goal to prevent regular users from being able to list the content of the actual folder in question? Replacing the ACL (disable inherited rights) and only adding access for the user / users / groups you want to be able to access the folder should do the trick. No deny rights or specific rights for regular users needed. In other words just replace the existing ACL and add generic write for Administrators and full rights for SYSTEM?

As I am sure you are acutely aware of, modifying ACLs can have many side effects, especially deny rights (what happens during self-repair?). I don't have time to test specific ACLs right now, but I will check again tomorrow if you still need it. I think the require admin rights option might work for you?

Just want to add a quick way to test permissions that I discovered. Just modify the ACL permissions as desired in Windows Explorer. Then launch an elevated command prompt and navigate to the folder whose ACL you want to capture. Then go:

cacls.exe foldername /s

This should show a SDDL string that you can dump straight in WiX to use the new, built-in LockPermissionEx table in MSI files (MSI 5 only!):

<Component Feature="ProductFeature">
   <File Source="Files\Test.exe" />
   <CreateFolder>
     <PermissionEx Id="p1" Sddl="D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a8;;;BU)" />
   </CreateFolder>
</Component>

The above should yield a folder that has full access for SYSTEM, Administrators and "special access" for regular users (traverse folder / run file, read attributes, read extended attributes, read access). As stated below this does not work too well since administrators generally run non-elevated and then impersonate regular users (not 100% sure how this really works).

As you know there are many, different WiX elements that relate to permissioning (mid page), and you can also use custom actions to do permissioning (not recommended). Going to test a little bit more tomorrow. Maybe a combination of an elevated EXE with a protected data folder could work? Or maybe a way to make the triggering shortcut invoke elevation before the system tries to launch the file it points to without elevation.

UPDATE: Not much testing done today, but I got thinking about the list of possible options. Some of these options are just jotted down and not really viable. They are in to rule stuff out and to see if they could spark new and better ideas. Maybe 8, 1, 2, 3 & 6 could be used? Maybe in combination?

Combo?: Super-hidden installation folder that is also ACL-locked and accessed by an always elevated EXE run from a mapped drive? (accessing an access-based enumeration server share?):

  1. Lock / Hide & Elevate: hide sub folder with ACLs, then require UAC elevation on application launch by modifying the application manifest? A single launcher application EXE would be visible? (Can be super-hidden? See next bullet point).
    • Not great security-wise (once you elevate, access is pervasive), but I think it will work, and no regular user would be able to access the ACL-protected data sub-folder (they will see it though - but check out the next option with super-hidden folder status - combination possible?).
      • I will just mention that regular users will be asked for a password when trying to invoke executables that require admin rights to run. Without an admin password they can't run the application at all as far as I know. Can be forgotten in the heat of the moment, and a manager could miss that suddenly admin rights are required to run the application at all. I have seen it happen.
      • Though preventable by group policy for corporate networks, if there is a password-less, local administrator account (which could be common in small businesses), then any standard user can elevate to admin rights via that passwordless admin-account - at will - once prompted for an admin password.
        • Easy to forget.
        • Huge security hole.
        • There is the highest available elevation option that I have never tried (elevate to admin rights only for admin accounts, otherwise run with limited rights).

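Make folder super-hidden: this may be a silly option. It depends on your use case and how protected these files have to be. Are they just meant to be out of the way, or must they be "locked" and inaccessible? You can use a simple attrib command to give your folder a super-hidden flag: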

attrib +s +h "C:\Folder\"

The folder is now super-hidden like some core OS folders. Such a folder doesn't show up in Windows Explorer or in command line unless you take special steps to make it appear (show hidden OS files - see above link). But the folder is not locked for access if the users know the folder is there. Maybe you can combine the super-hidden flag with another approach? (hide the folder and lock it too?)

Access-Based Enumeration Server Share: this new server feature seems to be what you need actually. It hides folders that the user in question does not have access rights to, but I don't think the feature can be used on regular PCs (non servers). Perhaps it can? Something to check later. I don't know if storing files on a server share is an option or not?

  • You cannot configure NTFS permissions to hide files or folders from unauthorized users.
  • Access Based Enumeration in Windows Server 2016.
  • "Odd hack": Access Based Enumeration on Windows 7.
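
Added example (not part of the original answer, and not WiX or MSI code): a small Python check that decodes the DACL part of an SDDL string, such as the one `cacls.exe foldername /s` prints, and lists every allow ACE held by a trustee other than SYSTEM and Administrators. The function names are this example's own, and `LOCKED_SDDL` is constructed here by dropping the Users ACE from the string in the answer.

```python
import re

# File/directory access-mask bits (winnt.h values).
RIGHTS = {
    0x000001: "list folder / read data", 0x000002: "create files / write data",
    0x000004: "create folders / append data", 0x000008: "read extended attributes",
    0x000010: "write extended attributes", 0x000020: "execute / traverse folder",
    0x000040: "delete child", 0x000080: "read attributes",
    0x000100: "write attributes", 0x010000: "delete",
    0x020000: "read permissions", 0x040000: "change permissions",
    0x080000: "take ownership", 0x100000: "synchronize",
}
# SDDL file-rights aliases; other aliases (GA, GR, ...) are not handled here.
ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
SIDS = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users",
        "WD": "Everyone", "AU": "Authenticated Users"}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

def parse_dacl(sddl):
    """Return (protected, [(type, flags, mask, trustee), ...]) for the D: part."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for kind, flags, rights, sid in ACE.findall(m.group(2)):
        mask = ALIASES[rights] if rights in ALIASES else int(rights, 16)
        aces.append((kind, flags, mask, SIDS.get(sid, sid)))
    # "P" in the DACL flags means inherited ACEs from the parent are blocked.
    return "P" in m.group(1), aces

def describe(mask):
    """Names of the individual rights set in an access mask."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def unexpected_grants(sddl, allowed=("SYSTEM", "Administrators")):
    """Trustees outside `allowed` that hold an allow ACE, with their rights."""
    _, aces = parse_dacl(sddl)
    return {who: describe(mask) for kind, _, mask, who in aces
            if kind == "A" and who not in allowed}

# The SDDL string from the answer above.
PAGE_SDDL = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a8;;;BU)"
# Constructed for this example: the same string without the Users ACE.
LOCKED_SDDL = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"

if __name__ == "__main__":
    print(unexpected_grants(PAGE_SDDL))
    print(unexpected_grants(LOCKED_SDDL))
```

Run against the answer's string, the check reports the Users ACE and shows that mask 0x1200a8 has no "list folder / read data" bit; run against the constructed string, it reports nothing.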
