为 Wix/Windows Installer 安装的文件指定权限时如何包含继承的权限? [英] How to include inherited permissions when specifying permissions for a file installed by Wix / Windows Installer?
问题描述
我提供给 Wix 编译器以构建我的应用程序的 MSI 包的 Wix 源代码包含以下 PermissionEx 指令,它是 Windows Installer 应安装的附加文件组件的一部分(以那些应该默认继承的)权限:
The Wix source code that I feed to the Wix compiler to build an MSI package for my application, contains the following PermissionEx directive, part of a file component which Windows Installer should install with additional (to those that should be inherited by default) permissions:
<PermissionEx Sddl="D:AR(A;;FW;;;BU)" />
如您所料,我打算安装具有继承权限(AR")的文件,该文件包含在其 ACL 中,并在此基础上允许内置用户组(BU")的成员("A") 写入文件(FW").
As you can surmise, I intend to install the file with inherited permissions ("AR") included in its ACL and on top of that allow members of the Built-in Users group ("BU") to be allowed ("A") to write to the file ("FW").
上面的代码没有达到预期的效果——安装了文件,但只列出了单个显式 ACE,没有任何应该从父文件夹继承的 ACE.
The code above does not have the desired effect -- the file is installed, but only that single explicit ACE is listed, none of the ACEs that are supposed to be inherited from parent folder.
相反,如果我随后从文件中删除所有权限并运行 cacls file/S:D:AR(A;;FW;;;BU),即指定完全相同的 SDDL 字符串,它确实按预期工作 - 来自父级的权限被继承并与显式非继承 ACE 一起构成 ACL 的一部分.
In contrast, if I subsequently remove all permissions from the file and run cacls file /S:D:AR(A;;FW;;;BU), i.e. specify exactly the same SDDL string, it does work as intended -- the permissions from parent are inherited and form part of the ACL, together with the explicit non-inherited ACE.
我使用的是 Wix 3.11.1.2318,Windows Installer 版本为 5.0.16299.611,均在 Windows 10 Enterprise 64 位上运行.Orca 告诉我嵌入在我构建的 MSI 文件中的 MsiLockPermissionsEx 表填充了预期的 SDDL 记录.那么为什么创建的文件没有从其包含的文件夹继承权限?
I am using Wix 3.11.1.2318 and the Windows Installer version is 5.0.16299.611, all running on Windows 10 Enterprise 64-bit. Orca tells me the MsiLockPermissionsEx table embedded in my built MSI file is populated with the intended SDDL record. So why is the file created without inheriting permissions from its containing folder?
我尝试使用AI"代替AR",并将两个字符串放在一起,但都没有任何效果.
I tried to use "AI" in place of "AR", and both strings together, but none of it had any effect either.
这是 Windows Installer 的一些已知限制还是怪癖?我知道人们在谈论旧的 LockPermissions 表(为 5 之前的 Windows Installer 版本指定的表)在这方面是不够的 - 继承权限,即 - 但他们也说微软打算通过新的表格功能解决这个问题.
Is this some known limitation or a quirk with Windows Installer? I know that people were talking a while back how the old LockPermissions table (the one specified for Windows Installer versions earlier than 5) was inadequate in this specific regard -- inherited permissions, namely -- but they also said Microsoft was out to address this very issue with the new table feature.
否则我做错了什么?
推荐答案
鉴于您在该领域的知识,您可能已经尝试过这个.消除对许可的需求也会好得多,但有两个片段供您使用 - 请注意 Append 属性:
Given your knowledge in this field, you probably have already tried this. It would also be much better to eliminate the need for permissioning, but two snippets for you - notice the Append attribute:
在 Visual Studio 中创建一个 WiX 项目.将 Util 命名空间添加到 WiX 元素:
Create a WiX project in Visual Studio. Add the Util namespace to the WiX element:
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
在 Visual Studio 项目中,右键单击 References 并添加对 "%ProgramFiles(x86)%\WiX Toolset v3.11\bin\WixUtilExtension.dll" 的引用.
In Visual Studio project, right click References and add reference to "%ProgramFiles(x86)%\WiX Toolset v3.11\bin\WixUtilExtension.dll".
权限文件夹:
<Component Feature="ProductFeature" Id="Test.exe" Guid="PUT-GUID-HERE">
<File Source="C:\Test.exe" />
<CreateFolder>
<util:PermissionEx User="Power Users" GenericWrite="yes" />
</CreateFolder>
</Component>
权限文件:
<Component>
<File Source="C:\Test2.exe">
<util:PermissionEx Append="yes" User="Users" GenericWrite="yes" />
</File>
</Component>
这篇关于为 Wix/Windows Installer 安装的文件指定权限时如何包含继承的权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
