为 Wix/Windows Installer 安装的文件指定权限时如何包含继承权限? [英] How to include inherited permissions when specifying permissions for a file installed by Wix / Windows Installer?

问题描述

我提供给 Wix 编译器以为我的应用程序构建 MSI 包的 Wix 源代码包含以下 PermissionEx 指令，它是 Windows Installer 应安装的文件组件的一部分(以默认情况下应该继承的)权限:

The Wix source code that I feed to the Wix compiler to build an MSI package for my application, contains the following PermissionEx directive, part of a file component which Windows Installer should install with additional (to those that should be inherited by default) permissions:

<PermissionEx Sddl="D:AR(A;;FW;;;BU)" />

如您所料，我打算使用包含在其 ACL 中的继承权限(AR")安装该文件，除此之外，还允许允许内置用户组(BU")的成员("A") 写入文件 ("FW").

As you can surmise, I intend to install the file with inherited permissions ("AR") included in its ACL and on top of that allow members of the Built-in Users group ("BU") to be allowed ("A") to write to the file ("FW").

上面的代码没有达到预期的效果——文件已安装，但只列出了一个显式 ACE，没有一个应该从父文件夹继承的 ACE.

The code above does not have the desired effect -- the file is installed, but only that single explicit ACE is listed, none of the ACEs that are supposed to be inherited from parent folder.

相反，如果我随后从文件中删除所有权限并运行 cacls file/S:D:AR(A;;FW;;;BU)，即指定完全相同的 SDDL 字符串，它确实按预期工作 - 来自父级的权限被继承并构成 ACL 的一部分，以及显式的非继承 ACE.

In contrast, if I subsequently remove all permissions from the file and run cacls file /S:D:AR(A;;FW;;;BU), i.e. specify exactly the same SDDL string, it does work as intended -- the permissions from parent are inherited and form part of the ACL, together with the explicit non-inherited ACE.

我使用的是 Wix 3.11.1.2318，Windows Installer 版本为 5.0.16299.611，均在 Windows 10 Enterprise 64 位上运行.Orca 告诉我嵌入在我构建的 MSI 文件中的 MsiLockPermissionsEx 表填充了预期的 SDDL 记录.那么为什么创建文件时没有从其包含的文件夹继承权限?

I am using Wix 3.11.1.2318 and the Windows Installer version is 5.0.16299.611, all running on Windows 10 Enterprise 64-bit. Orca tells me the MsiLockPermissionsEx table embedded in my built MSI file is populated with the intended SDDL record. So why is the file created without inheriting permissions from its containing folder?

我尝试用AI"代替AR"，并将两个字符串连在一起，但也没有任何效果.

I tried to use "AI" in place of "AR", and both strings together, but none of it had any effect either.

这是一些已知的限制还是 Windows Installer 的怪癖?我知道人们不久前在谈论旧的 LockPermissions 表(为早于 5 的 Windows Installer 版本指定的表)在这一特定方面是不够的——即继承权限——但它们也表示微软打算用新的表格功能解决这个问题.

Is this some known limitation or a quirk with Windows Installer? I know that people were talking a while back how the old LockPermissions table (the one specified for Windows Installer versions earlier than 5) was inadequate in this specific regard -- inherited permissions, namely -- but they also said Microsoft was out to address this very issue with the new table feature.

否则我做错了什么?

推荐答案

鉴于您在该领域的知识，您可能已经尝试过.消除对许可的需求也会好得多，但是为您提供两个片段 - 请注意 Append 属性:

Given your knowledge in this field, you probably have already tried this. It would also be much better to eliminate the need for permissioning, but two snippets for you - notice the Append attribute:

在 Visual Studio 中创建一个 WiX 项目.将 Util 命名空间添加到 WiX 元素:

Create a WiX project in Visual Studio. Add the Util namespace to the WiX element:

<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">

在 Visual Studio 项目中，右键单击引用并添加对 "%ProgramFiles(x86)%WiX Toolset v3.11inWixUtilExtension.dll" 的引用.

In Visual Studio project, right click References and add reference to "%ProgramFiles(x86)%WiX Toolset v3.11inWixUtilExtension.dll".

权限文件夹:

<Component Feature="ProductFeature" Id="Test.exe" Guid="PUT-GUID-HERE">
   <File Source="C:Test.exe" />
   <CreateFolder>
     <util:PermissionEx User="Power Users" GenericWrite="yes"  />
   </CreateFolder>
</Component>

权限文件:

<Component>
   <File Source="C:Test2.exe">
      <util:PermissionEx Append="yes" User="Users" GenericWrite="yes" />
    </File>
</Component>

这篇关于为 Wix/Windows Installer 安装的文件指定权限时如何包含继承权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！