ipollock
Posts: 137
Joined: Wed Aug 31, 2016 10:46 am

Conditional Folder Permissions

Wed Sep 18, 2019 9:49 am

Good morning,

I am trying to analyse how a previous A.I. install developer managed to make conditional folder security. There is nothing obvious in the folder properties or organization controls. There are two Custom Actions that appear to just check if the folder already exists or not, CheckforScreens and CheckforScreensdeferred. These have appropriate sections in an external visual basic script file. I'll attach these but i'm not sure what part if any in deciding whether folder permissoins for a user are set.

So the crux of the matter:
1. During installation, the install user chooses frontend or backend install.
2. Both of these on a later dialogue accept/take USER_NAME and DOMAIN_NAME variables which populate the folder Permissoins (Edit Folder)
3. If the frontend is chosen then the folder permissions 'are not' set for the variables in 2.
4. If the backend is chosen then the folder permissoins 'are' set for the variables in 2.

Can't find any conditional logic to support 1 through 4.

Thanks for any insight.
Attachments
CheckForScreensDeferred.txt
(1.47KiB)Downloaded 244 times
CheckForScreens.txt
(1.48KiB)Downloaded 255 times

Catalin
Posts: 6537
Joined: Wed Jun 13, 2018 7:49 am

Re: Conditional Folder Permissions

Wed Sep 18, 2019 10:24 am

Hello,

Unfortunately, the sent .txt files do not seem to contain the logic necessary to set folder permissions. These scripts just seem to check if the folder exists and then write some custom events in the log file.

In the following lines:

Code: Select all

		if counted > 0 then
			WriteToLog("CheckForScreens: returned=0")
			Session.Property("APERTA_DEFAULTSCREENSEMPTY")="0"
		else
			WriteToLog("CheckForScreens: returned=1")
			Session.Property("APERTA_DEFAULTSCREENSEMPTY")="1"
I could notice that if the folders contain any files, then that property is set. Maybe he further uses that property in another custom action that sets the permissions.

From what I know, the permissions can be set (from the command line) using the icacls.exe and its predecessor cacls.exe tools. In the project, I would look if there is any custom action calling this .exe (for instance a "LaunchFile" custom action).

If you want me to further investigate this, please forward me a copy of the .AIP file and a download link for the setup (either EXE or MSI) which sets these permisisons by e-mail at support at advancedinstaller dot com and I will see what I can find.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

ipollock
Posts: 137
Joined: Wed Aug 31, 2016 10:46 am

Re: Conditional Folder Permissions

Wed Sep 18, 2019 11:50 am

Thanks for your quick reply Catalin.

There are more Custom Actions but none that are there for conditional folder permissions.
I will send the AIP file through so that you can look at it.

Thanks again.

ipollock
Posts: 137
Joined: Wed Aug 31, 2016 10:46 am

Re: Conditional Folder Permissions

Mon Sep 23, 2019 5:13 pm

Hi Catalin,
Did you receive all the materials that you needed?
Best regards,
Ian

Catalin
Posts: 6537
Joined: Wed Jun 13, 2018 7:49 am

Re: Conditional Folder Permissions

Tue Sep 24, 2019 9:00 am

Hello Ian,

First of all, please accept my apologies for the delayed reply.

Yes, I have received the files. I have also investigated them, quite a lot, actually.

Unfortunately, I was not able to find to anything that would influence a conditional folder permission. Beside the two custom actions that you've pointed me towards, I have checked all the CAs form the project, none of it looking like it would perform a conditional folder permission.

Are you sure that the EXE resulted after building the setup that you have sent me still replicates the behavior? If so, could you please give me some more details about what exactly are the folders that this setup conditionally sets the permission to?

From further investigating the project, I could notice that only few folders (from the "Files and Folders" page) have permissions set to them, for instance the "Settings" folder (under "Application Folder").

For instance, one permission that is set to that folder (right click on it --> "Properties" --> "Permissions" tab) is the following:

[DOMAIN_NAME] - [USER_NAME] - Full Control

In the "Dialogs" page --> under "First Time Install" --> "New Dialog", I could notice that these properties are assigned to "IIS User" section --> "User Name" and "Domain" fields.

Seeing this, I was wondering if somehow this has something to do with these properties. I have looked in the whole project, couldn't find anything that would point me to any useful direction.

Looking forward to hearing from you and hopefully we will be able to find the "culprit" here.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Building Installers”