With the release of Windows 2000, Microsoft has published its
first OS with properly preconfigured file permissions
(DACLs). While this is to be applauded from a system management and
stability standpoint, it has the ill effect that many older programs,
which used to liberally change files and registry entries all across
the system while running, do not work any more.
It is neat to see programs getting slapped on their wrists whenever
they try to write to a protected area of the system. Unfortunately
many programs crash when they are not allowed to write where they
want. As time progresses, more and more new programs are released
which are aware of the Windows 2000 file permission structure
and behave reasonably. Actually, this is a precondition to pass
Microsoft's Windows 2000 compliance test.
Meanwhile, in the real world, we have to find a way to make the
current software work. Normally this is done by relaxing the file and
registry protection of exactly those areas where this is required. Figuring out
these areas is an art of its own. I usually use the tools Regmon
and Filemon from Sysinternals for this task.
Once the problematic objects and their required permissions have been established, I
use a Visual Basic script which calls functions from external DLLs in order
to change the file and registry ACLs accordingly.
Download the dacl.vbs script.
Note: instead of using dacl.vbs you should use SetACL, which
is much superior to my puny little script. The text below has not been revised
for SetACL yet, but the general principle is the same.

dAclfix.vbs needs ADsSecurity.dll and
RegObj.dll to work. You can get ADsSecurity.dll from
Microsoft's ADSI SDK 2.5 (it is in the directory
/ResourceKit/ADsSecurity.dll).
The ADSI SDK is available for download
from Microsoft. Extract the DLL from the package, copy it to a
place in your path and run:
regsvr32 adssecurity.dll
RegObj.dll is included in Office 2000 SR2 and is also
available directly from MS for registered VB users. Put the file into
a directory in your path and make sure you run:
regsvr32 regobj.dll

You configure dacl.vbs by editing the script. Open the
script in an editor and add the instructions you want executed. Here
is a short intro:
DACL function, url, "ace, ace, ..."
function -- Add, Rm, Set
url -- FILE://.... change this file/folder
FILE://c:\home\ change this folder and everything below
FILE://c:\home\\ change this folder and the folders below
RGY://\HKEY_LOCAL_MACHINE\SOFTWARE change this key
RGY://...\ and RGY://\...\\ are the same, as individual
registry values have no ACLs assigned
ace -- account:rights
account -- user or group
rights (file) -- F - Full, C - Change, R - Read + Execute,
S - Read + Write + Execute, L - List
rights (registry) -- F - Full, R - Read
Examples:
DACL "Add", "FILE://w:\hello.txt", "users:F,moetiker:F"
DACL "Add", "FILE://w:\hello\", "users:R,oetiker:F,moetiker:F"
DACL "Rm", "FILE://w:\oops.txt", "everyone"
DACL "Add", "RGY://\HKEY_CURRENT_USER\SOFTWARE\ipswitch\ws_ftp\", "users:F"
After editing the script you can start it from the command line
with cscript dacl.vbs
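As an added example that is not code from dacl.vbs or SetACL, here is a PowerShell function which applies one "Add" directive written in the dacl.vbs notation above (FILE:// or RGY:// url plus an "account:rights" list) using Get-Acl and Set-Acl. The mapping of the rights letters to .NET FileSystemRights/RegistryRights values is my reading of the legend, not the script's own table, and the accounts in the sample calls are the ones from the examples above.

```powershell
# Added example, not code from dacl.vbs or SetACL: applies one "Add" directive
# written in the dacl.vbs notation (FILE:// or RGY:// url plus "account:rights"
# list) with Get-Acl/Set-Acl. The letter-to-rights mapping below is this
# example's reading of the legend above, not the script's own table.
Set-StrictMode -Version 2
$FSR = [System.Security.AccessControl.FileSystemRights]
$FileRights = @{ F = $FSR::FullControl; C = $FSR::Modify; R = $FSR::ReadAndExecute
                 S = $FSR::ReadAndExecute -bor $FSR::Write; L = $FSR::ReadAndExecute }
$RGR = [System.Security.AccessControl.RegistryRights]
$RegRights = @{ F = $RGR::FullControl; R = $RGR::ReadKey }

function Add-DaclEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]   # gives the function -WhatIf
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][string]$Aces)
    if (-not ($Url -match '^(FILE|RGY)://(.+)$')) { throw "unsupported url: $Url" }
    $scheme, $body = $Matches[1], $Matches[2]
    # Trailing "\" = object and everything below (CI+OI); "\\" = folders below only (CI).
    $IFlags = [System.Security.AccessControl.InheritanceFlags]
    $inherit = $IFlags::None
    if ($body.EndsWith('\\'))    { $inherit = $IFlags::ContainerInherit }
    elseif ($body.EndsWith('\')) { $inherit = $IFlags::ContainerInherit -bor $IFlags::ObjectInherit }
    $body = $body.TrimEnd('\')
    if ($scheme -eq 'RGY') {
        $path = 'Registry::' + $body.TrimStart('\')   # values carry no ACL, so keys only
        if ($inherit -ne $IFlags::None) { $inherit = $IFlags::ContainerInherit }
        $rights = $RegRights
    } else {
        $path = $body; if ($path -match '^[A-Za-z]:$') { $path += '\' }   # keep drive roots intact
        $rights = $FileRights
    }
    $acl = Get-Acl -Path $path
    foreach ($ace in $Aces -split ',') {
        $account, $letter = $ace.Trim() -split ':', 2
        if (-not $letter -or -not $rights.ContainsKey($letter)) { throw "bad ace '$ace' for $Url" }
        $ctorArgs = @($account, $rights[$letter], $inherit,
                      [System.Security.AccessControl.PropagationFlags]::None,
                      [System.Security.AccessControl.AccessControlType]::Allow)
        $rule = if ($scheme -eq 'RGY') {
            New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ctorArgs
        } else {
            New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
        }
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($path, "grant '$Aces'")) { Set-Acl -Path $path -AclObject $acl }
}

# The page's examples as calls; -WhatIf shows what would change without touching the ACL.
Add-DaclEntry -Url 'FILE://w:\hello\' -Aces 'users:R,oetiker:F,moetiker:F' -WhatIf
Add-DaclEntry -Url 'RGY://\HKEY_CURRENT_USER\SOFTWARE\ipswitch\ws_ftp\' -Aces 'users:F' -WhatIf
```

Run the calls without -WhatIf from an elevated prompt to actually apply the entries; the function only ever adds Allow ACEs, so review the resulting ACL with Get-Acl afterwards.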

When you create an MSI for an application which must be able to write
into protected system areas, you can integrate dacl.vbs. Here is how:
Add a copy of the two DLLs to the package and install them somewhere
below the INSTALLDIR of the package. Make sure you click Self register in
the file property dialog.
Customize dacl.vbs according to the needs of the application and add it
to the MSI somewhere below INSTALLDIR, for example next to the DLLs.
Add a custom action:
Type: Call Exe File
Source: File on destination machine
Name: DACL
InstDir: SystemFolder
Exe Cmd: wscript.exe "[!dacl.vbs]"
Sequence: Install Execute Sequence (Before InstallFinalize)
Condition: NOT REMOVE~="ALL"
I-S Opt: System Context
Process: Asynch, Wait at end of sequence
Note that the MSI standard contains a table for defining such permission
settings (LockPermissions), and starting with Wise for Windows Installer 3.5
there is an interface for editing this table. See the MSI document for some
notes regarding this feature.