I'm struggling with this one. I need to set the permissions of the App_Data folder in an ASP.NET site to Modify for the NetworkService account via my WiX installer. I tried the following but with no luck.

    <CreateFolder>
      <util:PermissionEx GenericAll="yes" ChangePermission="yes" Delete="yes" 
        DeleteChild="yes" User="[WIX_ACCOUNT_NETWORKSERVICE]" />
    </CreateFolder>

I tried also specifying Append but I got an error saying it's not allowed.

+1  A: 

Well, I figured out an answer (probably not the answer). You can't set the file permission using util:PermissionEx for the "Network Service" account (it's not a well-known SID or something like that). In the end, I wrote a custom action that sets the permission using the cacls.exe utility.

    <CustomAction Id="PermissionAppData" Directory="TARGETDIR" 
      ExeCommand="&quot;[SystemFolder]cacls.exe&quot; 
      &quot;[INSTALLDIR]\App_Data&quot;
      /T /E /G &quot;NT AUTHORITY\Network Service:C&quot;" Return="check" />
Mike Ward
This is not the best answer. :) Seems like PermissionEx will give you what you want.
Rob Mensching
+1  A: 

You want User="NetworkService". There is a list of well known users in the SecureObj.cpp code that backs PermissionEx.

    // figure out the right user to put into the access block
    if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Everyone"))
    {
        hr = AclGetWellKnownSid(WinWorldSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Administrators"))
    {
        hr = AclGetWellKnownSid(WinBuiltinAdministratorsSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"LocalSystem"))
    {
        hr = AclGetWellKnownSid(WinLocalSystemSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"LocalService"))
    {
        hr = AclGetWellKnownSid(WinLocalServiceSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"NetworkService"))
    {
        hr = AclGetWellKnownSid(WinNetworkServiceSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"AuthenticatedUser"))
    {
        hr = AclGetWellKnownSid(WinAuthenticatedUserSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Guests"))
    {
        hr = AclGetWellKnownSid(WinBuiltinGuestsSid, &psid);
    }
    else if(!*pwzDomain && 0 == lstrcmpW(pwzUser, L"CREATOR OWNER"))
    {
        hr = AclGetWellKnownSid(WinCreatorOwnerSid, &psid);
    }
    else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"INTERACTIVE"))
    {
        hr = AclGetWellKnownSid(WinInteractiveSid, &psid);
    }
    else if(!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Users"))
    {
        hr = AclGetWellKnownSid(WinBuiltinUsersSid, &psid);
    }
    else

The Windows Installer LockPermission table (the Permission element in WiX) also supports most well-known names, but they are localized, which is a really poor design, IMHO. That's why WiX has this known list.

Rob Mensching
I had a feeling I was close on the first try but I had hit a wall and had to get something working. Thanks for keeping me on the straight and narrow.
Mike Ward
I see where I went wrong. I tried PermissionEx at one time with "Network Service" (note the space) because that is how it shows up in the user list in the security dialog in Windows. The well-known name here has no space.
Mike Ward
Yeah, well really that list should be in the documentation anyway. <sigh/>
Rob Mensching
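
The fix from Rob Mensching's answer, written out as a WiX fragment (an added example, not code from the original posts or from the WiX project): it uses the well-known name `NetworkService` and, in place of the `GenericAll`/`ChangePermission` grant from the question, only the rights that make up Modify. The WiX v3 namespaces, the `AppDataDir` and `AppDataPermissions` ids and the GUID placeholder are assumptions; `INSTALLDIR` is the directory id used in the posts above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Namespaces assume WiX v3 with WixUtilExtension
     (build with: candle -ext WixUtilExtension / light -ext WixUtilExtension). -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
  <Fragment>
    <!-- INSTALLDIR is the site's install directory, as in the posts above. -->
    <DirectoryRef Id="INSTALLDIR">
      <!-- "AppDataDir" is a hypothetical id for the App_Data folder. -->
      <Directory Id="AppDataDir" Name="App_Data">
        <!-- Hypothetical component; replace the GUID placeholder. -->
        <Component Id="AppDataPermissions" Guid="PUT-GUID-HERE">
          <CreateFolder>
            <!--
              User is the well-known name from the SecureObj.cpp list:
              "NetworkService", no space, no Domain attribute.

              Modify = generic read + generic write + generic execute + Delete.
              Deliberately left out compared with the question's attempt:
                GenericAll       (Full Control)
                ChangePermission (lets the account rewrite this folder's ACL)
                DeleteChild      (part of Full Control, not of Modify)
            -->
            <util:PermissionEx User="NetworkService"
                               GenericRead="yes"
                               GenericWrite="yes"
                               GenericExecute="yes"
                               Delete="yes" />
          </CreateFolder>
        </Component>
      </Directory>
    </DirectoryRef>
  </Fragment>
</Wix>
```

After installing, `icacls "<install dir>\App_Data"` should list an entry for `NT AUTHORITY\NETWORK SERVICE` with `(M)` rather than `(F)`.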