tags:

views:

706

answers:

3
+2  Q: 

File security attributes getting screwed up on file copy

I've a windows service that updates our product. It copies the product files into a temp directory, usually "C:\Windows\Temp", patches the binaries, and then uses MoveFileEx to copy the files back to the install directory on a reboot, usually "C:\Program Files\Product". The files in the install directory are inheriting their security attributes from the parent folder. After the copy, patch, and reboot, the files in the install directory are missing some ACLs. Specifically the files don't have the ACL for the Users group anymore so users can no longer run the program after the reboot.

Can anyone explain whats going on here? It seems that copying from the install directory to the temp directory, the files inherit the ACLs of the temp directory. On the MoveFileEx/Reboot, though, the files only inherit the ACLs that both the install and temp directories have in common.

A: 

This is normal behaviour for a file 'move' within the same drive or volume.

http://support.microsoft.com/kb/310316

 2008-10-14 22:15:59
+3  A: 

In Windows if you copy a file the file takes on the ACLs of the destination directory. If you move a file the ACL goes with it overriding any it might inherit from that directory. I'm not sure how MoveFileEx might operate differently on a file.

The temp directory is usually located under the user profile (both %TMP% and %TEMP% usually point here) so copying files here will have permissions for that user. Moving those files to the program files directory will take only that users rights with them and therefore only runnable by the installing user.

Duncan  2008-10-14 22:16:41
I think this probably nails the issue. One correction though, the %TEMP% directory for a service running with the ususal privileges is C:\Windows\Temp rather than a specific user's temp directory.
Charles  2008-10-15 13:35:21
A: 

One potential workaround is to patch copies of the files with-in the same directory but with different names. After the reboot, the patched versions could be swapped in. Alternatively, do a reboot first and then patch them in-place, and just back them up to the temp directory in the event a manual rollback is required.

If you really want to move them to a different location, creating a temp folder in the same place as the files to be patched would help the permissions stay the same assuming the directory is using inherited permissions.

J c  2008-10-14 22:26:48

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)