Should I give "modify" permissions to 'everyone' or 'users' or 'authusers' if, under UAC, I want to make data folders and files writable to non-admin users of the program?
I want that basically everyone who can sit at the computer can read/write the data through the program. I've also read that using 'everyone' for modify permission can open a security hole over the network. What is the difference between everyone, users, and authusers? What are the security implications?
Implementation details for InnoSetup follow:
Using InnoSetup, I install an EXE in a standard Program Files subfolder, and a Data subfolder within it, like this:
C:\Program Files\My Prog\Prog.exe
C:\Program Files\My Prog\Data\MyData.dat
Now, to make it so that MyData.dat can be modified by Prog.exe even if Prog.exe is launched by a non-admin users, I give "modify" permissions to the subfolder "Data" with this line:
[Dirs]
Name: "{app}\Data"; Permissions: everyone-modify;
;This is the question: should I use users or authusers instead of everyone?
[Files]
Source: "MyProg.exe"; DestDir: "{app}"; Flags: replacesameversion;
Source: "MyData.dat"; DestDir: "{app}\Data"; Flags: replacesameversion;
This question is similar to 2686918 but I didn't find enough info there about the types of permissions, hence this new one. I'll update that question after clarifying this one.
InnoSetup in particular defines these groups:
admins Built-in Administrators group
authusers Authenticated Users group
everyone Everyone group
powerusers Built-in Power Users group
system Local SYSTEM user
users Built-in Users group
Which of those is the nearest to "any user who is sitting at the machine, admin, non-admin, or whatever, but nobody who is accessing the machine from networks"?