WiX Permissions, how do I express 'Modify'

2019-05-09 11:23发布

问题:

I'm attempting to apply custom rights to a folder as part of a WiX 3.0.4318.0 installer.

In terms of the Security properties UI in explorer, I want to add Modify to the rights for BUILTIN\Users. Obviously it needs to be resilient against localisation of the user name. So based on my research to date, I want at least:

<CreateFolder Directory="XYZ" >
    <PermissionEx User="[WIX_ACCOUNT_USERS]" 
         GenericRead="yes" GenericWrite="yes" Delete="Yes" />
</CreateFolder>

Questions:

  1. I'm doing this in a subdirectory - am I correct in assuming that the choice between Permission and PermissionEx is Moot?

  2. What does 'Modify' in the Folder Permissions dialog in Explorer map to in terms of rights - I see many samples where people have translated it to a magic number or a big set of flags - what have other people used (the intent is to allow create, read, write, append and delete, which is best expressed in the UI in terms of Simple Rights as 'Modify'). I've looked at the underlying permissions with icacls which tells me its called 'M', but I have no way to map them to 'specific rights' (in terms as used by icacls /?). There's another mapping table in the windows help. Has anyone got an authorative answer that's worked?

There is a very similar unanswered question at Question regarding PermissionEx (WIX), which it would be cruel but fair to cite as a duplicate.

回答1:

The following combinations are what I've found

"modify" permission:

<util:PermissionEx GenericRead="yes" GenericWrite="yes"
   GenericExecute="yes" Delete="yes" DeleteChild="yes" User="SOMEUSER" />

"read" permission:

<util:PermissionEx Read="yes" GenericRead="yes" User="SOMEUSER" />


回答2:

After some more work on this, my findings are:

  1. In 3.0.5419.0, PermissionEx vs util:"PermissionEx vs Permission gets moot, and no Extended="true" like you see around the net with previous versions is required. Previous versions give errors at runtime resolving BUILTIN\USERS.
  2. Selecting the three rights I picked seems to achieve the requirements of my context

I'm still very interested in seeing other responses, as I remain a WiX-noob.



回答3:

To get it exactly as you would by setting the permissions by hand on Windows 7 and Windows XP using WiX 3.6, you would need to use this:

<util:PermissionEx 
    User="Users" Domain="BUILTIN" 
    GenericWrite="yes" GenericExecute="yes" GenericRead="yes" 
    Delete="yes" Synchronize="yes" />