[wix-users] A package that can be run elevated or not elevated
rob at firegiant.com
Sat Aug 22 08:35:51 PDT 2015
That is the Windows Installer behavior (the WiX toolset is not involved at this point). If the Windows Installer did not behave this way, it'd be considered a very significant bug.
You need to create a custom installation engine or update service that bypasses all the security protections of Windows and creates your own trust system that is hopefully just as secure.
If it sounds like a lot of work, it is. You'll want some security experts close by.
PS: your current design easily allows one user on the machine to attack another user of the machine. The only mitigation is to say, "Well, we trust all the users of the machine." (which isn't really much of a security statement <smile/>).
FireGiant | Dedicated support for the WiX toolset | http://www.firegiant.com/
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Furtado, Peter (GE Healthcare)
Sent: Saturday, August 22, 2015 7:45 AM
To: wix-users at lists.wixtoolset.org
Subject: [wix-users] A package that can be run elevated or not elevated
I am working with Christoph on this project and, yes, I am taking a lot of showers lately. But, I just want to narrow down the issue that is causing us the most concern at this point.
To summarize the situation we are in:
The legacy package we are converting to WiX is required to be installed by an administrator the first time so that it can install to its install folder under Program Files. During this first-time installation the package sets permissions on the install folder so that everybody has full control. They then allow subsequent upgrades to be executed by non-admins. They accomplish this by having the package deliver the files to a temp directory (first-time and subsequent installs), and then running a custom action to copy all the files to the install folder.
For our converted WiX package, we can install in perMachine scope as an admin user with no problems. When we attempt to run a subsequent upgrade as a non-admin, the WiX package displays a dialog box that says "You do not have sufficient privileges to complete this installation for all users of the machine. Log on as an administrator and then retry this installation." I'm assuming this is when it is attempting to install the files into its install folder under the Program Files directory. When we set the WiX package to perUser scope, we can successfully run subsequent upgrades as a non-admin user. This is great so far.
With perUser installs, the package will only show up in the Programs and Features applet for the user that installed it. We really need all users (or, at least, an administrator) to see all of these installs so that service engineers can maintain the workstations.
Any ideas on any of this? Thanks!
Staff Software Engineer
E pete.furtado at ge.com
40 IDX Drive
South Burlington, VT, 05403-7771, USA
General Electric Company, GE Healthcare
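
The condition the reply warns about, an install folder under Program Files that every user of the machine can write to, can be checked for on a workstation. The PowerShell audit below is an added example, not code from this thread or from the WiX project; the set of well-known SIDs treated as "broad" and the choice to inspect only the top-level folders are assumptions.

```powershell
# Added example (not from the thread): list top-level folders under Program Files
# whose ACL lets broad, non-admin groups write to them.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumption: these well-known SIDs stand for "ordinary users of the machine".
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow adding or replacing files, or rewriting the ACL itself.
$r = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
    $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor $r::TakeOwnership)
# Raw GENERIC_WRITE / GENERIC_ALL bits can appear on inherit-only ACEs.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

$findings = foreach ($dir in Get-ChildItem -LiteralPath $roots -Directory -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so localized or renamed group names still match.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $dir.FullName
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Folder, Principal | Format-Table -AutoSize -Wrap
```

Any row in the output is a folder where one standard user can change files that another user, or an administrator, will later run.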
WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/