I got an MSI setup with personalized UI and Custom Actions working properly. It will be deployed on a specific park of computers, with always the same account design:
An Operator account with classic privilege.
A Setup account with administrator privilege.
We want to be able to launch our MSI on both accounts, but when doing it from the Operator account, have to fill in a form asking for the Setup credentials and install everything as if it were done while logged in as the Setup user.
Is there a Windows/MSI tool for that?
Can I do it with a specific Custom Action launched before the display of the UI?
Thanks for your help
When you deploy an MSI to a user that has standard privileges this will always ask you for Admin credentials to install the MSI (assuming the MSI is a per-machine install and not a per-user install).
If you deploy your software via SCCM or other infrastructure management tool you can place this to run in an Administrator Context, thus, you won't need the Administrator privileges in order to install it.
Also, when you test an MSI it's nice to test it with PsExec. What is PsExec? Check it here.
PsExec is a portable tool from Microsoft that lets you run processes remotely using any user's credentials. If you run psexec -s -i (in a cmd with administrator rights) this will impersonate the System account and thus allow you to install applications without requiring you to provide administrative rights (password, etc).
PsExec is a must when you test MSIs. For example, if you have any user data in your MSI. Because, when you install an MSI from another account, not all the data is automatically placed on the other user, for this you have to use ActiveSetup or other solutions to make it available on all users. See more about userdata here and any other MSI topics.
If you are installing an MSI from an Administrator account and want to run different actions on the current logged in user, I designed a tool for this that can be downloaded here.
So, to answer your question more directly, you can't suppress the credentials dialog as a normal user. The MSI must be deployed from some infrastructure management tool like SCCM, or another solution (which I don't recommend) is to design the MSI to be a per-user installation.
Related
As custom action of a WiX-based installer (MS Windows 7), I need to check out some files from a StarTeam server. stcmd seems to provide all functionality and I am able to perform the checkout with UID and password provided via parameter -p.
Since the installer is run by different users, I obviously need a mechanism to inquire the StarTeam login credentials at run-time instead of hard-coding UID/pw.
I was browsing the StarTeam manual but was not able to figure out if the StarTeam programs provide a solution to that problem. Any suggestions?
Sorry, this just doesn't make sense to me. Typically you include files from source control in the MSI at build time not install time. What does install time buy you other than complexity? Now application runtime would make sense to me. You could create and install an application that prompts the user for creds and then periodically polls StarTeam for updated files. (Windows service, scheduled task, logon autorun...)
Couldn't you prompt your users for the login information during the install and then pass them to the stcmd.exe?
Meh, the solution is trivial. When using an empty password, stcmd automatically asks for the password. Example:
stcmd connect username:#hostname:portnumber
Using the stateful commands is recommended since the credentials are stored internally for all subsequent commands.
I am distributing a multi-user MS Access FE database which needs to reside on the local workstation and could use some help with configuring an INNO Setup installer. Because of MS Access macro securities, each user is required to run the installer which sets up the HKCU registry information and user application icons.
My issue is that after multiple users on a single workstation have run the installer, if one of the users uninstalls, the MS Access FE is removed from all users.
Is there a way to create an installation log file that will keep track of how many times the application is installed and uninstalled on a single workstation and only uninstall the MS Access FE when the install log is empty?
P.S. The installer needs to run without admin privileges.
I'm currently developing an application which needs root privileges for several operations (e.g. deleting system log files, etc.). One solution would be to implement a privileged helper tool which will be launched automatically by launchd. This way the user has to type in an administrator password every time such operation shall be executed (or every time the helper needs to be installed).
Now I wonder if it is possible to create an installer package which will install the application with root privileges so the user types in the administrator credentials just once (during the installation process) and every time the application gets started it is being launched with root permissions (without prompting for admin credentials).
Is there any way to achieve this?
The usual way to do this on Unix systems is to use setuid. Basically, you change the owner of your program to be root, and set the "set user or group ID on execution" bit (s):
$ chown root:root myprogram
$ chmod u+s myprogram
Any time a user then executes your program, it will run as root.
Note, though, that there are very good reasons for prompting for admin credentials.
Using this mechanism (or doing what you're trying to do, in general) can very easily lead to very dangerous security holes like privilege escalation. Any executable you use setuid on should be thoroughly audited by someone familiar with the process, otherwise attackers will root all machines your program is installed on.
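The audit the answer above asks for starts with knowing which setuid files exist and whether anyone but the owner can write to them. The following is an added example, not part of the original answer; the function names are hypothetical and it relies only on POSIX find, ls and awk.

```shell
#!/bin/sh
# Added example: inventory setuid files so each one can be reviewed.
# Function names are hypothetical; only POSIX find/ls/awk are used.

# list_setuid DIR: every regular file under DIR with the setuid bit (04000).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# list_setuid_loose DIR: setuid files that group or others may also write to.
list_setuid_loose() {
    find "$1" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# audit_setuid DIR: one line per setuid file:
#   <status> uid=<owner uid> <mode string> <path>
# The program runs with the owner's identity, so uid=0 means it runs as root.
audit_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        owner=$(ls -ldn -- "$f" | awk '{print $3}')
        mode=$(ls -ldn -- "$f" | awk '{print $1}')
        if [ -n "$(find "$f" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            status=WRITABLE   # permissions wider than owner-only write
        else
            status=ok
        fi
        printf '%s uid=%s %s %s\n' "$status" "$owner" "$mode" "$f"
    done
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```

Lines reported as WRITABLE, and any uid=0 entry that was not installed deliberately, are the ones to review first.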
I have a certificate in which I need read permissions of a certificate of a very specific group when installing an application. I am using the WiX installer to install the app and certificate but for the life of me, I cannot find a way to provide the correct group. It needs to be in the local machine store but it seems that when I install the certificate with WiX it automatically gives permissions r:w to administrators, msiserver, and system and no rights to owner rights.
I need a 5th group to be defined in there with read permission and must be able to do this on install as manual configuration is out of the question.
Is there a way to do this with WiX?
It seems that this is not easy, but it's doable: Modifying security on installed certificates
Perhaps you should try using a custom action to install the certificate instead of the WiX built-in support. This way maybe it will use the default permissions which work for you.
The problem is that in our clients their normal user doesn't have administrator privileges so when they have to install or update our programs they have to log again as administrator to install them and then log as their user which is cumbersome...
As some updates are automatic the "run as" solution isn't a valid one...
One good idea would be to mark a folder as "admin folder" so all the exes executed from that folder run as administrator (having configured the admin account previously)
or a configurable list of executable names that must run as administrator (I say names because it could be different installers with different hash but with a generic exe name that identifies it as ours)
Does anyone know a program or Windows configuration or C# code to achieve something like this?
It seems nobody knows how to do it or doesn't want to tell because it's a security hole... ironically having this escalating privileges hole would be better than having the user as administrator for everything :S... (Apart from not being a valid solution for our clients)