tomcat-users mailing list archives

From Konstantin Preißer <kpreis...@apache.org>
Subject RE: Some security-related questions / enhancements for the Windows Installer
Date Wed, 18 Dec 2013 19:00:25 GMT

> -----Original Message-----
> From: Konstantin Preißer [mailto:kpreisser@apache.org]
> Sent: Wednesday, December 18, 2013 6:24 PM

> > - the user group "Administrators" is the name in English.  In other locales, it is
> > different (French : Administrateurs; German : Administratoren; Spanish: Administratores,
> > etc.). That can be overcome, but also would complicate the installer.
> 
> OK, but I'd think there is a way to use non-local names when modifying file
> ACLs (or at least get the localized name).

It works e.g. with icacls.exe, but I haven't tried WinAPIs.

I was able to grant the "NetworkService" user full access to the folder "C:\testfolder" and
subdirectories/files with any of the following commands (on a German Windows Server 2012 R2):
1) icacls testfolder /grant NetworkService:(OI)(CI)(F)
2) icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
3) icacls testfolder /grant Netzwerkdienst:(OI)(CI)(F)

1) uses the non-local name "NetworkService".
2) uses the numeric SID for NetworkService as described at [1] which is identical on each
Windows system. However, this SID is only available since Windows Vista and Server 2008.
3) uses a localized account name.


So I think localized account names shouldn't be an issue for the installer (but I'm not sure
running icacls.exe is the best way for an Installer to set file permissions - I haven't checked
how that works e.g. with WinAPIs).

Note however, that using "Administrators" with icacls.exe didn't work for me (the localized
name "Administratoren" worked), but the numeric SID of Administrators, S-1-5-32-544, did work.


[1] http://support.microsoft.com/kb/243330/en-us


Regards,
Konstantin Preißer
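
The following PowerShell script is an added example, not part of the original message and not the Tomcat installer's code. It applies the SID-based icacls grant from command 2) to both SIDs quoted above, prints the localized name each SID resolves to, and then verifies the resulting ACEs by SID instead of by name. The scratch folder path and variable names are assumptions.

```powershell
# Added example: grant and verify ACLs by well-known SID, independent of the
# Windows display language. $Path is a hypothetical scratch folder.
param([string]$Path = (Join-Path $env:TEMP 'acl-sid-demo'))

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# The two well-known SIDs quoted in the message.
$sids = [ordered]@{
    'NetworkService' = 'S-1-5-20'
    'Administrators' = 'S-1-5-32-544'
}

foreach ($entry in $sids.GetEnumerator()) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Value)

    # Resolve the SID to the account name this installation displays
    # (localized, e.g. "Administratoren" on a German system).
    $localName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    Write-Host ("{0,-15} {1,-13} -> {2}" -f $entry.Key, $entry.Value, $localName)

    # Same form as command 2): the leading '*' tells icacls the token is a SID.
    $grant = "*{0}:(OI)(CI)(F)" -f $sid.Value
    & icacls.exe $Path /grant $grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $($sid.Value)" }
}

# Verify by comparing SIDs, never names: read back only the explicit ACEs,
# with identities returned as SIDs rather than translated account names.
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules = (Get-Acl -Path $Path).GetAccessRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier])

foreach ($value in $sids.Values) {
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    if (-not $hit) { throw "No explicit full-control ACE found for $value" }
}
Write-Host "Explicit full-control ACEs present for: $($sids.Values -join ', ')"
```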

