tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Preißer <>
Subject RE: Some security-related questions / enhancements for the Windows Installer
Date Wed, 18 Dec 2013 19:00:25 GMT

> -----Original Message-----
> From: Konstantin Preißer []
> Sent: Wednesday, December 18, 2013 6:24 PM

> > - the user group "Administrators" is the name in English.  In other locales, it
> is
> > different (French : Administrateurs; German : Administratoren; Spanish:
> > Administratores,
> > etc.). That can be overcome, but also would complicate the installer.
> OK, but I'd think there is a way to use non-local names when modifying file
> ACLs (or at least get the localized name).

It works e.g. with icacls.exe, but I haven't tried WinAPIs.

I was able to grant the "NetworkService" user full access to the folder "C:\testfolder" and
subdirectories/files with any of the following commands (on a german Windows Server 2012 R2):
1) icacls testfolder /grant NetworkService:(OI)(CI)(F)
2) icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
3 icacls testfolder /grant Netzwerkdienst:(OI)(CI)(F)

1) uses the non-local name "NetworkService".
2) uses the numeric SID for NetworkService as described at [1] which is identical on each
windows system. However, this SID is only available since Windows Vista and Server 2008.
3) uses a localized account name.

So I think localized account names shouldn't be an issue for the installer (but I'm nut sure
running icacls.exe is the best way for an Installer to set file permissions - I haven't checked
how that works e.g. with WinAPIs).

Note however, that using "Administrators" with icacls.exe didn't work for me (the localized
name "Administratoren" worked), but the numeric SID of Administrators, S-1-5-32-544, did work.


Konstantin Preißer

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message