I've created an InstallShield 2015 (InstallScript) project which installs a .NET application in an installation directory.
The .NET application relies on a SQL CE 4.0 database.
The installation process is run under Administrator or local administrator account.
In the InstallShield project, I've put the emptied SQL CE 4.0 database .sdf file into the [CommonAppDataFolder]. The installation process will copy the database to the following location:
Windows Vista (or later): C:\ProgramData\MYCOMPANY\MYAPP\database.sdf
At the end of the installation process, the MSI will call a batch file to set write permissions for the "Users" group like this (because of the ownership taken when creating the file in the CommonAppData folder):
icacls C:\ProgramData\MYCOMPANY /T /grant *S-1-5-32-545:W
The application will be executed under a standard user process (not elevated by UAC) in order to connect and write to the compact database by members of the "Users" group.
I was wondering if I was allowed to perform the 'icacls' command without creating a security hole for IT administrators, and if I had to take into account other group SIDs?
Thanks in advance for your response,
It's acceptable to run icacls commands on folders & files which your installation created. Doing so on any other folder is considered a security breach (and some defensive software is able to detect and prevent it).
However, at least in a corporate environment, I would advise against hard-coded SIDs, unless there is a really good reason (e.g. a user or group which your installation creates itself).
Instead, the setup should present a dialog allowing the user to specify users and/or groups (local ones and, if applicable, domain ones) to which the permissions will be applied (effectively, those who can run the application).
You can use the SdLogonUserBrowse() function for this purpose.
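The following PowerShell script is an added example, not code from the question or the answer above, showing the same grant done the way the answer recommends: the principal is passed in (for instance the value collected from the setup dialog), defaulting to the local Users group resolved from its well-known SID rather than a hard-coded name; the ACE is applied only to the tree the installer created; and the result is read back and checked. The parameter names, the default path and the verification logic are assumptions for illustration; the script assumes it runs elevated, as the installation does.

```powershell
# Added example, not code from the original question or answer.
# Assumes the installer already created $Path itself; parameter names,
# the default path and the verification step are illustrative.
param(
    [string]$Path = 'C:\ProgramData\MYCOMPANY\MYAPP',

    # Principal to grant, e.g. a value collected from an install dialog
    # ('CONTOSO\AppUsers'). When omitted, fall back to the local Users group,
    # resolved from its well-known SID so the script also works on localized
    # Windows where the group is not literally named "Users".
    [string]$Identity
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not $Identity) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $Identity = $sid.Translate([System.Security.Principal.NTAccount]).Value   # "BUILTIN\Users" on English systems
}

# Only touch the folder the installer created; refuse anything else.
if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Installation folder '$Path' does not exist; nothing to grant."
}

$rights      = [System.Security.AccessControl.FileSystemRights]::Modify   # read, write, delete, execute; not Full Control
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # subfolders and files
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Identity, $rights, $inheritance, $propagation, $allow

$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: the ACE must be present on the folder and, through inheritance,
# on the database file the installer copied there.
$expected = $rights.value__
foreach ($item in @($Path, (Join-Path $Path 'database.sdf'))) {
    if (-not (Test-Path -LiteralPath $item)) { continue }
    $ace = (Get-Acl -LiteralPath $item).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq $allow -and
        (($_.FileSystemRights.value__ -band $expected) -eq $expected)
    }
    if (-not $ace) { throw "Expected Modify ACE for $Identity missing on $item" }
    Write-Host "OK: $Identity has Modify on $item"
}
```

Run it as `.\Grant-AppDataAccess.ps1 -Identity 'CONTOSO\AppUsers'` (hypothetical file and group names) from the elevated installer, or without `-Identity` to fall back to the local Users group. The ACE carries the ContainerInherit/ObjectInherit flags, so files the application creates later under the folder also pick it up, whereas `icacls ... /T` only rewrites objects that already exist; the equivalent icacls form would be `/grant "*S-1-5-32-545:(OI)(CI)M"`. Modify rather than Full Control keeps members of the group from changing the folder's permissions or ownership themselves.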