You are viewing a plain text version of this content. The canonical link for it is here.

Posted to docs@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2007/08/21 05:37:38 UTC

Re: help with Vista UAC issues [was: Looking for Vincent Bray]

Jon Schwartz (NT) wrote:
> Vincent,
> 
> I own UAC and should be able to help you with the issues you listed here:
> 
> http://wiki.apache.org/httpd/WindowsVistaPlatform?highlight=%28Vista%29

The crux of the bug is that the

  [installpath]\conf\*

tree is propagated by rewriting temporary installs (under %temp%) of the
various config files.

During the install process.  This is done by invoking the awk.exe binary
using a substitution script.  Our trick is that we need to teach the
installer that only \conf\ and \logs\ can be rewritten during install
and operation.

Of course there are other possibilities of using user Documents tree,
but as a system service, this makes a little less sense than usual.

  http://svn.apache.org/repos/asf/httpd/httpd/win32-msi/trunk/

contains the install shield sources of this packaging.  Any helpful tips
would be appreciated, Jonathon.

Best place for this discussion is packagers@ since it's outside the usual
scope of the 'documentation', we'd simply like to get it right for this
installer package (and some other packagers use this same msi packaging).
If you could include packagers@ in your replies, we'll drop docs@ from
the dialog for the moment (except to bring them back good word that it's
been addressed).

FWIW - we can use

http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.4-win32-x86-no_ssl.msi

(as seen through the table view in orca) to discuss it, since the current
installshield format isn't as readable.

Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

Re: help with Vista UAC issues [was: Looking for Vincent Bray]

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

> From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net] 
> 
> Jon Schwartz (NT) wrote:
>> Bill,
>>
>> 	It looks like the issue actually boils down to mismarked custom actions in the package.  Specifically, the following custom actions are marked to run on behalf of the user (i.e., non-elevated), rather than on behalf of the machine (i.e., elevated):
>>
>> 	Custom Action			Current Type			"Promoted" Type (i.e., elevated equivalent)
>> 	----------------------------------------------------------------------------------------------------------------------------------
>> 	SelfRemoveService		1106				3154
>> 	SelfStopService		1106				3154
>> 	InstallConfFiles			1602				3650
>> 	RemovePriorService		1618				3666
>> 	SelfInstallService		1618				3666
>> 	SelfStartService		1746				3794
>> 	StartApacheMonitor		1746				3794
>>
>> 	(Note that SelfStartService and StartApacheMonitor only require elevation since interactive users don't have SERVICE_START permissions on the service)

FYI, I followed all of these changes, but decided to retain StartApacheMonitor,
the user can't be allowed to have that impersonating the localsystem in their
userspace, it's a security consideration because from there, they may launch
the full SCM, connect to remote machines, etc.

Suffice it to say, if they install as-user, and want to administer rather than
just view the world through ApacheMonitor, they will need to grant appropriate
permissions.

Bill

RE: help with Vista UAC issues [was: Looking for Vincent Bray]

Posted by "Jon Schwartz (NT)" <js...@windows.microsoft.com>.

Any time.  Definitely feel free to drop me a line if you end up having UAC-related questions in the future -- I'm always happy to help.

-----Original Message-----
From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net] 
Sent: Tuesday, August 21, 2007 10:05 AM
To: Jon Schwartz (NT)
Cc: packagers@httpd.apache.org
Subject: Re: help with Vista UAC issues [was: Looking for Vincent Bray]

Jon Schwartz (NT) wrote:
> Bill,
> 
> 	It looks like the issue actually boils down to mismarked custom actions in the package.  Specifically, the following custom actions are marked to run on behalf of the user (i.e., non-elevated), rather than on behalf of the machine (i.e., elevated):
> 
> 	Custom Action			Current Type			"Promoted" Type (i.e., elevated equivalent)
> 	----------------------------------------------------------------------------------------------------------------------------------
> 	SelfRemoveService		1106				3154
> 	SelfStopService		1106				3154
> 	InstallConfFiles			1602				3650
> 	RemovePriorService		1618				3666
> 	SelfInstallService		1618				3666
> 	SelfStartService		1746				3794
> 	StartApacheMonitor		1746				3794
> 
> 	(Note that SelfStartService and StartApacheMonitor only require elevation since interactive users don't have SERVICE_START permissions on the service)

DOH!

> 	I made these changes to generate the attached MSI transform from the package and verified that the install runs through without any of the "access denied" issues that hit before (i.e., Apache2 service is created, etc).

Thanks for validating.  I'll apply these changes to our packages.  We
appreciate this a ton!

> P.S.  Do you also deal with the ApacheMonitor, or is that a different group/alias?  I'd like to help get that Vista-ready as well.

You'll be glad to know we already picked that up.  No API changes at all,
just a shortsighted 'bail if we don't recognize the Win32 os version'.

We solved that permanently (well, until there is a significant API change ;-)
and it's being rolled out in the next release, already.

Thank you again for your help and detailed review!

Bill

Re: help with Vista UAC issues [was: Looking for Vincent Bray]

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Jon Schwartz (NT) wrote:
> Bill,
> 
> 	It looks like the issue actually boils down to mismarked custom actions in the package.  Specifically, the following custom actions are marked to run on behalf of the user (i.e., non-elevated), rather than on behalf of the machine (i.e., elevated):
> 
> 	Custom Action			Current Type			"Promoted" Type (i.e., elevated equivalent)
> 	----------------------------------------------------------------------------------------------------------------------------------
> 	SelfRemoveService		1106				3154
> 	SelfStopService		1106				3154
> 	InstallConfFiles			1602				3650
> 	RemovePriorService		1618				3666
> 	SelfInstallService		1618				3666
> 	SelfStartService		1746				3794
> 	StartApacheMonitor		1746				3794
> 
> 	(Note that SelfStartService and StartApacheMonitor only require elevation since interactive users don't have SERVICE_START permissions on the service)

DOH!

> 	I made these changes to generate the attached MSI transform from the package and verified that the install runs through without any of the "access denied" issues that hit before (i.e., Apache2 service is created, etc).

Thanks for validating.  I'll apply these changes to our packages.  We
appreciate this a ton!

> P.S.  Do you also deal with the ApacheMonitor, or is that a different group/alias?  I'd like to help get that Vista-ready as well.

You'll be glad to know we already picked that up.  No API changes at all,
just a shortsighted 'bail if we don't recognize the Win32 os version'.

We solved that permanently (well, until there is a significant API change ;-)
and it's being rolled out in the next release, already.

Thank you again for your help and detailed review!

Bill