Setting permissions on installation

wingnut

I feel I must be missing something. I am using a VB.NET Web Deployment project to create a Windows installer for a VB.NET web application. The installation has to run on Windows 2003 Server. The app can write temporary files, so I need to grant write and read permissions on a "Temp" subfolder of the app's virtual directory to IIS_WPG (the account group under which an ASP.NET app runs).

I don't want to use the Orca tool to tweak the msi, because I'd have to do it every time I rebuilt the deployment project.
Is there no vb way of doing this as one of my custom actions?
Do I have to install ADsSecurity.dll on the target machine and run a vb script?
I could run Cacls.exe if I knew a way to execute it from within my CustomActions.dll.

Any ideas would be very welcome.

Wingnut.
 
For a while I thought I'd got the solution to this. I was advised to explicitly include a Temporary files subfolder using the File System view of the web deployment project. In its properties it is possible to set AllowWriteAccess to True. However, all this does is set the Write permission in IIS so that PUT requests are allowed. FileIO permission is still needed.

I have had to settle for a solution using Orca, as supplied by Microsoft. Here it is free for anyone else:
"1. I added a websetup project to my web application in Visual Studio.NET and added a subfolder (Temp) to the setup.


2. I created the *.msi file with options Build "Release", Bootstrapper "None" and Compression "Optimized for size" to get just the *.msi without the bootstrapper files (which are present on Win 2000 and higher -> all platforms which support ASP.NET)


3. I edited this msi file with Orca.exe (included in the Windows Installer SDK)

a) I inspected the msi file and went to the table directory

In the right pane you see all directories created during the setup process. You should also see your directory for the Temp folder under the TARGETDIR parent (TEMP|Temp in the msi file). Go to the column "Directory" and copy the value for your Temp directory (looks like a cryptic string, in my case it is _7A3DCE8D705B4E81BF76FFA5C8269B42)


b) Go back to the left pane and navigate to the table LockPermissions, in the right pane right click and choose "Add Row"

Enter the following values for the row:

LockObject: _7A3DCE8D705B4E81BF76FFA5C8269B42 (<- the string value as mentioned before)

Table: CreateFolder

Domain: leave empty (no value which is local)

User: NetworkService

Permission: 1074921609 (read write access)

How did I get the permission value?

See:

HOWTO: Set Permissions Using the LockPermissions Table

ID: 288975.KB.EN-US

http://support.microsoft.com/?id=288975

The permissions that can be set are as follows:

| Privilege constant | Hexadecimal | Decimal    |
+====================+=============+============+
| GENERIC_ALL        | 0x10000000  | 268435456  |
| GENERIC_WRITE      | 0x40000000  | 1073741824 |
| GENERIC_EXECUTE    | 0x20000000  | 536870912  |
| KEY_READ           | 0x00020019  | 131097     |
| FILE_GENERIC_READ  | 0x01020089  | 1179785    |
+====================+=============+============+

To get read write access add FILE_GENERIC_READ + GENERIC_WRITE = 1179785 + 1073741824 = 1074921609"
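The Permission arithmetic above can be reversed to review what an MSI's LockPermissions rows actually grant. The following is an added example, not part of the original post or of Microsoft's article: it decodes Permission values for file and folder objects using the standard Windows access-mask bits and lists the rows that give an account modify rights. The function names and the two `_CONSTRUCTED_` rows are assumptions made for illustration.

```python
# Added example: decode and review LockPermissions.Permission values (file/folder objects).
# Bit values are the standard Windows access-mask constants; sample rows are constructed.
GENERIC = {
    "GENERIC_READ": 0x80000000,
    "GENERIC_WRITE": 0x40000000,
    "GENERIC_EXECUTE": 0x20000000,
    "GENERIC_ALL": 0x10000000,
}
# FILE_GENERIC_READ is a composite right; its parts sum to the decimal 1179785 quoted above.
FILE_READ_PARTS = {
    "SYNCHRONIZE": 0x00100000,
    "READ_CONTROL": 0x00020000,
    "FILE_READ_ATTRIBUTES": 0x00000080,
    "FILE_READ_EA": 0x00000008,
    "FILE_READ_DATA": 0x00000001,
}
FILE_GENERIC_READ = sum(FILE_READ_PARTS.values())


def decode(permission):
    """Split a Permission value into named rights plus any bits this table does not know."""
    names, rest = [], permission & 0xFFFFFFFF  # the column is a signed 32-bit integer
    if rest & FILE_GENERIC_READ == FILE_GENERIC_READ:
        names.append("FILE_GENERIC_READ")
        rest &= ~FILE_GENERIC_READ
    for name, bit in {**GENERIC, **FILE_READ_PARTS}.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    return names, rest


def write_grants(rows):
    """Return (user, lock_object, rights) for every row that lets the account modify the object."""
    found = []
    for lock_object, _table, _domain, user, permission in rows:
        rights, _unknown = decode(permission)
        if {"GENERIC_WRITE", "GENERIC_ALL"} & set(rights):
            found.append((user, lock_object, rights))
    return found


ROWS = [  # LockObject, Table, Domain, User, Permission
    ("_7A3DCE8D705B4E81BF76FFA5C8269B42", "CreateFolder", "", "NetworkService", 1074921609),  # row from the post
    ("_CONSTRUCTED_KEY_A", "CreateFolder", "", "Everyone", 268435456),  # constructed: GENERIC_ALL
    ("_CONSTRUCTED_KEY_B", "CreateFolder", "", "NetworkService", 1179785),  # constructed: read only
]

if __name__ == "__main__":
    for user, obj, rights in write_grants(ROWS):
        print(f"{user} can modify {obj}: {' | '.join(rights)}")
```

Windows Installer applies LockPermissions rows as the object's complete ACL rather than merging them with inherited entries, so review all rows for a folder together.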
 