Sorry for the spam...

> -----Original Message-----
> From: Konstantin Preißer [mailto:kpreis...@apache.org]
> Sent: Wednesday, December 18, 2013 8:00 PM
> To: 'Tomcat Users List'
> Subject: RE: Some security-related questions / enhancements for the
> Windows Installer
>
> > -----Original Message-----
> > From: Konstantin Preißer [mailto:kpreis...@apache.org]
> > Sent: Wednesday, December 18, 2013 6:24 PM
> >
> > > - the user group "Administrators" is the name in English. In other
> > > locales, it is different (French : Administrateurs; German :
> > > Administratoren; Spanish: Administratores, etc.). That can be
> > > overcome, but also would complicate the installer.
> >
> > OK, but I'd think there is a way to use non-local names when modifying file
> > ACLs (or at least get the localized name).
>
> It works e.g. with icacls.exe, but I haven't tried WinAPIs.
>
> I was able to grant the "NetworkService" user full access to the folder
> "C:\testfolder" and subdirectories/files with any of the following commands
> (on a German Windows Server 2012 R2):
> 1) icacls testfolder /grant NetworkService:(OI)(CI)(F)
> 2) icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
> 3) icacls testfolder /grant Netzwerkdienst:(OI)(CI)(F)
>
> 1) uses the non-local name "NetworkService".
> 2) uses the numeric SID for NetworkService as described at [1] which is
> identical on each Windows system. However, this SID is only available since
> Windows Vista and Server 2008.

Sorry, that was wrong - I misread the "Note Added in Windows Vista and Windows Server 2008" description, it belongs to another SID. The SID S-1-5-20 for the NetworkService (and related SIDs) also work in Windows Server 2003.

> 3) uses a localized account name.
>
> So I think localized account names shouldn't be an issue for the installer
> (but I'm not sure running icacls.exe is the best way for an Installer to set
> file permissions - I haven't checked how that works e.g. with WinAPIs).
>
> Note however, that using "Administrators" with icacls.exe didn't work for me
> (the localized name "Administratoren" worked), but the numeric SID of
> Administrators, S-1-5-32-544, did work.

It also did not work for me with "Local Service", whereas "S-1-5-19" or "Lokaler Dienst" worked.

> [1] http://support.microsoft.com/kb/243330/en-us

Regards,
Konstantin Preißer
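An added example, not part of the original message or of the Tomcat installer: the SID-based grant from command 2) done through the .NET ACL classes in PowerShell instead of icacls.exe, together with the lookup from SID to the locale-specific account name. The SIDs are the three quoted in the message; the folder under %TEMP% is a constructed test path.

```powershell
# Added example: locale-independent ACL handling via well-known SIDs.
# SIDs are the ones quoted in the message; the labels are informational only.
$wellKnown = [ordered]@{
    'S-1-5-19'     = 'Local Service'
    'S-1-5-20'     = 'Network Service'
    'S-1-5-32-544' = 'Administrators'
}

# Resolve each SID to the account name this installation actually uses
# (e.g. "Netzwerkdienst" on a German system).
foreach ($s in $wellKnown.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($s)
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $name = '<not mapped on this system>'
    }
    '{0,-14} {1,-16} -> {2}' -f $s, $wellKnown[$s], $name
}

# Constructed test folder, standing in for "C:\testfolder" from the message.
$folder = Join-Path $env:TEMP 'testfolder-acl-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Equivalent of: icacls testfolder /grant *S-1-5-20:(OI)(CI)(F)
# The rule is built from the SID object, so no account name is ever parsed.
$networkService = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $networkService,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the explicit rules back as SIDs to confirm the grant without
# depending on the localized name.
(Get-Acl -Path $folder).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-20' } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```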