Thanks for the details, Rob. It sounds like from you write below that the
security issue exists regardless of whether the files are temporary, correct?
Any time you have an installer that writes files to a disk, then executes them
via a deferred custom action, the vulnerability owuld be there?
In our specific case, the files we're laying down on disk are the DirectX 9.0c
redist files we need, then we execute them at the end of our setup. It sounds
like some tweaks to SfxCA just might do the trick.
Neil
________________________________
From: Rob Mensching
Sent: Friday, May 16, 2008 2:36 AM
To: Neil Enns; wix-users@lists.sourceforge.net
Subject: RE: Temporary files in WiX?
There isn’t anything built into the Windows Installer that supports temporary
files during the install. Thus, you will need a Custom Action to manage the
temporary files. If you’re requiring these temporary files for consumption by
a deferred Custom Action then you have to be very, very careful to avoid an
elevation of privileges (because if the temporary files are placed in a
location writable by the user they could be modified before being executed
elevated).
The WiX toolset doesn’t currently have such a Custom Action but there is a new
Custom Action coming in the next build that might be helpful. If you chose to
write the Custom Action yourself, you can extra binary data out of the MSI
(such as the Binary table) and marshal it over to a deferred Custom Action (in
the CustomActionData property) and write it to a secure location before
executing it. Another option, and the Custom Action that was just added
tonight, is to create something of a “self-extracting DLL” that contains the
deferred Custom Action and all of the temporary files. When the deferred
Custom Action is executed it extracts the contained flies to a secure location
and then does its thing and cleans up when done (or maybe later need the end of
the InstallExecuteSequence). The new CA is called “SfxCA” but there isn’t much
documentation about using it by itself.
Anyway, it isn’t supported natively by MSI and the story isn’t complete in the
WiX toolset. A few people were asking about this same thing the other day so
if you end up with a nice solution it might be a nice thing to add to the WiX
toolset. Maybe just need to create a friendly extension on top of the SfxCA.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Neil Enns
Sent: Thursday, May 15, 2008 15:37
To: wix-users@lists.sourceforge.net
Subject: [WiX-users] Temporary files in WiX?
Is there such a thing as temporary files during a wix install? We’re shipping
some redist installers as part of our installer, and they only need to be on
the end user’s machine for the duration of install. What’s the right way in WiX
to indicate they’re temporary and should be cleaned up after install is
finished?
Thanks!
Neil
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
