Add permissions to a folder

Questions about WAPT Packaging / Requests and help regarding Wapt packages.
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Locked
User avatar
Gaetan
Messages: 169
Registration: August 8, 2019 - 10:16
Location: Toulouse

June 25, 2020 - 4:46 PM

Hello everyone,
During the installation of certain software, the end user will need permissions on the folder.
However, in a context where the user is not an administrator, this poses a problem.

The solution I use is as follows:
- a package that installs a PowerShell module (which is therefore made a dependency of the software)
- a script to change the permissions.

Rights are given on 1 specific folder, for authenticated users (can be changed by any other group).

The PowerShell module is NTFSSecurity, available here: https://gallery.technet.microsoft.com/s ... dbb2b84e85

The package used to install it contains this code:

Code: Select all

# -*- coding: utf-8 -*-
from setuphelpers import * 

uninstallkey = []

targetPWSH = makepath(programfiles,'WindowsPowerShell\Modules\NTFSSecurity')
folderPWSH = 'NTFSSecurity'

def install():

    #copie du module Powershell
    if (isdir(targetPWSH) != True) :
        mkdirs(targetPWSH)
        copytree2(folderPWSH,targetPWSH)
The PowerShell script used is as follows:

Code: Select all

#Autorisation d'accès au dossier pour les utilisateurs loggés
Install-Module NTFSSecurity
$Path = "CHEMIN DU DOSSIER POUR LES DROITS"

#Désactivation de l'héritage
Get-Item $Path | Disable-NTFSAccessInheritance
Add-NTFSAccess –Path $Path -Account "Utilisateurs authentifiés" -AccessRights FullControl
In the WAPT package, you simply need:
- To make your NTFSSecurity installation package a dependency,
- Place a .ps1 file with the PowerShell code at the top,
- Run the script in your def install() function with the command:

Code: Select all

run('powershell.exe -NoProfile -NonInteractive -executionpolicy bypass -File FICHIER.ps1')
Hopefully this helps.
High
nliaudat
Messages: 29
Registration: August 8, 2019 - 8:31 AM

June 25, 2020 - 5:05 PM

Or there's the good old iCalcs method:

#https://support.microsoft.com/fr-fr/hel ... ng-systems

Code: Select all

    print('Restricting permissions')
    run(r'icacls.exe "%s" /inheritance:d' % install_dir)
    run(r'icacls.exe "%s" /remove:g "*S-1-5-32-545" /t /c /q' % install_dir) #user
    run(r'icacls.exe "%s" /remove:g "*S-1-5-11" /t /c /q' %  install_dir) #authenticated user
    run(r'icacls.exe "%s" /remove:g "*S-1-5-1" /t /c /q' %  install_dir) #remote
    run(r'icacls.exe "%s" /remove:g "*S-1-1-0" /t /c /q' %  install_dir) #everybody
High
User avatar
Gaetan
Messages: 169
Registration: August 8, 2019 - 10:16
Location: Toulouse

June 26, 2020 - 09:18

Thanks for the info =)
Does it work well when inheritance is present?
High
nliaudat
Messages: 29
Registration: August 8, 2019 - 8:31 AM

June 26, 2020 - 09:42

Perfectly:

Code: Select all

  iCACLS.exe /inheritance:e|d|r
          e - Enable inheritance
          d - Disable inheritance and copy the ACEs 
          r - Remove all inherited ACEs
High
User avatar
Gaetan
Messages: 169
Registration: August 8, 2019 - 10:16
Location: Toulouse

June 26, 2020 - 09:53

Thanks so much.
I'll try that, it'll be simpler. ;)
High
User avatar
Gaetan
Messages: 169
Registration: August 8, 2019 - 10:16
Location: Toulouse

July 1, 2020 - 10:57

It works for me, thanks for the tip ;)

I used it like this:

Code: Select all

run(r'icacls.exe "%s" /inheritancelevel:d /grant *S-1-5-11:(M) /t /C /q' %  TargetLogiciel)
High
Locked

Return to “WAPT Packages”


  • To go further with WAPT