On Thu, May 15, 2014 at 8:35 AM, kmx <k...@atlas.cz> wrote:
> it says that PATH contains directories (c:\strawberry\c\bin
> c:\strawberry\perl\site\bin c:\strawberry\perl\bin) which are writable by
> too wide group of users (built-in Users or even Authenticated Users).
> I feel that our MSI should probably set some filesystem ACL on C:\strawberry
> (which is supported by WiX Toolset we use for MSI creation) but I am not
> sure what it should be (e.g. Administrators+SYSTEM/FullControl,
> Users/Read+Execute ?). Any ideas or preferably experiences with building MSI
> are welcome.
The problem is that if you set a more restrictive ACL, then you will
always need to run from an elevated shell to install additional
modules from CPAN. So you have to make a choice between convenience
and security. My personal opinion: setting a restrictive ACL makes
sense on a server, but not on a user's desktop.