Not familiar with MSI details but I hope any changes won't be a problem for SPP which is useful because it *doesn't* require special permissions---just enough to create the folder...
--Chris On Thu, May 15, 2014 at 1:25 PM, Jan Dubois <j...@activestate.com> wrote: > On Thu, May 15, 2014 at 8:35 AM, kmx <k...@atlas.cz> wrote: > > it says that PATH contains directories (c:\strawberry\c\bin > > c:\strawberry\perl\site\bin c:\strawberry\perl\bin) which are writable by > > too wide group of users (built-in Users or even Authenticated Users). > [...] > > I feel that our MSI should probably set some filesystem ACL on > C:\strawberry > > (which is supported by WiX Toolset we use for MSI creation) but I am not > > sure what it should be (e.g. Administrators+SYSTEM/FullControl, > > Users/Read+Execute ?). Any ideas or preferably experiences with building > MSI > > are welcome. > > The problem is that if you set a more restrictive ACL, then you will > always need to run from an elevated shell to install additional > modules from CPAN. So you have to make a choice between convenience > and security. My personal opinion: setting a restrictive ACL makes > sense on a server, but not on a user's desktop. > > Cheers, > -Jan >