While this is a great observation, I can't help question the severity of the
concern since:
1) There are about a dozen easier ways to own a Windows box
2) The elevated installation story is hardly used out in the real world.
It's certainly not used in the home space and in the corp space most shops
either a) don't lock down their environments or b) push out their installs with
elevated invocation through tools like SMS.
#2 is evidenced by the fact ( sadly ) that most packages aren't even authored
or tested to support the elevated story. Virtually nobody ( including
Microsoft who's own VDPROJ generates Impersonated Deferred CA's ) bothered to
care about the implications of the `saw tooth diagram` until UAC hit the
streets and even then most people were just looking for a way to get around it
or otherwise cope.
So fine, document the risk and let the person consuming the resource know he
should card against malicious code injection. But don't let that be a reason
for failing to provide a capability that other tools have provided for years.
Rob Mensching <[EMAIL PROTECTED]> wrote:
There isnt anything built into the Windows Installer that
supports temporary files during the install. Thus, you will need a Custom
Action to manage the temporary files. If youre requiring these temporary
files for consumption by a deferred Custom Action then you have to be very,
very careful to avoid an elevation of privileges (because if the temporary
files are placed in a location writable by the user they could be modified
before being executed elevated).
The WiX toolset doesnt currently have such a Custom Action but there is a
new Custom Action coming in the next build that might be helpful. If you chose
to write the Custom Action yourself, you can extra binary data out of the MSI
(such as the Binary table) and marshal it over to a deferred Custom Action (in
the CustomActionData property) and write it to a secure location before
executing it. Another option, and the Custom Action that was just added
tonight, is to create something of a self-extracting DLL that contains the
deferred Custom Action and all of the temporary files. When the deferred
Custom Action is executed it extracts the contained flies to a secure location
and then does its thing and cleans up when done (or maybe later need the end of
the InstallExecuteSequence). The new CA is called SfxCA but there isnt much
documentation about using it by itself.
Anyway, it isnt supported natively by MSI and the story isnt complete in
the WiX toolset. A few people were asking about this same thing the other day
so if you end up with a nice solution it might be a nice thing to add to the
WiX toolset. Maybe just need to create a friendly extension on top of the
SfxCA.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Neil Enns
Sent: Thursday, May 15, 2008 15:37
To: wix-users@lists.sourceforge.net
Subject: [WiX-users] Temporary files in WiX?
Is there such a thing as temporary files during a wix install? Were shipping
some redist installers as part of our installer, and they only need to be on
the end users machine for the duration of install. Whats the right way in WiX
to indicate theyre temporary and should be cleaned up after install is
finished?
Thanks!
Neil
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
