Inno Setup and Permissions for non-admins: everyone, users, or authusers?

11,888

You're going the wrong way! Don't store your application data under %PROGRAMFILES%! Use the directory which is intended for this: CSIDL_APPDATA

Consult Microsoft if you want more information about the security identifiers.

Author: MarcoB

Developer at Micrologus.com Musician Training Center software

Updated on June 04, 2022

Comments

  • MarcoB
    MarcoB over 1 year

    Should I give "modify" permissions to 'everyone' or 'users' or 'authusers' if, under UAC, I want to make data folders and files writable to non-admin users of the program?

    Basically, I want everyone who can sit at the computer to be able to read/write the data through the program. I've also read that using 'everyone' for modify permission can open a security hole over the network. What is the difference between everyone, users, and authusers? What are the security implications?

    Implementation details for InnoSetup follow:

    Using InnoSetup, I install an EXE in a standard Program Files subfolder, and a Data subfolder within it, like this:

    C:\Program Files\My Prog\Prog.exe
    C:\Program Files\My Prog\Data\MyData.dat

    Now, to make it so that MyData.dat can be modified by Prog.exe even if Prog.exe is launched by a non-admin user, I give "modify" permissions to the subfolder "Data" with this line:

    [Dirs]  
    Name: "{app}\Data"; Permissions: everyone-modify;  
    ;This is the question: should I use users or authusers instead of everyone?  
    
    [Files]  
    Source: "MyProg.exe"; DestDir: "{app}"; Flags: replacesameversion;  
    Source: "MyData.dat"; DestDir: "{app}\Data"; Flags: replacesameversion; 
    

    This question is similar to 2686918 but I didn't find enough info there about the types of permissions, hence this new one. I'll update that question after clarifying this one.

    InnoSetup in particular defines these groups:

    • admins Built-in Administrators group
    • authusers Authenticated Users group
    • everyone Everyone group
    • powerusers Built-in Power Users group
    • system Local SYSTEM user
    • users Built-in Users group

    Which of those is the nearest to "any user who is sitting at the machine, admin, non-admin, or whatever, but nobody who is accessing the machine from networks"?
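
An added example, not part of the original question or answer: the asker's script reworked along the lines the answer suggests, with the writable data moved out of Program Files. It assumes the data is shared between accounts, so it uses Inno Setup's machine-wide {commonappdata} rather than the per-user {userappdata} that corresponds to CSIDL_APPDATA; the [Setup] values and the onlyifdoesntexist and uninsneveruninstall flags are illustrative choices.

```iss
; Added example, not the asker's script.
; Assumption: one data file shared by every local account, hence
; {commonappdata} (machine-wide) and not {userappdata} (per user).

[Setup]
AppName=My Prog
AppVersion=1.0
DefaultDirName={pf}\My Prog
; Setup runs elevated, so {app} keeps the default Program Files ACL:
; standard users can read and execute, only administrators can write.
PrivilegesRequired=admin

[Dirs]
; Before (from the question): a user-writable folder under Program Files.
;   Name: "{app}\Data"; Permissions: everyone-modify
;
; After: the only user-writable location is the data folder outside {app}.
; Well-known SIDs behind the three candidates:
;   everyone  = Everyone            (S-1-1-0), also covers the Guest account
;   authusers = Authenticated Users (S-1-5-11), any authenticated logon
;   users     = BUILTIN\Users       (S-1-5-32-545), local group whose default
;               members include Authenticated Users and INTERACTIVE
; None of the three is limited to interactive logons. An NTFS grant only
; matters over the network if the folder is reachable through a share.
Name: "{commonappdata}\My Prog"; Permissions: users-modify

[Files]
; The executable inherits the admin-only write access of {app}.
Source: "MyProg.exe"; DestDir: "{app}"; Flags: replacesameversion
; Seed data is copied only when absent, so an upgrade does not overwrite
; what users have saved, and uninstall leaves it in place.
Source: "MyData.dat"; DestDir: "{commonappdata}\My Prog"; Flags: onlyifdoesntexist uninsneveruninstall
```

With this layout Prog.exe has to open MyData.dat from the common application data folder instead of from its own installation directory.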