set root directory permissions on MSI install (kolide#1978)

RebeccaMahany · Dec 5, 2024 · a763112 · a763112
1 parent 3c86480
commit a763112
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 5 deletions.
diff --git a/pkg/packagekit/assets/main.wxs b/pkg/packagekit/assets/main.wxs
@@ -27,6 +27,12 @@
 	InstallPrivileges="elevated"
 	Languages="1033" />
 
+    <!-- these allow us to reference the localized user values for e.g. SYSTEM, BUILTIN\Users.
+          see https://wixtoolset.org/docs/v3/customactions/osinfo/ for additional details/options -->
+    <PropertyRef Id="WIX_ACCOUNT_LOCALSYSTEM" />
+    <PropertyRef Id="WIX_ACCOUNT_ADMINISTRATORS" />
+    <PropertyRef Id="WIX_ACCOUNT_USERS" />
+
     <!-- This holds the files generated by heat -->
     <Media Id='1' Cabinet="go.cab" EmbedCab="yes" CompressionLevel="high" />
 
@@ -40,10 +46,19 @@
     -->
     <Directory Id="TARGETDIR" Name="SourceDir">
       <Directory Id="$(var.Program_Files)">
-	<Directory Id="PROGDIR" Name="Kolide"/>
+        <Directory Id="PROGDIR" Name="Kolide"/>
       </Directory>
       <Directory Id="CommonAppDataFolder">
-	<Directory Id="DATADIR" Name="Kolide"/>
+	    <Directory Id="DATADIR" Name="Kolide">
+            <Component Id="RootDirPermissions" Guid="{{.PermissionsGUID}}">
+              <CreateFolder>
+                <!-- see https://wixtoolset.org/docs/v3/xsd/wix/permission/ for additional details -->
+                <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"/>
+                <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"/>
+                <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="yes" GenericExecute="yes"/>
+              </CreateFolder>
+            </Component>
+        </Directory>
       </Directory>
     </Directory>
 
@@ -72,6 +87,7 @@
 	Display="hidden">
       <ComponentGroupRef Id="AppFiles" />
       <ComponentGroupRef Id="AppData" />
+      <ComponentRef Id="RootDirPermissions" />
     </Feature>
 
     <Feature

diff --git a/pkg/packagekit/package_wix.go b/pkg/packagekit/package_wix.go
@@ -80,13 +80,17 @@ func PackageWixMSI(ctx context.Context, w io.Writer, po *PackageOptions, include
 	}
 
 	var templateData = struct {
-		Opts        *PackageOptions
-		UpgradeCode string
-		ProductCode string
+		Opts            *PackageOptions
+		UpgradeCode     string
+		ProductCode     string
+		PermissionsGUID string
 	}{
 		Opts:        po,
 		UpgradeCode: generateMicrosoftProductCode("launcher" + po.Identifier),
 		ProductCode: generateMicrosoftProductCode("launcher"+po.Identifier, extraGuidIdentifiers...),
+		// our permissions component does not meet the criteria to have it's GUID automatically generated - but we should
+		// ensure it is unique for each build so we regenerate here alongside the product and upgrade codes
+		PermissionsGUID: generateMicrosoftProductCode("launcher_root_dir_permissions"+po.Identifier, extraGuidIdentifiers...),
 	}
 
 	wixTemplate, err := template.New("WixTemplate").Parse(string(wixTemplateBytes))