locked
Files created in VFS by the user have read only permissions RRS feed

  • Question

  • Hello,
    I am currently packaging an application : let's call it 'myapp'. This application is installed in c:\Program Files\myapp (quite classical).
    To run properly, the application needs to have Write Access to c:\Program Files\myapp.
    I am packaging the application with the APPV5 Sequencer SP3 and I checked the option "Allow virtual applications full write permissions to the virtual file system".
    When running the application with APPV5 Client SP3, I see files been created in "C:\Users\%username%\AppData\Local\Microsoft\AppV\Client\VFS\<packageid>\ProgramFilesX64\myapp" and so everything seems to work correctly. The permissions on those files are set to Full Control for the user who has launched the application.
    What I also did is creating 'RunVirtual' registry key in order to run Microsoft Word in the Virtualized Environment of 'myapp' and this works fine also : when I launch WORD, I can save a document in "C:\Program Files\myapp" and this document appears in "C:\Users\%username%\AppData\Local\Microsoft\AppV\Client\VFS\<packageid>\ProgramFilesX64\myapp".
    The strange thing is that the permissions on this DOC file are not the same as the ones set on the other files in the same folder : in fact, the DOC file permissions are set to "Everyone, Read - Read and Execute" (with also permissions the Trusted Installer, Administrators, etc...). So actually, the user who saved the files can never modify it after. This should not be important because it is not a usual location to save Word document but actually, the application itself launches automatically Word to perform some document automation tasks and save temporary files in this location. So when this file has been created once, it cannot never be reused or deleted. This is causing troubles for the application.
    Any idea to force the Full Control permissions on these files ?
    Thanks in advance
    Olivier
    Thursday, April 16, 2015 7:44 AM

Answers

  • Hello,
    After spending a lot of times, i decided to give up with APPV for this application and to install the application from a script launched at the startup of the server. I have tried several solutions, including a powershell script launched from the deployment.config file but I encountered other problems with the "Import-Module NTFSSecurity" and "Import-Module AppvClient" in the PS Script probably because the script is launched with the System account.
    Thanks for your help anyway
    Wednesday, April 22, 2015 7:30 AM

All replies

  • Interesting, I can say I've never seen that, likely due to the fact like you say yourself, it would be unusual to save something to that directory, also most applications these days no longer write to directories other than in C:\ProgramData or in the users own profile.

    I'm honestly not sure of a good way to force that in this situation, unless, perhaps you have a UEM soluion like AppSense. You could have a Powershell script run through the package store and check permissions on the files and then set the persmissions according to the way you want using something like iCacls, SecEdit, SetACL or maybe using Get-ACL and Set-ACL in Powershell...there's a few different methods for doing this, you could pick the one that suits you best.

    If you don't have a UEM solution capable of this, maybe you could use some scripting in your App-V package itself, either on launch or perhaps process exit, you could run a script to do this. It may be better on process exit as it may slow launch times...but it's also better for a script which may take quite a while to process like this to be run outside of any launch or exit, to be honest


    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    Thursday, April 16, 2015 3:08 PM
  • Hello,
    After spending a lot of times, i decided to give up with APPV for this application and to install the application from a script launched at the startup of the server. I have tried several solutions, including a powershell script launched from the deployment.config file but I encountered other problems with the "Import-Module NTFSSecurity" and "Import-Module AppvClient" in the PS Script probably because the script is launched with the System account.
    Thanks for your help anyway
    Wednesday, April 22, 2015 7:30 AM