 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 28/07/2010 17:24, scott wrote:
>> I see many programs that install without admin rights.
>
> That is not approved by MS though (hence they won't pass the Windows Logo
> tests, binaries won't be protected, it could go all screwy if the user
> profile is on a network resource, the installer might not work with
> future Windows updates/versions, etc).
Since you're such an expert, I suggest you write to the Windows Installer
Team and tell them that they ought to stop promoting this sort of behavior
then:
----------------------------------------------
Question: Can a non-admin user run an msi?
Answer: If you only install to locations where non-admins users have
privileges, then the answer is easy: yes.
If you install to locations such as program files or HKLM, then the answer
is -- they can with MSI if the package has been blessed by an admin to run
elevated. Otherwise attempts by the non-admin to write to program files are
going to fail. And additionally, a package can't self-elevate -- that would
be a security issue.
For the latter case, consult the documentation on MSDN: Installing a
Package with Elevated Privileges for a Non-Admin. This is basically what
Group Policy and SMS are for.
------------------------------------------------
This is at
http://blogs.msdn.com/b/windows_installer_team/archive/2005/08/01/451337.aspx,
and is what I've been saying all along: group policy sets install policy.
Here's some more info on installation, not that I expect you to read it as
you're already an expert, but for others following the thread it may be of
interest:
http://msdn.microsoft.com/en-us/library/Aa369519
http://support.microsoft.com/kb/259459
http://forum.installsite.net/index.php?showtopic=6753
I'll also refer to this Microsoft documentation page:
http://msdn.microsoft.com/en-us/library/aa369784.aspx
and in particular to this:
http://msdn.microsoft.com/en-us/library/aa368304.aspx
which documents how administrators may use group policy to prevent
installation of non-elevated software (such as POV-Ray's MSI) but still
allow elevated installs, and this:
http://msdn.microsoft.com/en-us/library/aa368309.aspx
which allows the admin to block per-user installs (which again applies to
POV-Ray's MSI).
Fundamentally, your accusation that we somehow are conspiring to bypass
admin control of corporate systems is nonsense. If we wanted to do that, we
would definitely NOT use the MSI install system, as it's designed
explicitly to provide such controls.
-- Chris
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 28/07/2010 19:21, scott wrote:
>> I challenge you to find a *current* Microsoft installation standard that
>> states that users without admin rights *may not install software at all*.
>
> See the link to the PDF I posted already. It clearly states that
> applications should be installed in to "Program Files" by default. The POV
> installer does not do this.
You avoided answering the question. I asked you to show me something that
says non-elevated installs 'may not install software at all', you answered
with something about 'program files'. This is not the same thing.
I'll ask you again: find me a document that - as you claim - explicitly
states that it is wrong for a MSI setup to not require admin privileges.
-- Chris
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
>>> I challenge you to find a *current* Microsoft installation standard that
>>> states that users without admin rights *may not install software at
>>> all*.
>>
>> See the link to the PDF I posted already. It clearly states that
>> applications should be installed in to "Program Files" by default. The
>> POV
>> installer does not do this.
>
> You avoided answering the question. I asked you to show me something that
> says non-elevated installs 'may not install software at all', you answered
> with something about 'program files'. This is not the same thing.
Obviously msi installers can install software without admin rights (as POV
does), so such a document won't exist. However to install to the correct
location (Program Files) it seems you do need admin rights, which is why
normally when you install a program without admin rights it asks you for
them.
Contrary to your belief, I am not an expert at writing installers (nor do I
wish to become one), I am just a user who is wondering why POV feels the
need to be different to other installers. Why can't it just install
"normally" like every other piece of software I use?
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Le 28/07/2010 12:01, scott nous fit lire :
> Contrary to your belief, I am not an expert at writing installers (nor
> do I wish to become one), I am just a user who is wondering why POV
> feels the need to be different to other installers. Why can't it just
> install "normally" like every other piece of software I use?
It's not because you are used to 'old' pieces software which did in fact
offer no choice (back to the W3.1/W95/... time) but to install in
'Program Files' (sometime even hard-coded, so when installing on foreign
windows version, you still end up with some in C:\Program Files\,
despites a translated name does exist), that such bad behaviour must
continue.
Recommendations for installation (*) are now to offer a system/user only
installation (well, the choice might be implicit by the right the
running user has or has not). For system wide installation, Program
Files is fine; but for user-only, it should end in the user's folder.
(*): I would have to cite msdn website and the various certification
programs (I'm more familiar with the pain of making drivers for windows,
especially to now have them install in x86_64 & Itanium with all the new
mandatory cryptography, but the unpriviledged software has also its
certification paths, if you want to apply to that kind of label).
Could you please provide a list of your other pieces of software that
you use ? (so I can check if they are not out-dated / non-conformant by
themselves to the installation rules for 7/Vista/2008/2008R2/XP ? They
might very well be designed for older windows)
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 28/07/2010 20:01, scott wrote:
> Obviously msi installers can install software without admin rights (as POV
> does), so such a document won't exist. However to install to the correct
> location (Program Files) it seems you do need admin rights, which is why
> normally when you install a program without admin rights it asks you for
> them.
Yes, and as Microsoft recommends (in fact, *pushes*) authors to write
installers that do NOT require admin rights, POV-Ray chooses to install
outside of program files by default.
> wish to become one), I am just a user who is wondering why POV feels the
> need to be different to other installers. Why can't it just install
> "normally" like every other piece of software I use?
Your prior comments implying we were assisting users in bypassing corporate
security restrictions seemed to me to be more than a user who was wondering
about the install location. You were outright rude.
Many programs to this day still stick with the old program files location,
even if it means getting a UAC prompt. One of the most hated features of
Vista was the constant unneeded UAC prompts. We chose to create an
installer that was UAC-prompt free. It installs smoothly and without
hassle. In other words, it gives the *majority* of users a better experience.
If, however, a user wishes to install the 3.7 beta to \program files, they
are quite welcome to. It's simple:
Run it without elevation and it defaults to the user profile dir.
[This makes sense as they can't install to program files.]
Run it with elevation and they are offered an option to install as one
user or for all users. If they choose all users, it installs to
\program files.
[This make sense since as an elevated install, they are given the option]
I don't see why this is so much of an issue to you. If you don't like the
place it installs, why not run it with elevation and be done with it,
instead of whining here and accusing us of nefarious intentions?
-- Chris
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
> Your prior comments implying we were assisting users in bypassing
> corporate
> security restrictions seemed to me to be more than a user who was
> wondering
> about the install location. You were outright rude.
Sorry if it appeared rude, it wasn't my intent, my comments were in response
to the post about allowing students to bypass security restrictions and
people installing it in their lunch hour.
> Run it without elevation and it defaults to the user profile dir.
> [This makes sense as they can't install to program files.]
Is this recommended from MS? Other programs seem to ask for admin rights if
you run them as non-admin.
> Run it with elevation and they are offered an option to install as one
> user or for all users. If they choose all users, it installs to
> \program files.
> [This make sense since as an elevated install, they are given the option]
Any reason why the default isn't in to program files in this case?
> I don't see why this is so much of an issue to you.
Just trying to understand why POV feels the need to be different to what
most people have grown to expect.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 28/07/2010 11:35 AM, Chris Cason wrote:
> Your prior comments implying we were assisting users in bypassing corporate
> security restrictions seemed to me to be more than a user who was wondering
> about the install location. You were outright rude.
To calm it down a bit, I thought it was me that Scott was having a pop
at, not the PovRay development team. I understood his post to mean that
being able to install without admin rights was not there so I could use
PovRay on a work machine.
Although it is very handy that I can on a lot of machines. I move around
from company to company in my work and although there are a few
companies that lock their machines down so tight that you almost need a
password to open the CD drive. Most are content not to give you admin
about companies where you need security clearance to work.
--
Best Regards,
Stephen
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
> Is this recommended from MS? Other programs seem to ask for admin
> rights if you run them as non-admin.
Does this make them right and us wrong? Or are we just ahead of the curve
for wanting to provide a better end-user experience? The fact is most end
users don't care where the software sits, as long as when they click the
launch icon, it starts. UAC prompts are annoying and unnecessary for most
cases. If POV doesn't need admin rights to run, it shouldn't need them to
install, except in the case for an 'all users' installation.
The fact is Microsoft are moving away from the 'central installation
location' model. We have chosen to deal with that rather than fight it as I
don't want to have to re-write the installer in two years time. This is
volunteer work and I simply don't have the time or inclination.
I'm not saying my choice of exact default install location is right or
wrong. I am saying that my choice to install outside of program files - for
our application and in non-all-users mode - is neither incorrect nor
against proper practices.
The fact is Microsoft has left the 'proper' place for such installs to be
rather nebulous. Possibly I might change to the compatibility folder
location for program files, which would make it *look* like it's in program
files, even though it actually isn't ...
FYI if you look at Microsoft's 'Click Once' installation mechanism (which
is an alternative to MSI's for certain types of applications), you'll see
that they don't install into Program Files at all:
http://msdn.microsoft.com/en-us/library/142dbbz4%28VS.90%29.aspx
Quote:
The application is added to the user's Start menu and to the Add or
Remove Programs group in the Control Panel. Unlike other deployment
technologies, nothing is added to the Program Files folder, the
registry, or the desktop, and no administrative rights are required for
installation
This is the way they are pushing the industry, because the old model of
stuffing things into the registry and common file locations has shown, over
the years, that it is a liability. (We still use the registry, but
we aren't dependent on it - it's possible to run POV-Ray for Windows
without any registry entries, using the 'inferred install location' feature).
> Any reason why the default isn't in to program files in this case?
Just because someone is running elevated doesn't mean they want to install
for all users. It's not too hard to click the 'all users' radio button is
it? Sure, I could change the default, but is it such a big deal?
> Just trying to understand why POV feels the need to be different to what
> most people have grown to expect.
LOL, so we should stay the same forever? Expectations change, Microsoft is
driving this change, and as per usual, developers such as myself have to
take the flack from end-users who want to complain about it. It took me
some time to get around to fixing the installer so it worked under vista
*at all* (this was a total re-write using a new tool), so having done it
once, I don't want to do it again.
The fact is the installation model for windows is changing, if you don't
like it then by all means keep using outdated software or just don't use
POV-Ray.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Just a followup for reference in case this issue comes up again: I have
come across an article referencing some of the issues raised in this thread
with respect to Windows Installer 5.0, which has explicit support for
dual-mode installs (at least for windows 7 and higher).
http://msdn.microsoft.com/en-us/library/dd408068%28VS.85%29.aspx
This at least makes it easier for me to cater for both scenarios.
Microsoft has also apparently realized that it was a bit confusing not to
have defined a program files equivalent under the user's profile, so now
there is one: by default, it's C:\Users\<username>\AppData\Local\Programs
(see the above article for reference to this, where they state "When a user
installs the dual-purpose package on Windows 7 or Windows Server 2008 R2
using the per-user context, these components are saved in the Programs
folder of the current user (for example at %LocalAppData%\Programs) and can
be accessed only by that user.")
I think that pretty much answers the 'where to put it' issue for non-admin
installs, as this is now an officially 'blessed' location (and in AppData
to boot). While the above support only applies to Windows 7/Server 2008,
the location itself can be created (if it doesn't already exist) under
Vista by the installer itself.
I suspect it should also put to rest the complaints (I will point out that
this is not by any means the first thread complaining about the install
location) of any who have claimed that AppData is not for executable files
and/or that I eat babies for breakfast because I chose to use it rather
than good ol 'c:\program files'.
(Did I mention I also got roasted by another group of expert users for
moving to c:\program files from c:\povray when Windows 95 was introduced?
Deja vu. Hopefully this won't happen again in another 15 years. No, I'm not
bitter at all. Not in the least. Just jaded :-)
-- Chris
PS FWIW a little research shows that Google got blasted by users for doing
a similar thing with Chrome and Google Talk. So at least I'm not alone.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
"Chris Cason" <del### [at] deletethistoo povrayorg> schreef in
bericht news:4c50e88b@news.povray.org...
> (Did I mention I also got roasted by another group of expert users for
> moving to c:\program files from c:\povray when Windows 95 was introduced?
> Deja vu. Hopefully this won't happen again in another 15 years. No, I'm
> not
> bitter at all. Not in the least. Just jaded :-)
Keep up the good work, Chris, we are behind you :-)
Thomas
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
|
|
