MSI installer strips inherited "ALL APPLICATION PACKAGES" ACE from install directory
Description
The Windows MSI installer sets an explicit DACL on C:\Program Files\nodejs via the SetInstallDirPermission component in product.wxs, which replaces the inherited ACL from C:\Program Files. This removes the ALL APPLICATION PACKAGES (SID S-1-15-2-1) ACE that is normally inherited by all subdirectories under C:\Program Files.
Current behavior
The WiX <Permission> element maps to the MSI LockPermissions table, which replaces the entire DACL rather than merging with inherited ACEs. The current configuration only grants access to four principals:
You can verify this by comparing the ACLs:
# Other Program Files subdirectories have ALL APPLICATION PACKAGES
icacls "C:\Program Files\dotnet"
# ... APPLICATION PACKAGES:(OI)(CI)(RX) ...
# Node.js does not
icacls "C:\Program Files\nodejs"
# Only shows Users, Authenticated Users, Administrators, SYSTEM
Expected behavior
The nodejs directory should have the same ALL APPLICATION PACKAGES read/execute ACE that other C:\Program Files subdirectories inherit, allowing AppContainer-sandboxed processes to access Node.js.
Impact
Processes running in an AppContainer sandbox (e.g., UWP apps, sandboxed browser processes, and other packaged applications) cannot read or execute files under C:\Program Files\nodejs. This can cause failures when sandboxed processes need to invoke node.exe or resolve Node.js modules.
Suggested fix
Replace the <Permission> elements (which use the LockPermissions table and replace the DACL) with <PermissionEx> using an SDDL string that includes the ALL APPLICATION PACKAGES SID, or add a <Permission> entry for ALL APPLICATION PACKAGES. For example, using SDDL:
Where AC is the well-known SDDL abbreviation for ALL APPLICATION PACKAGES (S-1-15-2-1).
Environment
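An added example, not part of the original issue or the Node.js installer source: a Python check that parses the DACL in an SDDL string and reports whether ALL APPLICATION PACKAGES is allowed read/execute on the directory itself and, through OI+CI inheritance, on everything below it. The two sample SDDL strings are constructed, and access_mask and appcontainer_rx are hypothetical helper names; deny ACEs and conditional ACEs are not evaluated.

```python
import re

AC = {"AC", "S-1-15-2-1"}  # ALL APPLICATION PACKAGES: SDDL alias and SID
READ_EXECUTE = 0x1200A9    # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, icacls "(RX)"
# SDDL rights abbreviations handled here; any other abbreviation raises KeyError.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# Generic bits mapped to the file-specific masks they stand for.
GENERIC = {0x10000000: 0x1F01FF, 0x80000000: 0x120089,
           0x40000000: 0x120116, 0x20000000: 0x1200A0}

# Constructed samples modelled on the four principals the issue lists.
BEFORE = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1200a9;;;AU)"
AFTER = BEFORE + "(A;OICI;0x1200a9;;;AC)"


def access_mask(rights):
    """Convert an SDDL rights field (hex or abbreviations) to a file access mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for abbr in re.findall("..", rights):
            mask |= RIGHTS[abbr]
    for generic, specific in GENERIC.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def appcontainer_rx(sddl):
    """Return (on_dir, on_children) for allow ACEs naming ALL APPLICATION PACKAGES."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    on_dir = on_children = 0
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A" or fields[5] not in AC:
            continue
        flags, mask = set(re.findall("..", fields[1])), access_mask(fields[2])
        if "IO" not in flags:            # inherit-only ACEs skip the directory itself
            on_dir |= mask
        if {"OI", "CI"} <= flags:        # inherited by files and subdirectories
            on_children |= mask
    return ((on_dir & READ_EXECUTE) == READ_EXECUTE,
            (on_children & READ_EXECUTE) == READ_EXECUTE)


if __name__ == "__main__":
    for name, sddl in (("before", BEFORE), ("after", AFTER)):
        print(name, appcontainer_rx(sddl))
```

On an installed machine, the SDDL of a directory can be read in PowerShell with (Get-Acl 'C:\Program Files\nodejs').Sddl and passed to appcontainer_rx.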