[tex-live] Windows: admin installed vs non-admin installed

Lars Madsen daleif at math.au.dk
Thu Jan 29 17:21:40 CET 2015

I had a chat with one of the Windows admins. ACL is the way to go, I think they are going to control it via AD somehow.

I did a test on a standalone win7 just to test it.

The key group is the pseudo group "Authenticated users"; on my Win7 it has the same permissions as "Users" plus "Allow Write". Removing that "Allow write" is a bit hairy (note that using "Deny write" is not a good idea, as then even admin cannot change the files), but here is how I did it in a virtual Win7, just as a reference for others:

right click on c:\texlive, properties, security

Choose "Authenticated users"

Hit the "Advanced" button

Under the "permissions" tab, again choose "Authenticated users", also remove the tick mark under "Include inheritable permissions from object's parent" (otherwise we cannot edit it)

now press "Change permissions"

Again choose "Authenticated users" and press "Edit"

For my test I gave "Allow" to the following entries

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

Hit OK/Apply all the way back out.

Now tlmgr can only be executed via run as admin or via an admin DOS prompt; normal users get a read-only error.

Seems to be a good solution for computer labs.

/Lars Madsen
Institut for Matematik / Department of Mathematics
Aarhus Universitet / Aarhus University
Mere info: http://au.dk/daleif@imf / More information: http://au.dk/en/daleif@imf

From: tex-live [tex-live-bounces at tug.org] on behalf of Siep Kroonenberg [siepo at cybercomm.nl]
Sent: 28 January 2015 16:04
To: tex-live at tug.org
Subject: Re: [tex-live] Windows: admin installed vs non-admin installed

On Tue, Jan 27, 2015 at 03:16:03PM +0000, Lars Madsen wrote:
> Just playing around on windows (7) a bit.
> I noticed that if I install TL14 with admin rights (run as admin), then a non privileged user cannot start the manager via the start menu
> However, they can use tlmgr from the command line just fine to install extra packages, and they go directly into the C:/texlive/2014/texmf-dist

Yes, this is a loophole. The UAC prompt was only intended for
accidental mishaps, but I can understand that for a computer lab it
is not good enough.

Look at the icacls command-line utility to set the ACL (access
control list) for the TL directory.

Siep Kroonenberg
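
The ACL change described in the message above, done with the icacls utility that the quoted reply points to, followed by a check that no write access is left. This is an added example, not part of the original thread; it assumes the C:\texlive path from the post, an elevated PowerShell prompt, and that the inherited entries are copied (not discarded) when inheritance is switched off. The helper name Invoke-Icacls is made up for this example.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# Assumption: TeX Live is installed under C:\texlive, as in the post.
$TexRoot   = 'C:\texlive'
# Well-known SID of "Authenticated Users"; the SID works on localized Windows too.
$AuthUsers = 'S-1-5-11'

# Hypothetical helper: run icacls and stop on the first failure.
function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Stop inheriting from the parent, keeping a copy of the inherited entries
#    (same as unticking "Include inheritable permissions" and choosing to copy).
Invoke-Icacls @($TexRoot, '/inheritance:d')

# 2. Remove the Allow entries for Authenticated Users. This is a removal of the
#    grant, not a Deny entry, so administrators are unaffected.
Invoke-Icacls @($TexRoot, '/remove:g', "*$AuthUsers")

# 3. Give the group read and execute only, inherited by subfolders (CI) and
#    files (OI). (RX) covers the five entries ticked in the GUI procedure.
Invoke-Icacls @($TexRoot, '/grant', "*${AuthUsers}:(OI)(CI)(RX)")

# 4. Verify: no Allow entry for Authenticated Users may carry a write-type right.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rules = (Get-Acl -Path $TexRoot).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$leftover = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $AuthUsers -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeBits) -ne 0
})

if ($leftover.Count -gt 0) {
    $leftover | Format-List IdentityReference, FileSystemRights, IsInherited
    throw "Authenticated Users can still write to $TexRoot"
}
"OK: Authenticated Users have read/execute only on $TexRoot"
```

The check reads only the ACL on the top-level folder; files or subfolders that carry their own explicit entries would need the same inspection.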
