win,msi: set install directory permission

Explicitly set permission for Windows install directory.

Refs: https://hackerone.com/reports/1211160
PR-URL: nodejs-private/node-private#269
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Rich Trott <[email protected]>

Author: kumarak

tools/msvs/msi/product.wxs

@@ -46,6 +46,13 @@
     <Property Id="ApplicationFolderName" Value="nodejs"/>
     <Property Id="WIXUI_INSTALLDIR" Value="INSTALLDIR"/>
 
+    <!-- PropertyRef of the account users for setting InstallDir permission explicitly -->
+    <Property Id="AUTHENTICATED_USERS" Value="Authenticated Users"/>
+
+    <PropertyRef Id="WIX_ACCOUNT_LOCALSYSTEM" />
+    <PropertyRef Id="WIX_ACCOUNT_USERS" />
+    <PropertyRef Id="WIX_ACCOUNT_ADMINISTRATORS" />
+
     <Property Id="INSTALLDIR" Secure="yes">
       <RegistrySearch Id="InstallPathRegistry"
                       Type="raw"
@@ -73,6 +80,7 @@
       <ComponentRef Id="NodeStartMenu"/>
       <ComponentRef Id="AppData" />
       <ComponentRef Id="InstallToolsBat" />
+      <ComponentRef Id="SetInstallDirPermission" />
       <ComponentGroupRef Id="Product.Generated"/>
 
       <Feature Id="NodeEtwSupport"
@@ -93,6 +101,7 @@
       <ComponentRef Id="NpxBashScript"/>
       <ComponentRef Id="NpmConfigurationFile"/>
       <ComponentRef Id="AppData" />
+      <ComponentRef Id="SetInstallDirPermission" />
       <ComponentGroupRef Id="NpmSourceFiles"/>
     </Feature>
 
@@ -169,6 +178,20 @@
       <?endif?>
     </DirectoryRef>
 
+    <DirectoryRef Id="INSTALLDIR">
+      <!-- Create component for setting the install directory permission explicitly -->
+      <Component Id="SetInstallDirPermission" Guid="{EFFC4F74-183A-4237-BBD7-0CAD2B950053}">
+        <CreateFolder>
+          <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="yes" Traverse="yes" GenericExecute="yes" Synchronize="yes"
+                      GenericWrite="no" WriteAttributes="no" WriteExtendedAttributes="no"/>
+          <Permission User="[AUTHENTICATED_USERS]" GenericRead="yes" Traverse="yes" GenericExecute="yes" Synchronize="yes"
+                      GenericWrite="no" WriteAttributes="no" WriteExtendedAttributes="no"/>
+          <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"/>
+          <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"/>
+        </CreateFolder>
+      </Component>
+    </DirectoryRef>
+
     <DirectoryRef Id="ApplicationProgramsFolder">
       <Component Id="NodeStartMenu">
         <!-- RegistryValue needed because every Component must have a KeyPath.