Update fails on some machines (SeSecurityPrivilege)

Hi,

I'm using wyUpdate in one of our products and in general it works fine. But on some rare occasions the automatic update fails.

Specifically I had a customer today that got the error message "The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation." (actually he got a localized version of this string but I think the English is more useful for you).

Some details about the machine and other relevant parts:

- running Windows XP (Professional with SP3 installed he said, but I didn't check that)
- the program is installed on a mapped network drive (no UNC path)
- the logged on user has admin privileges (but according to our customer he also tried to update with the "original" admin user logged on with the same result)
- as far as I know the updater does not prompt for any elevation (not 100% sure about this since I didn't see the error occurring live)
- wyUpdate version was 2.6.14
- manual update (aka copy and paste of the files) is working fine

I didn't want to bother our customer with getting more information about the updater error so I directly installed the update manually. Hope the given information still is enough for reproducing this error.

Then I had two other update errors but that's more than a year ago so I don't have that many details about it.

The first one is an error message that says "Attempted to perform an unauthorized operation." That was on an XP machine too. Unfortunately I don't have any further details about this. Don't know if elevation was prompted before updating or not.

Then I had another case with the SeSecurityPrivilege error message. In that case the program was installed in a Citrix server environment and the client machine was on Windows XP.

I found some other threads about the SeSecurityPrivilege error and apparently this should have been fixed. What could this be?

Hope you can reproduce and fix this error. Thanks in advance!

- Andreas

Hey Andreas,

This error is always caused by a user given some minor folder permissions, bypassing the normal elevation sequence that wyUpdate takes, and then seeing this error.

The error is caused by wyUpdate being unable to set the ACL settings for files & folders.

The solution is to do one of 2 things:

  1. Use a real admin user to install the updates (and not a partially elevated user or a user with special permissions).
  2. Install your app to a folder the user has full control over (e.g. %appdata%, Desktop, etc.)

Hey Sam,

thank you for this information. So you say this is not a bug in the updater but a misconfiguration of the user account.

But then it's hard for me to explain to an ordinary end-user why the automatic update fails while he can copy and "update" the files manually. From a technical point of view I understand why the update fails but the user doesn't.

Well, I'll inform the user about this problem and hope his administrator can fix the user permissions.

But then it's hard for me to explain to an ordinary end-user why the automatic update fails while he can copy and "update" the files manually.

The problem is whoever gave only partial elevation to a user. It seems like a good idea but is always harder than it seems. For instance, you have a simple case where you're only updating some files and you only run into the ACL error (that is, the limited user doesn't have read/write permissions on ACL for files and folders).

But the problem of an admin giving "faux admin" permissions to a limited user has much larger problems. Registry, starting & stopping services, executing exes with an admin privilege, registering COM dlls, etc, etc, etc.

The short answer is that administrators shouldn't try to make an admin out of a limited user unless they understand all the subtleties.

That sounds logical, yes.

Does the updater check if the user has permissions to write to the ACL? Because for me it looks like it doesn't because there was no prompt for elevation. So for the user it seems like the update should succeed.

Anyway, I'll try to make some tests with this customer as soon as I get the time.

Does the updater check if the user has permissions to write to the ACL? Because for me it looks like it doesn't because there was no prompt for elevation. So for the user it seems like the update should succeed.

wyUpdate checks if the user is an admin or not. If the user is not an admin it asks for elevation. There are ways to bypass this, and that sounds like what the user has done.

This is an old thread but I'm running into the same issue. I think the bottom of it is this: "the program is installed on a mapped network drive (no UNC path)". We do dev off a network drive and we get the same kind of message when we try to autoupdate directly on the network drive. I'm not an admin but it might be valid to **not** have access to the file's ACL on a network drive. It's probably a pretty common scenario in enterprises, also. When the application is installed on a local drive (same computer), auto update works fine.
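
An added example, not part of the thread and not wyUpdate's code: the two messages quoted above are the default messages of .NET's `PrivilegeNotHeldException` and `UnauthorizedAccessException`, so a small pre-flight check can show which ACL step fails for a given user and install folder (local, mapped drive or UNC). The class name `AclPreflight`, the scratch file name and the command-line argument are assumptions made for this sketch.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclPreflight   // hypothetical name, not part of wyUpdate
{
    // Runs one probe and names the failure an updater would hit at that step.
    static string Probe(Action step)
    {
        try { step(); return "ok"; }
        // Must come first: PrivilegeNotHeldException derives from UnauthorizedAccessException.
        catch (PrivilegeNotHeldException e) { return "missing privilege " + e.PrivilegeName; }
        catch (UnauthorizedAccessException) { return "access denied"; }
        catch (IOException e) { return "I/O error: " + e.Message; }
    }

    static void Main(string[] args)
    {
        // Assumption: the install folder is the first argument; defaults to this exe's folder.
        string dir = Path.GetFullPath(args.Length > 0 ? args[0] : AppDomain.CurrentDomain.BaseDirectory);
        string root = Path.GetPathRoot(dir);
        bool onNetwork = root.StartsWith(@"\\") || new DriveInfo(root).DriveType == DriveType.Network;
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        bool isAdmin = new WindowsPrincipal(me).IsInRole(WindowsBuiltInRole.Administrator);
        Console.WriteLine("folder: {0}  network: {1}  admin role active: {2}", dir, onNetwork, isAdmin);

        // All ACL probes run against a scratch file so the application's own files stay untouched.
        var probe = new FileInfo(Path.Combine(dir, "acl-preflight-" + Guid.NewGuid().ToString("N") + ".tmp"));
        FileSecurity dacl = null;
        try
        {
            Console.WriteLine("create file: " + Probe(() => File.WriteAllText(probe.FullName, "")));
            Console.WriteLine("read DACL  : " + Probe(() => dacl = probe.GetAccessControl(AccessControlSections.Access)));
            Console.WriteLine("write DACL : " + (dacl == null ? "skipped" : Probe(() =>
            {
                // Change a rule so the descriptor is actually written back to the file.
                dacl.AddAccessRule(new FileSystemAccessRule(me.User, FileSystemRights.Read, AccessControlType.Allow));
                probe.SetAccessControl(dacl);
            })));
            // Reading the audit section (SACL) requires SeSecurityPrivilege in the token.
            Console.WriteLine("read SACL  : " + Probe(() => probe.GetAccessControl(AccessControlSections.Audit)));
        }
        finally
        {
            Probe(() => probe.Delete());   // best-effort cleanup of the scratch file
        }
    }
}
```

Run it as the affected user against the install folder: a result of "ok" for creating the file combined with a failure on a DACL or SACL line corresponds to the situation in the thread where copying files by hand works but the ACL step does not.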