On Thu, May 15, 2014 at 8:35 AM, kmx <k...@atlas.cz> wrote: > it says that PATH contains directories (c:\strawberry\c\bin > c:\strawberry\perl\site\bin c:\strawberry\perl\bin) which are writable by > too wide group of users (built-in Users or even Authenticated Users). [...] > I feel that our MSI should probably set some filesystem ACL on C:\strawberry > (which is supported by WiX Toolset we use for MSI creation) but I am not > sure what it should be (e.g. Administrators+SYSTEM/FullControl, > Users/Read+Execute ?). Any ideas or preferably experiences with building MSI > are welcome.
The problem is that if you set a more restrictive ACL, then you will always need to run from an elevated shell to install additional modules from CPAN. So you have to make a choice between convenience and security. My personal opinion: setting a restrictive ACL makes sense on a server, but not on a user's desktop. Cheers, -Jan