Bug 872541 - activex "install for all users" is installed for elevated-privileges-user only
Summary: activex "install for all users" is installed for elevated-privileges-user only
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: spice-activex-win
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ovirt-3.6.1
: 3.6.1
Assignee: Uri Lublin
QA Contact: SPICE QE bug list
URL:
Whiteboard: spice
: 884887 (view as bug list)
Depends On:
Blocks: 864033
TreeView+ depends on / blocked
 
Reported: 2012-11-02 11:42 UTC by David Jaša
Modified: 2018-12-05 15:41 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-23 14:23:30 UTC
oVirt Team: Spice
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 152633 0 None None None Never

Description David Jaša 2012-11-02 11:42:36 UTC
Description of problem:
activex "install for all users" is installed for elevated-privileges-user only

Version-Release number of selected component (if applicable):
spice-client-msi-3.1-6

How reproducible:
always

Steps to Reproduce:
1. have a clean Windows 7 client with two administrator and one user-only accounts
2. log in as a regular user
3. navigate to RHEV-M user portal
4. hit "console" button
5. choose "Install for all users" in the drop-down menu
6. provide credentials to one of the administrator accounts
7. confirm the rest of the installation
8. in _each_ of the three accounts, navigate to the portal again and hit the "console" button
  
Actual results:
only the administrator account whose credentials were provided during installation has the r-v available, other users are prompted with activex installation again

Expected results:
r-v is available for all users

Additional info:
might be related to bug 866601

Comment 1 David Jaša 2012-11-02 11:53:22 UTC
xp are affected, too, but you have to install it as an admin right away because you won't be even able to start activex plugin as a regular user there.

Comment 2 Marc-Andre Lureau 2012-11-02 13:35:55 UTC
(In reply to comment #0)
> Additional info:
> might be related to bug 866601

I don't really see the relation. 866601 just prevents running simultaneously 2 installers or the installer while a client is running. Please consider removing depedency.

Comment 3 Marc-Andre Lureau 2012-11-02 13:37:03 UTC
(In reply to comment #2)
> (In reply to comment #0)
> > Additional info:
> > might be related to bug 866601
> 
> I don't really see the relation. 866601 just prevents running simultaneously

I meant 864033

> 2 installers or the installer while a client is running. Please consider
> removing depedency.

Comment 4 David Jaša 2012-11-02 13:47:06 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #0)
> > I don't really see the relation. 866601 just prevents running simultaneously
> 
> I meant 864033
> 
> > 2 installers or the installer while a client is running. Please consider
> > removing depedency.

The relation all depends on the way if per-user and all-users installation of activex and/or remote-viewer can collide. I don't know activex well enough to say it without testing and I can not test it till this bug is fixed, that's why I added the dependency.

Comment 5 Marc-Andre Lureau 2012-11-02 13:54:48 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > (In reply to comment #0)
> > > I don't really see the relation. 866601 just prevents running simultaneously
> > 
> > I meant 864033
> > 
> > > 2 installers or the installer while a client is running. Please consider
> > > removing depedency.
> 
> The relation all depends on the way if per-user and all-users installation
> of activex and/or remote-viewer can collide. I don't know activex well
> enough to say it without testing and I can not test it till this bug is
> fixed, that's why I added the dependency.

I don't see the relation: in one case we are talking about concurrent instance & installations. In the other case, we are talking about installing client for all users. What is the link I am missing?

Comment 6 Marc-Andre Lureau 2012-11-02 13:57:55 UTC
(In reply to comment #0)
> Description of problem:
> activex "install for all users" is installed for elevated-privileges-user
> only

Is this "install for all users" an MSI option? If the MSI uses NSIS installer (which I think it does), then this is not supported by the installer and probably won't because of ActiveX limitations: you can't upgrade per-user when there is a global activex/cab. Say good bye to cab and problem is gone.

We made it per-user. Only the USB-clerk is for all users, and can be install by admin.

Comment 7 David Jaša 2012-11-02 14:14:47 UTC
(In reply to comment #5)
> I don't see the relation: in one case we are talking about concurrent
> instance & installations. In the other case, we are talking about installing
> client for all users. What is the link I am missing?

if you have user in one sesion who has activex opened and in the other session another users wants to install/update the activex for the same user, there might be a conflict.

(In reply to comment #6)
> Is this "install for all users" an MSI option?

It is offered by IE: in the "yellow top bar" of IE8 and in the drop-down menu of the "install" button in the bottom bar of IE9. I'm not sure where this is from though.
Actually, in IE8/XP, only "install for all users" is offered for administrators and no option to install it comes up for regular users.

> If the MSI uses NSIS
> installer (which I think it does), then this is not supported by the
> installer and probably won't because of ActiveX limitations: you can't
> upgrade per-user when there is a global activex/cab. Say good bye to cab and
> problem is gone.
> 
> We made it per-user. Only the USB-clerk is for all users, and can be install
> by admin.

No problem with that on my side but then the USB clerk should be distributed separately and activex tweaked to support installation per-user only and without need for privilege elevation.

Comment 8 Marc-Andre Lureau 2012-11-02 14:49:38 UTC
(In reply to comment #7)
> (In reply to comment #5)
> > I don't see the relation: in one case we are talking about concurrent
> > instance & installations. In the other case, we are talking about installing
> > client for all users. What is the link I am missing?
> 
> if you have user in one sesion who has activex opened and in the other
> session another users wants to install/update the activex for the same user,
> there might be a conflict.

No, there shouldn't be since the mutex is per-session. But even if there is, I would prefer we open bugs only when we actually experience them.
 
> (In reply to comment #6)
> > Is this "install for all users" an MSI option?
> 
> It is offered by IE: in the "yellow top bar" of IE8 and in the drop-down
> menu of the "install" button in the bottom bar of IE9. I'm not sure where
> this is from though.
> Actually, in IE8/XP, only "install for all users" is offered for
> administrators and no option to install it comes up for regular users.

Ok, even more fun with the c*ab. I will have to test that too.

> > We made it per-user. Only the USB-clerk is for all users, and can be install
> > by admin.
> No problem with that on my side but then the USB clerk should be distributed
> separately and activex tweaked to support installation per-user only and
> without need for privilege elevation.

I agree the current solution isn't perfect (how could it be with c*ab), but we already agreed with PM for this release. And I don't think we will find the solution in this bug, which really start to look like kitchen-sink. Instead, we should discuss the installer problems (again) in a more general discussion.

Comment 9 David Jaša 2012-11-08 18:55:52 UTC
Bug 874752 created to track the missing per-user installation in XP client.

Comment 10 Marc-Andre Lureau 2012-11-13 11:29:07 UTC
Ok, here is how it goes: it would be nice to be able as admin to install client for all users. However I still don't see how this is possible due to cab/inf limitations. Apparently the InstallScope=user|machine is what controls the yellow-bar menu, but we can't determine which scope was used for the installer to change prefix accordingly. So it looks like we would need 2 cabs one for XP+ or all users (machine) and one for Vista+(user).

fyi, I asked for help on http://stackoverflow.com/questions/13359636/non-admin-activex-and-setup-hooks . I don't know think we should support the dual case, but rather only for current user on Vista+, and all on XP: this already works fine.

I suggest we remove the blocker, get some help on the topic if any, and consider either that dual cab solution or have one more reason to stop that very limited  and fragile cab situation.

Comment 11 David Blechter 2012-11-21 17:52:05 UTC
it is not a blocker, and lower severity. No pm_ack for 2 weeks, so moving from 3.1

Comment 12 David Jaša 2013-03-11 14:28:22 UTC
I think that this bug already deserves a wrap-up:

Windows 7/2008:
  * "install for all users" performs:
    * system-wide installation of usbclerk
    * installation of plugin+client for the user with elevated
      privileges (current user if he has sufficient permissions,
      user you authenticate in RunAs dialog otherwise)
  * "install" installs plugin+client for current user

Windows XP:
  * "install for all users" does what it says - installs everything
    system-wide

Given that usbclerk has to be installed for the whole machine and plugins have to be installed per-user in w7/2k8, the cleanest way to solve this issue is IMO to have a separate installer/msi for usbclerk and the second best way would probably be to have a separate cab for system-wide stuff (usbclerk) and per-user stuff (plugin+client).

See also https://bugzilla.redhat.com/show_bug.cgi?id=857038#c6 .

Comment 13 Marc-Andre Lureau 2013-03-11 14:40:23 UTC
(In reply to comment #12)
> Given that usbclerk has to be installed for the whole machine and plugins
> have to be installed per-user in w7/2k8, the cleanest way to solve this

Why "plugins have to be installed per-user in w7/2k8" ?

Comment 14 David Jaša 2013-03-11 14:45:57 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > Given that usbclerk has to be installed for the whole machine and plugins
> > have to be installed per-user in w7/2k8, the cleanest way to solve this
> 
> Why "plugins have to be installed per-user in w7/2k8" ?

I thought that that was your conclusion wrt InstallScope:

> Apparently the InstallScope=user|machine is what controls
> the yellow-bar menu, but we can't determine which scope was
> used for the installer to change prefix accordingly.

Comment 16 Marc-Andre Lureau 2013-07-15 13:01:16 UTC
mingw-virt-viewer will no longer ship the activex, moving to appropriate component

Comment 17 Bryan Yount 2013-08-08 19:15:18 UTC
This case was brought to my attention for a 2nd opinion and I tested the following procedure:

1. Install virt-viewer as the local admin
2. Log out
3. Log in as a Limited local user
4. Try to access Spice console

No console appears and no "yellow bar" to install the ActiveX appears either. It would appear that if virt-viewer is installed for any other user on the system, it negatively impacts other users and prevents them from being prompted to install as well.

Workaround: After installing virt-viewer as the local admin (primarily so that usbclerk installs correctly). Manually extract from the virt-viewer installer .exe from the SpiceX.cab on RHEV-M. Provide that file to the limited user. Have them double-click to install it. After that, they are presented with the "yellow bar" to run the ActiveX and Spice consoles launch as expected.

Comment 19 Uri Lublin 2013-08-12 14:02:12 UTC
*** Bug 884887 has been marked as a duplicate of this bug. ***

Comment 20 Uri Lublin 2013-08-12 14:25:20 UTC
(In reply to comment #14 + comment #13 + comment #12)

There are two problems with InstallScope:
1. XP and Win7 behave differently.
   XP does not allow "user" InstallScope. Win7 does.
   For that reason we have both "machine|user".
2. The NSIS installer always installs to current user (and never to "all-users").
   Maybe there is a way to know in the NSIS installer if virt-viewer should be
   installed for "all-users".
3. Alternative solution for the problem may be separating XP and Win7 CAB files.
   Currently the separation is only done for 32/64.
   The XP CAB will use virt-viewer MSI (machine) and the Win7 CAB will only 
   install the NSIS exe (user).

In 3.3 virt-viewer and usbclerk are separated, and MSI files are provided.
The best way to install virt-viewer and usbclerk are with MSI files (before accessing RHEV-M portals).
Users should use MSI files to install virt-viewer on the machine, such that it can be used by all users.
The usbclerk MSI is the only way to install usbclerk on client machines.

Comment 21 David Jaša 2014-08-22 14:46:40 UTC
IMO this issue turned to non-issue since dropping of usbclerk installer from .cab archive.

Comment 22 Sandro Bonazzola 2015-10-26 12:29:06 UTC
this is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted to next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to

- 3.6.1 if severity >= high
- 4.0 if severity < high

Comment 23 Yaniv Lavi 2015-10-28 15:03:13 UTC
Is this resolved? What is the status?

Comment 24 David Blechter 2015-11-23 14:23:30 UTC
usb clerk was dropped from the cab, and the new usbDK is not part of the cab as well.


Note You need to log in before you can comment on or make changes to this bug.