Updating OpenVPN on Windows fails when the OS language is other than English

[kevloral]

Beginning in 2.6.9, when you try to update OpenVPN on Windows and a non standard installation folder has been used, the process always fails with this message:

I assume the problem lies in the new script that was introduced in that version intended to reset the permissions of the installation folder (I guess it may not support using non standard destinations).

If the installer is executed with the /L option, you get this in the resulting log file:

[MSI (s) (3C:B4) [00:02:53:985]: Executing op: ActionStart(Name=SetACL,,)
Action 0:02:53: SetACL. 
MSI (s) (3C:B4) [00:02:53:987]: Executing op: CustomActionSchedule(Action=SetACL,ActionType=7173,Source=/*
 *  openvpn-build — OpenVPN packaging
 *
 *  Copyright (C) 2024 Lev Stipakov <lev@openvpn.net>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  [..]
 */

function InProgramFiles(installPath) {
    var shell = new ActiveXObject("WScript.Shell");
    var fso = new ActiveXObject("Scripting.FileSystemObject");

    var programFilesPath = shell.ExpandEnvironm
Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.  Custom action SetACL script error -2147467259, Msi API Error: Property,Name Line 176, Column 9,  
MSI (s) (3C:54) [00:02:55:944]: Product: OpenVPN 2.6.9-I001 amd64 -- Error 1720. There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor.  Custom action SetACL script error -2147467259, Msi API Error: Property,Name Line 176, Column 9,  ]

The problem also affects versions 2.6.10 and 2.6.11

[kevloral]

I dug into it a little bit and it is not that the installation fails when the destination is not the default one, but when the OS is not in English.

Given that the error message in the log file is quite useless (Property,Name Line 176, Column 9), perhaps because there is a problem in the way the SetACL function tries to return an error message, I fired up a process monitor to find out the exact icacls parameters the installer was trying to use. In my case, this is the full command:

"C:\Windows\System32\icacls.exe" "H:\Aplicaciones\OpenVPN" /inheritance:r /grant "Administrators:(OI)(CI)F" /grant "System:(OI)(CI)F" /grant "Users:(OI)(CI)RX"

Therefore, I tried to execute it by hand and got this error message:

Administrators: No se efectuó ninguna asignación entre los nombres de cuenta y los identificadores de seguridad. Se procesaron correctamente 0 archivos; error al procesar 1 archivos

The message, in Spanish, is complaining because there is no Administrators users group in my computer (as my OS is in Spanish). Once I changed that group name to "Administradores" (and "Users" to "Usuarios"), the command executed successfully.

All in all, the problem lies in the fact that the names of both user groups are hardwired in the SetACL function: https://github.com/OpenVPN/openvpn-build/blob/OpenVPN-2.6.11-I001/windows-msi/script/ACL.js

[lstipakov]

Thank you for the such a detailed bug report. We’ll address this issue in coming days.

[lstipakov]

@kevloral Do you mind to test this installer, which is 2.6.11 with the ACL script fix?

[kevloral]

I just did and now the installation completes successfully. Also, the permissions of the installation folder are set as expected:

It seems using SIDs instead of names did the trick. Thanks a lot!