diff cinst/nssstore_win.c @ 1208:0a803c3fb5a6

(issue138) Set the ACL explicitly on existing files or directories
author Andre Heinecke <andre.heinecke@intevation.de>
date Tue, 23 Sep 2014 19:15:49 +0200
parents c8f698ca6355
children d4b24df4eed1
--- a/cinst/nssstore_win.c	Tue Sep 23 17:05:17 2014 +0200
+++ b/cinst/nssstore_win.c	Tue Sep 23 19:15:49 2014 +0200
@@ -756,6 +756,7 @@
            *path = NULL;
   HANDLE hFile = NULL;
   size_t path_len;
+  PACL access_control_list = NULL;
 
   folder_name = get_program_data_folder();
   if (!folder_name)
@@ -805,7 +806,7 @@
      it might be a symlink to another place that a users
      wants us to grant read access to or makes us overwrite
      something */
-  if(!create_restricted_directory (path, true))
+  if(!create_restricted_directory (path, true, &access_control_list))
     {
       ERRORPRINTF ("Failed to create directory\n");
       xfree(path);
@@ -816,6 +817,7 @@
     {
       ERRORPRINTF ("Failed to cat dirsep.\n");
       xfree(path);
+      LocalFree(access_control_list);
       return NULL;
     }
 
@@ -823,6 +825,7 @@
     {
       ERRORPRINTF ("Failed to cat filename.\n");
       xfree(path);
+      LocalFree(access_control_list);
       return NULL;
     }
 
@@ -844,15 +847,68 @@
                           0,
                           NULL);
     }
+  else
+    {
+      /* Opened existing file */
+      /* Set our ACL on it */
+      PSID admin_SID = NULL;
+      SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY};
+
+      /* Create the SID for the BUILTIN\Administrators group. */
+      if(!AllocateAndInitializeSid(&admin_identifier,
+                                   2,
+                                   SECURITY_BUILTIN_DOMAIN_RID, /*BUILTIN\ */
+                                   DOMAIN_ALIAS_RID_ADMINS, /*\Administrators */
+                                   0, 0, 0, 0, 0, 0, /* No other */
+                                   &admin_SID))
+        {
+          PRINTLASTERROR ("Failed to allocate admin sid.");
+          syslog_error_printf ( "Failed to allocate admin sid.");
+          if (hFile)
+            {
+              CloseHandle (hFile);
+            }
+          xfree (path);
+          LocalFree(access_control_list);
+          return NULL;
+        }
+
+      if (SetNamedSecurityInfoW (path,
+                                 SE_FILE_OBJECT,
+                                 DACL_SECURITY_INFORMATION |
+                                 OWNER_SECURITY_INFORMATION |
+                                 GROUP_SECURITY_INFORMATION,
+                                 admin_SID, /* owner */
+                                 admin_SID, /* group */
+                                 access_control_list, /* the dacl */
+                                 NULL) != ERROR_SUCCESS)
+        {
+          ERRORPRINTF ("Failed to set the ACL on the NSS instruction file.");
+          if (hFile)
+            {
+              CloseHandle (hFile);
+            }
+          FreeSid(admin_SID);
+          LocalFree(access_control_list);
+          xfree (path);
+          return NULL;
+        }
+      FreeSid(admin_SID);
+    }
+
+  LocalFree(access_control_list);
+
   if (hFile == INVALID_HANDLE_VALUE)
     {
       PRINTLASTERROR ("Failed to create file\n");
+      syslog_error_printf ( "Failed to create nss instruction file.");
       xfree(path);
       return NULL;
     }
   if (!write_instructions (to_install, hFile, false))
     {
       ERRORPRINTF ("Failed to write install instructions.\n");
+      syslog_error_printf ( "Failed to write nss instruction file.");
       CloseHandle(hFile);
       xfree(path);
       return NULL;
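Review bot: The owner and DACL are applied by name with `SetNamedSecurityInfoW (path, ...)` after the file has already been opened, so the path is resolved a second time and the object that receives the ACL is not guaranteed to be the one behind `hFile`; the comment earlier in this function already worries about symlinks. Applying it to the open handle instead, `SetSecurityInfo (hFile, SE_FILE_OBJECT, ...)` with the remaining arguments unchanged, would bind the change to the opened file, provided the CreateFile call (outside this hunk) requests WRITE_DAC and WRITE_OWNER. The condition guarding this `else` is outside the hunk, but the branch appears to run also when the open failed for some other reason, in which case `if (hFile)` is true for INVALID_HANDLE_VALUE and CloseHandle is called on it; `if (hFile != INVALID_HANDLE_VALUE)` would be the correct guard, or the existing INVALID_HANDLE_VALUE check could move ahead of the ACL code. The SetNamedSecurityInfoW failure path also drops the returned error code and logs only through ERRORPRINTF, unlike the neighbouring failure paths that additionally call syslog_error_printf.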
@@ -860,6 +916,7 @@
   if (!write_instructions (to_remove, hFile, true))
     {
       ERRORPRINTF ("Failed to write remove instructions.\n");
+      syslog_error_printf ( "Failed to write nss instruction file removal entries.");
       CloseHandle(hFile);
       xfree(path);
       return NULL;

http://wald.intevation.org/projects/trustbridge/