A Basic Guide to Enterprise Application Distribution
by Philip Rinehart
Managing Mac OS X on hundreds of diverse computers throughout an enterprise organization creates many challenges for IT managers and staff. Many of these issues can be attributed to the differences between the Mac OS X and OS 9 security models, operating system architectures, and distribution and management tools. As an enterprise system administrator, it's important to evaluate the factors for distribution and deployment of software by tracking installations. In this article, I'll show you a few options to help you configure the best system for your situation.
Why Should I Track Installations?
With the rise of malicious code, viruses, and worms targeting known vulnerabilities, security -- of both the network and the platforms on it -- is a more significant concern for all enterprise deployments. The resultant downtime, its associated expense, and increased concern arising from governance and regulatory compliance (e.g., HIPAA, Sarbanes-Oxley, and FERPA) require the enterprise to focus on computer security.
In addition, with Mac OS X, inroads have been made into previously unavailable environments, such as the federal system and military, where the security of a client operating system is of critical importance. While Mac OS 9 was a "closed" operating system, with little or no access to internal code and no command line, Mac OS X is an open source operating system based on Unix. Access to a wide variety of open source software has increased the ability to compromise a system, an ability that was not available in Mac OS 9. For installers, it is important to:
- Find and fix potential security issues.
- Meet enterprise security policies.
- Minimize the risk of system compromise.
- Protect network infrastructure.
Tracking installations has many benefits for the system administrator. Mac OS X has seen an increase in distribution tools. When combined with installation tracking, an administrator can reduce time spent developing new systems for deployment as well as minimize the amount of time required to deploy the new system. Efficiency is highly important, particularly in a small information technology department.
In the enterprise, a primary goal is often to provide a uniform experience for all end users. When the experience is uniform, unexpected problems occur in a consistent manner. If the software has been tracked, a problem can be fixed simply and efficiently throughout the enterprise. An additional benefit is that tracked software is much easier to troubleshoot, as the scope of possible problems is a known quantity.
Increasingly, in enterprise environments, resources are limited. With installation tracking, the management cost of security, efficiency, and consistency is reduced.
Installers and Why They Can't Be Trusted
With the above considerations in mind, the tracking of installers becomes even more critical for the enterprise system administrator. Smaller departments and companies can benefit from tracking installers, as they will reduce the amount of resources spent in this endeavor.
Permissions and File Modes
One reason installers cannot be trusted is improper use of file permissions and modes. Normally, an application runs with permissions of the logged-in user. Only files and directories that have correct user permissions are affected. Installers may create files with the following permissions:
- Set-UID. Applications with this bit set run with permissions of the application's owner.
- Set-GID. Applications with this bit set run with permissions of the application's group.
- Permissions granted to "all" users, or to users of "group."
Why are these file permissions undesirable? If the application has a programming error, buffer overflow, or other security issue, it may be exploited by a malicious user who can use these elevated permissions to affect secure areas of the system. Additionally, files and folders may be unintentionally overwritten or modified.
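As an added example (not from the original article), the following Python sketch walks an installed tree and reports the permissions listed above. The function names and labels are this example's own, and the root path is whatever directory the administrator chooses to audit.

```python
import os
import stat

# Mode bits called out in the list above (labels are this example's own).
SETID_BITS = {"set-uid": stat.S_ISUID, "set-gid": stat.S_ISGID}
WRITE_BITS = {"group-writable": stat.S_IWGRP, "world-writable": stat.S_IWOTH}

def classify(st_mode):
    """Return the risky-permission labels for one st_mode value."""
    hits = []
    if stat.S_ISREG(st_mode):
        # Set-UID/set-GID are reported only for regular files; on a directory
        # these bits do not make anything run with elevated rights.
        hits += [name for name, bit in SETID_BITS.items() if st_mode & bit]
    hits += [name for name, bit in WRITE_BITS.items() if st_mode & bit]
    return hits

def audit_tree(root):
    """Walk root without following symlinks; map relative path -> labels."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            hits = classify(st.st_mode)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python audit_modes.py /path/to/install/root
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits in sorted(audit_tree(root).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Running it against the destination before and after an installation shows which risky entries the installer itself introduced.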
Unnecessary Administrative Privileges
Another reason that installers cannot be trusted is the unnecessary use of administrative rights. If an application does not install in protected system areas, the use of administrative or root user rights is unnecessary. This requirement can also prevent installation of software by a non-administrator to protected areas of the file system. In many environments, non-administrative users are allowed to install applications in their user file spaces. As a second consequence, this unnecessary requirement can lead to careless use of administrative credentials. This gives hackers the opportunity to create installers that are used to compromise systems.
As an example, the recently released Office 2004 malware could have been created using administrative privileges. With this additional ability, an end user with administrative privileges could cause significant damage to a Mac OS X installation.
Use of Non-Standard Locations
Lastly, files from installers are placed in non-standard locations. Installers that do not follow recommended guidelines on installation create an increased burden for enterprise information technology staff when tracking and troubleshooting installations. Apple documentation (the Mac OS X HI Guidelines) even specifies, "During installation you should install your application in a location accessible to all users. Most of the files you generate while your application is running, however, should go in the user domain because they pertain to the specific user currently using that application."
Simple Installation Tracking
Since installers cannot be trusted, what are the first steps used to track any software installation? Let's examine some simple methods used to track software installations. These methods track only Apple Package installers. Tracking installations created by other installers is more complex, and does not use the following methods.
The Apple™ Installer
The simplest way to begin tracking an installation using a package archive is to use the Apple Installer program. With the Installer, an administrator can determine what is being installed and where. As an example, iTunes 4.5 uses a package archive. Let's begin by examining some screenshots of what the Installer provides.
In this window, the file listing is shown. It's only available after an installation destination has been chosen. Meta-packages are supported, as well as printing the entire listing of files being installed. It can be accessed from the File -> Show Files menu.
Shown in this dialog is a log listing all steps of the installation. Any scripts run as part of the installation, such as permission corrections or temporary file creation, will appear in this log. Three view options are available: Show Everything, Show Errors and Progress, and Show Errors Only. You can also access this feature from the File menu. This technique starts the process of tracking an installation. So what's missing?
You may notice that the file listing, while complete, does not provide any permission information, or the checksum for installation verification. The next level of tracking an installation uses the shareware product, Pacifist™.
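One way to capture what the Installer's file listing leaves out, as an added example that is not part of the original article: record mode, owner, group, and a checksum for every file before and after an installation, then compare the two snapshots. SHA-256 and the function names are assumptions of this example; the article does not name a checksum algorithm.

```python
import hashlib
import os
import stat

def build_manifest(root):
    """Map each relative path under root to (octal mode, uid, gid, sha256 or None)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # record symlinks themselves, never their targets
            digest = None
            if stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    # Hash in 1 MiB chunks so large files do not fill memory.
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            manifest[os.path.relpath(path, root)] = (
                oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid, digest)
    return manifest

def diff_manifests(before, after):
    """Report paths an installation added, removed, or changed.

    A path counts as changed when its mode, owner, group, or content differs.
    """
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }
```

Take one manifest of the destination volume or folder before running the installer and one after; the `added` and `changed` lists are the installation's footprint, with permissions and checksums attached for later verification.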