oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button

A Basic Guide to Enterprise Application Distribution
Pages: 1, 2


Pacifist uses a package archive's binary file, located inside of the archive. This file lists the file or directory path, user (UID), group (GID), permissions, modes, and the checksum of files. It is commonly referred to as the "bill of materials" file. Possible modifications made by installer scripts are not included as part of a .bom file. Tracking an installation in this way allows an enterprise administrator to check for security concerns of, or problems with, the package installer.

Continuing with the previous example, iTunes 4.5, Pacifist presents a more complete set of information.


In this dialog, a more complete set of information about the files being installed is presented. Important pieces of information are shown, including:

  • The file's owner
  • The group
  • Permissions
  • File type
  • Checksums
  • Installation location of the package

Pacifist also allows extraction of individual pieces of the package to a temporary location. However, if the package is extracted in this way, it will not run any scripts that are part of the installation as detected by Installer.

Pacifist can also be used as a replacement for the normal Installer, which can be helpful if you're experiencing problems with the software installation package. Additional advantages include the ability to verify existing installations and compare files of an installed package with the files listed in the package installer. It will also detect missing files and files that have different permissions or checksums, and can update prebinding information, either for the entire hard disk, or for an individual folder.

Command-Line Tracking

The last simple way that a package file can be tracked is by using the command-line utility lsbom. This command-line binary interprets the content of the bill of materials file (, and produces output formatted containing the POSIX path of the entry, its mode (octal), and its UID/GID. The tool also does not list possible modifications made by installer scripts.

lsbom -p MUGTsfc

drwxrwxr-t root admin .
drwxrwxr-x root admin ./Applications
drwxrwxr-x root admin ./Applications/
drwxrwxr-x root admin ./Applications/
-rw-rw-r-- root admin Fri Apr 16 15:30:25 2004 13489 ./Applications/ 412288683
drwxrwxr-x root admin ./Applications/
-rwxrwxr-x root admin Wed Apr 21 16:10:52 2004 4696188 ./Applications/ 1822652320
-rw-rw-r-- root admin Mon Dec 8 19:25:15 2003 8 ./Applications/ 187102783
drwxrwxr-x root admin ./Applications/

Comparing the information with the graphic dialog from Pacifist, an identical set of information is presented. For more information about the command-line switches, read the manual page, man lsbom. An advantage to using the command-line tool is the ability to read scripts run as part of the installation process. For example, in the iTunes 4.5 installer, a script, iTune4.pre_install is included.


if [ -e "/Applications/" ] ; then
rm -rf "/Applications/" 2> /dev/null

/usr/bin/sudo -u $USER "$PACKAGE_PATH/Contents/Resources/InstallHelper" "/Applications/" 2> /dev/null
"$PACKAGE_PATH/Contents/Resources/InstallHelper" 2> /dev/null

exit 0

The use of shell scripts as part of the installation can be used to correct or modify installations before or after they have completed.

Advantages of Tracking Package Installers

Each package that is installed creates a receipt file in /Library/Receipts. As an example, the following listing is from the iLife.pkg.

drwxrwxr-t root admin .
drwxrwxr-x root admin ./private
drwxrwxr-x root admin ./private/var
drwxrwxrwt root wheel ./private/var/tmp
-rw-rw-rw- root admin 442 ./private/var/tmp/BlankFile 3626504269

Note the permission mode setting for /private/var/tmp: drwxrwxrwt. By tracking the installation as shown above, you can check file permissions for inconsistency. If an installer incorrectly modified /tmp, removing the sticky bit, a potential security hole is created, as listed in AusCert advisory AA-95.07. You could then proactively correct any potential security hole discovered in a Receipt file.

Additional Simple Tracking Methods

One very popular type of installation on Mac OS X is the "drag-and-drop" method of installation. Tracking this type of installation is very simple with the command-line tool ls. Using ls with the correct command-line switches, a complete listing of installed files can be created. Using the following command:

ls -latR

produces the following listing for an application.


Much of the information provided is similar to a package installer. However, note that no checksum information is provided as a drag-and-drop installer is simply copying the file from a disk image, and does not have any method for file integrity verification.

Advantages of Using Package Installers

From a developer's standpoint, the advantage of using Packages is tremendous. Why?

  • The installation is recorded in /Library/Receipts. The receipt file can become very useful when upgrading a package.
  • Permissions of any package installed in the Receipts directory is checked by Disk Utility when running the task "Check Permissions". If at any point a user alters permission unknowingly, a simple use of this task will restore permissions to their installed state.
  • It can be distributed throughout an enterprise environment with the use of ""

Hopefully, this basic guide has provided you with additional insight into the basic methods of tracking installations in business and educational environments.

Philip Rinehart is a member of the steering committee leading the Mac OS X Lab Deployment Project ( and manages Macs as a support specialist at Yale University.

Return to the Mac DevCenter