A Basic Guide to Enterprise Application Distribution
Pacifist uses a binary file, package.bom, located inside the package archive. This file lists the file or directory path, user (UID), group (GID), permissions, modes, and the checksum of files. It is commonly referred to as the "bill of materials" file. Possible modifications made by installer scripts are not included as part of a .bom file. Tracking an installation in this way allows an enterprise administrator to check the package installer for security concerns or other problems.
Continuing with the previous example, iTunes 4.5, Pacifist presents a more complete set of information.
In this dialog, a more complete set of information about the files being installed is presented. Important pieces of information are shown, including:
- The file's owner
- The group
- File type
- Installation location of the package
Pacifist also allows extraction of individual pieces of the package to a temporary location. However, if the package is extracted in this way, it will not run any scripts that are part of the installation as detected by Installer.
Pacifist can also be used as a replacement for the normal Installer, which can be helpful if you're experiencing problems with the software installation package. Additional advantages include the ability to verify existing installations and compare files of an installed package with the files listed in the package installer. It will also detect missing files and files that have different permissions or checksums, and can update prebinding information, either for the entire hard disk, or for an individual folder.
The last simple way that a package file can be tracked is by using lsbom. This command-line binary interprets the content of the bill of materials file (pkg.bom), and produces formatted output containing the POSIX path of the entry, its mode (octal), and its UID/GID. The tool also does not list possible modifications made by
lsbom -p MUGTsfc iTunes4.bom
drwxrwxr-t root admin .
drwxrwxr-x root admin ./Applications
drwxrwxr-x root admin ./Applications/iTunes.app
drwxrwxr-x root admin ./Applications/iTunes.app/Contents
-rw-rw-r-- root admin Fri Apr 16 15:30:25 2004 13489 ./Applications/iTunes.app/Contents/Info.plist 412288683
drwxrwxr-x root admin ./Applications/iTunes.app/Contents/MacOS
-rwxrwxr-x root admin Wed Apr 21 16:10:52 2004 4696188 ./Applications/iTunes.app/Contents/MacOS/iTunes 1822652320
-rw-rw-r-- root admin Mon Dec 8 19:25:15 2003 8 ./Applications/iTunes.app/Contents/PkgInfo 187102783
drwxrwxr-x root admin ./Applications/iTunes.app/Contents/Resources
Comparing the information with the graphical dialog from Pacifist, an identical set of information is presented. For more information about the command-line switches, read the manual page, man lsbom. An advantage to using the command-line tool is the ability to read scripts run as part of the installation process. For example, in the iTunes 4.5 installer, a script, iTune4.pre_install, is included.
if [ -e "/Applications/iTunes.app" ] ; then
rm -rf "/Applications/iTunes.app" 2> /dev/null
/usr/bin/sudo -u $USER "$PACKAGE_PATH/Contents/Resources/InstallHelper" "/Applications/iTunes.app/Contents/Resources/iTunesHelper.app" 2> /dev/null
"$PACKAGE_PATH/Contents/Resources/InstallHelper" 2> /dev/null
Shell scripts that run as part of the installation can be used to correct or modify installations before or after they have completed.
Advantages of Tracking Package Installers
Each package that is installed creates a receipt file in /Library/Receipts. As an example, the following listing is from the iLife.pkg.
drwxrwxr-t root admin .
drwxrwxr-x root admin ./private
drwxrwxr-x root admin ./private/var
drwxrwxrwt root wheel ./private/var/tmp
-rw-rw-rw- root admin 442 ./private/var/tmp/BlankFile 3626504269
Note the permission mode setting for /private/var/tmp: drwxrwxrwt. By tracking the installation as shown above, you can check file permissions for inconsistency. If an installer incorrectly modified /tmp, removing the sticky bit, a potential security hole is created, as listed in AusCERT advisory AA-95.07. You could then proactively correct any potential security hole discovered in a Receipt file.
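The permission check described above can be automated. The following is an added example, not part of the original article: it parses a listing in the layout shown in the lsbom output above and flags world-writable directories that lack the sticky bit, and goes slightly beyond the text by also flagging world-writable files and setuid/setgid files. The sample listing, the function names and the regular expression are constructed for illustration.

```python
import re

# Layout as printed in the listings above: symbolic mode, user, group,
# optional date/size (files only), a path starting with ".", optional checksum.
LINE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?:.*?\s)?(?P<path>\.(?:/.*?)?)(?:\s+(?P<cksum>\d+))?$"
)

# Constructed sample (not from a real package); the /private/var/tmp entry
# has deliberately lost its sticky bit.
SAMPLE = """\
drwxrwxr-t root admin .
drwxrwxr-x root admin ./private
drwxrwxrwx root wheel ./private/var/tmp
-rw-rw-rw- root admin 442 ./private/var/tmp/BlankFile 3626504269
-rwsr-xr-x root admin Wed Apr 21 16:10:52 2004 4096 ./Applications/Example App/helper 123456789
drwxrwxrwt root wheel ./private/tmp
"""

def mode_bits(sym):
    """Convert a 10-character symbolic mode (as printed by ls -l) to permission bits."""
    perms, bits = sym[1:], 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":  # lower-case s/t mean the execute bit is set as well
            bits |= 1 << (8 - i)
    for pos, flags, bit in ((2, "sS", 0o4000), (5, "sS", 0o2000), (8, "tT", 0o1000)):
        if perms[pos] in flags:
            bits |= bit
    return bits

def audit(listing):
    """Return (path, octal mode, issue) for each risky entry in the listing."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        sym, path, bits = m["mode"], m["path"], mode_bits(m["mode"])
        if sym[0] == "d" and bits & 0o002 and not bits & 0o1000:
            findings.append((path, oct(bits), "world-writable directory without sticky bit"))
        elif sym[0] == "-" and bits & 0o002:
            findings.append((path, oct(bits), "world-writable file"))
        if sym[0] == "-" and bits & 0o6000:
            findings.append((path, oct(bits), "setuid/setgid file"))
    return findings

if __name__ == "__main__":
    for path, mode, issue in audit(SAMPLE):
        print(f"{mode:>7}  {path}: {issue}")
```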
Additional Simple Tracking Methods
One very popular type of installation on Mac OS X is the "drag-and-drop" method of installation. Tracking this type of installation is very simple with the command-line tool ls. With the correct command-line switches, a complete listing of installed files can be created. Using the following command:
produces the following listing for an application.
Much of the information provided is similar to a package installer. However, note that no checksum information is provided as a drag-and-drop installer is simply copying the file from a disk image, and does not have any method for file integrity verification.
Advantages of Using Package Installers
From a developer's standpoint, the advantage of using Packages is tremendous. Why?
- The installation is recorded in /Library/Receipts. The receipt file can become very useful when upgrading a package.
- Permissions of any package installed in the Receipts directory are checked by Disk Utility when running the task "Check Permissions". If at any point a user unknowingly alters permissions, a simple use of this task will restore permissions to their installed state.
- It can be distributed throughout an enterprise environment with the use of Apple Remote Desktop (http://www.apple.com/remotedesktop).
Hopefully, this basic guide has provided you with additional insight into the basic methods of tracking installations in business and educational environments.
Philip Rinehart is a member of the steering committee leading the Mac OS X Lab Deployment Project (www.macosxlabs.org) and manages Macs as a support specialist at Yale University.