
What's up with these new DMG's from Apple?
Posting Junkie
Join Date: Dec 2000
Jan 9, 2003, 03:47 PM

When I downloaded the Safari DMG from Apple and mounted it, it automatically copied the contents of the image to the folder the DMG was in and then unmounted the DMG. When I downloaded the X11 installer, it automatically ran the install mpkg on the image after mounting the image.

How are they doing this, and does this mean that DMGs now have the option to automatically launch something or run a script on mount? If so, this seems like it could be used to do some nasty AutoStart-9805 type things...

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Jan 9, 2003, 04:16 PM

And I thought it was just a feature I missed all along. I thought I was going crazy...
     
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Jan 9, 2003, 04:20 PM

Hopefully, it's just a pref to copy the contents to the local folder, not an autorun script which can be dangerous.
Vandelay Industries
     
Mac Elite
Join Date: Aug 2001
Location: Capitol City
Jan 9, 2003, 04:24 PM

I think there is a preference in safari that says to launch "safe" files after download.
     
Banned
Join Date: Apr 2000
Jan 9, 2003, 04:34 PM

Originally posted by DeathMan:
I think there is a preference in safari that says to launch "safe" files after download.
That's my guess too...and I'm guessing the 'Apple' DMGs are all considered safe (via some means I don't quite understand).

Let's hope Apple's DMG files are all safe...I remember a certain iTunes 3 fiasco.
     
Clinically Insane
Join Date: Nov 1999
Jan 9, 2003, 04:39 PM

Originally posted by DeathMan:
I think there is a preference in safari that says to launch "safe" files after download.
There is, but the Safari disk image itself also shows its behavior, and most of the people who download that aren't using Safari (that being the whole point of downloading it).

No, unfortunately this is more likely to be some kind of an auto-run mechanism embedded in the DMGs themselves. And here I hoped Apple would have learned its lesson the last time they tried that...
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Jan 9, 2003, 04:42 PM

At least the Installer showed a warning before using the Safari package.

They're kind of scary though. Who knows what other secret features are hidden inside Jaguar's Disk Copy.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
Posting Junkie
Join Date: Dec 2000
Jan 9, 2003, 04:44 PM

I really hope that Apple provides a way to disable this in the future. I would be really pissed if I mounted a DMG only to have its auto-run script do an rm -rf / and delete every file I have write access to on the drive.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Addicted to MacNN
Join Date: Oct 2001
Location: Yokohama, Japan
Jan 9, 2003, 04:46 PM

Originally posted by DeathMan:
I think there is a preference in safari that says to launch "safe" files after download.
No, that's unrelated. As Millennium mentioned, Safari itself did this. Also, the recent iCal updates and iSync 1.0 did similar things. This is definitely a new (or at least previously unused) feature of Disk Copy.
     
BTP
Mac Elite
Join Date: Feb 2001
Location: 34.06 N 118.47 W
Jan 9, 2003, 04:52 PM

I'm glad you pointed this out, as I wasn't paying attention and wondered why the Safari app was on the desktop.

I'll have to pay more attention in the future.
A lie can go halfway around the world before the truth even gets its boots on. - Mark Twain
     
Banned
Join Date: Apr 2000
Jan 9, 2003, 05:01 PM

Originally posted by CharlesS:
I really hope that Apple provides a way to disable this in the future. I would be really pissed if I mounted a DMG only to have its auto-run script do an rm -rf / and delete every file I have write access to on the drive.
That's why you never run as root.

And if you're stupid enough to type in your password when prompted to install something that you don't know should be trusted...you lose.

...wait a minute...OMG, OMG, OMG a 256kb Doom3.dmg is out. I gotta install this wicked game right away!
(Last edited by Guy Incognito; Jan 9, 2003 at 05:06 PM. )
     
Mac Elite
Join Date: Jan 2002
Location: Live at the BBQ
Jan 9, 2003, 05:06 PM

What happened with Safari and other DMGs (automatically unencoding, mounting, copying contents, and dismounting the image) isn't actually installing, it's just copying a file automatically. If it were to install automatically, it would have to ask for authorization first, which adds some level of security. Even in the case of the iCal update, the download copied a package to the desktop, and that had to be installed on its own. I think it won't be that easy for this mechanism to be used in a malicious manner, unless you're pretty lax about the downloads and installers you grant authorization to.

Myself, I think it's a pretty cool Apple-like (meaning easy, convenient) feature.
"Bill Gates can't guarantee Windows... how can you guarantee my safety?"
-John Crichton
     
Posting Junkie
Join Date: Dec 2000
Jan 9, 2003, 05:30 PM

Originally posted by Guy Incognito:
That's why you never run as root.

And if you're stupid enough to type in your password when prompted to install something that you don't know should be trusted...you lose.

...wait a minute...OMG, OMG, OMG a 256kb Doom3.dmg is out. I gotta install this wicked game right away!
You don't need to run as root for that command to be able to delete:
  • your Applications folder
  • your root-level Library folder
  • your User folder
  • anything else you've put on your hard drive as your current user

You know, that's kind of why I said it would delete every file I had write access to rather than every file on the drive.

BTW, thanks for calling me stupid.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Professional Poster
Join Date: Jul 2001
Location: Dis
Jan 9, 2003, 05:33 PM

I'd still like to be able to turn it off...

Seeing as how I cannot right now, a feedbacking I will go!

BlackGriffen
     
Professional Poster
Join Date: Jul 2001
Location: Dis
Jan 9, 2003, 05:42 PM

Also, did anyone else notice how iCal.dmg was erased after mounting? I certainly hope that the mount scripts are only permitted to erase the .dmg file, and not arbitrary files...

BG
     
Mac Elite
Join Date: Feb 2001
Location: Vancouver, WA
Jan 9, 2003, 06:02 PM

Dissection of some of these new DMGs hasn't been very enlightening thus far. But Apple alluded to these features at WWDC last spring, and it sounds like they're conscious of the security issues. The way they presented it, it sounds like DMG auto-actions can only be some very specific things -- copy this to there, or open this package in Installer, trash the DMG afterward, etc. -- which is much better than being able to auto-run any script or executable on the DMG.
Rick Roe
icons.cx | weblog
     
Banned
Join Date: Apr 2000
Jan 9, 2003, 06:04 PM

Originally posted by CharlesS:
BTW, thanks for calling me stupid.
I didn't...I was making a generalization. Maybe I should have written "One would be stupid..."...I guess you're a touchy guy.
     
Dedicated MacNNer
Join Date: Nov 2002
Jan 9, 2003, 06:13 PM

So what happened with the iTunes 3 DMG? Sounds like an interesting story!
I offer strictly b2b web-based server-side enterprise solutions for growing e-business trusted content providers ;]
     
Mac Elite
Join Date: Aug 2001
Location: Capitol City
Jan 9, 2003, 07:02 PM

iTunes had a nasty habit of erasing your hard drive if it didn't like the way it was named. Doh.

Look up "iTunes erase" in the search here, or on google.


I knew that I didn't know what I was talking about when I wrote my previous comment. I did notice that Safari was just all of a sudden on my desktop. I was wondering about that. That could be nasty, if someone got creative about it.
     
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Jan 9, 2003, 07:03 PM

Originally posted by Rickster:
Dissection of some of these new DMGs hasn't been very enlightening thus far. But Apple alluded to these features at WWDC last spring, and it sounds like they're conscious of the security issues. The way they presented it, it sounds like DMG auto-actions can only be some very specific things -- copy this to there, or open this package in Installer, trash the DMG afterward, etc. -- which is much better than being able to auto-run any script or executable on the DMG.
It looks like my guess was right.

Hopefully, it's just a pref to copy the contents to the local folder, not an autorun script which can be dangerous.
Vandelay Industries
     
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Jan 9, 2003, 07:05 PM

Originally posted by trusted_content:
So what happened with the iTunes 3 DMG? sounds like an interesting story!
That was iTunes 2, IIRC. Also, it was the .pkg installer, not the .dmg.
Vandelay Industries
     
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Jan 10, 2003, 03:40 AM

If you watch the "Power of X" presentation stream available at Apple, they mention these new images (at about 52:00). They are Internet Disk Images. It is a new image format available in Disk Copy 10.2.3 in OS X 10.2.3. It definitely sounds like all they do is copy their contents to the local directory and unmount.

I didn't see this new option in Disk Copy, but it is probably available from the command line tools.
Vandelay Industries
     
Grizzled Veteran
Join Date: Oct 2000
Location: Cardiff, Wales
Jan 10, 2003, 06:36 AM

Originally posted by Guy Incognito:
I didn't...I was making a generalization. Maybe I should have written "One would be stupid..."...I guess you're a touchy guy.
Why don't you just apologise and be done with it?
     
Addicted to MacNN
Join Date: Nov 1999
Location: Madison, WI
Jan 10, 2003, 07:04 AM

Originally posted by Art Vandelay:
If you watch the "Power of X" presentation stream available at Apple, they mention these new images (at about 52:00). They are Internet Disk Images. It is a new image format available in Disk Copy 10.2.3 in OS X 10.2.3. It definitely sounds like all they do is copy their contents to the local directory and unmount.

I didn't see this new option in Disk Copy, but it is probably available from the command line tools.
Yes, that's what happens.

-Owl
     
Professional Poster
Join Date: Feb 2001
Location: Sydney, Australia
Jan 10, 2003, 08:52 AM

Originally posted by Guy Incognito:
I didn't...I was making a generalization. Maybe I should have written "One would be stupid..."...I guess you're a touchy guy.
No I think you're a bastard. Don't say things unless you're sure about them.

And your comment was clearly directed at him.
In vino veritas.
     
Banned
Join Date: Apr 2000
Jan 10, 2003, 09:14 AM

Originally posted by undotwa:
And your comment was clearly directed at him.
No...but here's a comment that *is* clearly directed at you...

"Eat sh!t!"
     
Banned
Join Date: Apr 2000
Jan 10, 2003, 09:14 AM

Originally posted by clebin:
Why don't you just apologise and be done with it?
How about...no!
     
Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Jan 10, 2003, 10:25 AM

Originally posted by Millennium:
There is, but the Safari disk image itself also shows its behavior, and most of the people who download that aren't using Safari (that being the whole point of downloading it).

No, unfortunately this is more likely to be some kind of an auto-run mechanism embedded in the DMGs themselves. And here I hoped Apple would have learned its lesson the last time they tried that...
This "feature" showed up in 10.2.3 I believe, and one of the iCal updaters (I think 1.0.1) exhibited it. Freaked me out at first.

I don't know what triggers it, but it worries me.
     
Senior User
Join Date: Apr 2000
Location: Woodridge, IL
Jan 10, 2003, 10:29 AM

Originally posted by Guy Incognito:
How about...no!
Thank you for increasing your post count by ruining yet another thread.
     
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Jan 10, 2003, 01:54 PM

Originally posted by diamondsw:
This "feature" showed up in 10.2.3 I believe, and one of the iCal updaters (I think 1.0.1) exhibited it. Freaked me out at first.

I don't know what triggers it, but it worries me.
Read my post above. It is the new Internet Disk Image format. Until someone who knows can confirm this, it appears that all it does is have Disk Copy copy the contents to the local folder. There isn't an autorun script. So, there shouldn't be any worries of someone attaching a malicious script to these.
Vandelay Industries
     
Mac Elite
Join Date: May 2001
Location: ~/
Jan 10, 2003, 02:33 PM

If you want to strip the internet-enable functionality of a DMG you can use hdiutil to do so. Internet-enable is just a plug-in for DC.

To strip the internet-enable functionality from a DMG enter this into the command line:

hdiutil internet-enable image name -no

You can check DMGs for internet-enable with:

hdiutil internet-enable image name -query

Replace the -no flag with a -yes flag to obviously turn a DMG into an internet-enabled one. You can also use the -srcimagekey, -encryption, -passphrase, -verbose, and -quiet flags to work with images.
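As an added example (not part of this thread and not Graymalkin's or Apple's code): a small POSIX shell audit that wraps the two hdiutil invocations given above, `-query` to report and `-no` to strip, so that a batch of downloaded images can be made plain before anyone mounts them, leaving Disk Copy to simply mount rather than auto-copy and discard. The function names, the sample strings and the assumption that the `-query` form prints a line of the form `internet-enable: true` or `internet-enable: false` are mine, not from the page; adjust `parse_ie_query` if your hdiutil reports differently.

```shell
#!/bin/sh
# Added example, not from the MacNN thread: audit downloaded disk images for
# the internet-enable attribute and strip it before mounting.
# Only two hdiutil forms are used, both as given in the thread:
#   hdiutil internet-enable <image> -query
#   hdiutil internet-enable <image> -no
# ASSUMPTION: the -query form prints "internet-enable: true" or
# "internet-enable: false" (matched case-insensitively below); adjust
# parse_ie_query if your version of hdiutil reports differently.

# Classify captured -query output: prints "enabled", "disabled" or "unknown".
parse_ie_query() {
    lowered=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lowered" in
        *"internet-enable: true"*)  echo enabled ;;
        *"internet-enable: false"*) echo disabled ;;
        *)                          echo unknown ;;
    esac
}

# Only readable regular files ending in .dmg are worth handing to hdiutil.
is_candidate_dmg() {
    case "$1" in
        *.dmg) [ -f "$1" ] && [ -r "$1" ] ;;
        *)     return 1 ;;
    esac
}

# Query one real image (needs Mac OS X with hdiutil); never aborts the caller.
ie_status() {
    out=$(hdiutil internet-enable "$1" -query 2>&1 || true)
    parse_ie_query "$out"
}

# Strip internet-enable from every candidate image given, printing before/after.
# Returns 0 on success, 1 if any image failed, 2 if hdiutil is unavailable.
strip_internet_enable() {
    if ! command -v hdiutil >/dev/null 2>&1; then
        echo "hdiutil not found; this audit only runs on Mac OS X" >&2
        return 2
    fi
    rc=0
    for img in "$@"; do
        if ! is_candidate_dmg "$img"; then
            echo "skipping $img: not a readable .dmg" >&2
            continue
        fi
        before=$(ie_status "$img")
        case "$before" in
            enabled)
                if hdiutil internet-enable "$img" -no >/dev/null 2>&1; then
                    echo "$img: $before -> $(ie_status "$img")"
                else
                    echo "$img: failed to strip internet-enable" >&2
                    rc=1
                fi ;;
            disabled) echo "$img: already plain, left alone" ;;
            *)        echo "$img: could not determine status" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a Mac (constructed path):  strip_internet_enable "$HOME/Desktop"/*.dmg
```

The audit deliberately refuses anything that is not a readable `.dmg` and treats an unrecognised `-query` reply as a failure rather than silently mounting, which is the conservative choice when the output format is an assumption.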
     
Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Jan 10, 2003, 03:55 PM

Well for some reason I can't mount the iCal 1.02 image I just d/l'd. I wonder if it's related to the changes made. Arggg.
     
Banned
Join Date: Apr 2000
Jan 10, 2003, 04:37 PM

Originally posted by diamondsw:
Thank you for increasing your post count by ruining yet another thread.
And thank you for doing the same.
     
Posting Junkie
Join Date: Dec 2000
Jan 10, 2003, 05:25 PM

*ignoring Guy Incognito*

Originally posted by Graymalkin:
If you want to strip the internet-enable functionality of a DMG you can use hdiutil to do so. Internet-enable is just a plug-in for DC.

To strip the internet-enable functionality from a DMG enter this into the command line:

hdiutil internet-enable image name -no

You can check DMGs for internet-enable with:

hdiutil internet-enable image name -query

Replace the -no flag with a -yes flag to obviously turn a DMG into an internet-enabled one. You can also use the -srcimagekey, -encryption, -passphrase, -verbose, and -quiet flags to work with images.
Thank you! This is exactly what I wanted to know. Using these commands I have turned a normal DMG into an Internet-enabled DMG and verified that it is indeed a simple file copy and not an auto-run script, and I feel much better about this now. Thanks!

Now, to figure out why the X11 download launches the installer automatically. I notice that it only happens when I download the file with Safari, and that it doesn't seem to occur when I download it with Chimera or when I mount the disk image manually, so it appears to be a Safari feature. Is this feature limited to launching package installers, or can it launch any arbitrary file on the image? If the latter, is there any way to turn it off? Disabling the 'open "safe" files after downloading' stops the behavior, but it also stops mounting of the image entirely.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
   