
Does software installation pose a security risk?
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Mar 25, 2005, 08:56 AM
 
One feature of OS X that increases security is the fact that you must provide an admin password to install most software. However, when Installer first launches, it almost always says it needs to run a program, to which I just blindly click OK. Does anyone know what's going on when it does this? Is it possible that someone could get Installer to run something dangerous at this point?

Chris
     
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Mar 25, 2005, 09:09 AM
 
You can run anything. But since you are willing to run the software anyway (if there weren't an installer you would have just double-clicked), I don't see any practical security risk.

Don't run software from untrusted sources. That's the only thing that will protect you from trojans (aside from examining the source code).
     
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Mar 25, 2005, 09:16 AM
 
I'll say this much.... OS X's installer is much more uniform than XP's

Try this.. make a Power User account on XP... try to install QuickTime... no go like it should... now try and install RealPlayer... goes right through and installs it. POS.

The only thing that worries me is that you can download a program w/o an installer on the Mac... you could do the same thing for Windows though too... that's the real worry.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Mar 25, 2005, 09:54 AM
 
Originally posted by Tyler McAdams:
The only thing that worries me is that you can download a program w/o an installer on the Mac...
Why is that worrisome? It couldn't do anything more than an app that you installed could.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Clinically Insane
Join Date: Nov 1999
Mar 25, 2005, 10:19 AM
 
Originally posted by Tyler McAdams:
The only thing that worries me is that you can download a program w/o an installer on the Mac... you could do the same thing for Windows though too... that's the real worry.
It shouldn't be. If a program doesn't use a standard installer and doesn't ask for a password, then it can't do anything that an unauthenticated user couldn't do. Period, end of sentence. As such, these are not generally severe security risks.

On the other hand, is it possible that I'm misunderstanding something? Are you saying that all programs should require an Administrator password before the OS will allow them to run for the first time?
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Mar 25, 2005, 01:26 PM
 
Originally posted by Tyler McAdams:
I'll say this much.... OS X's installer is much more uniform than XP's

Try this.. make a Power User account on XP... try to install QuickTime... no go like it should... now try and install RealPlayer... goes right through and installs it. POS.

The only thing that worries me is that you can download a program w/o an installer on the Mac... you could do the same thing for Windows though too... that's the real worry.
Programs that do not require installers are preferable, and Apple has always promoted not using installers unless necessary. Installers can be rude (spewing files in various places), and if they require admin passwords they can modify system files. The application bundle is much better than mandatory installers. You know precisely where the application is, because you as the user placed it there, and it's self contained. When you want to get rid of it, you drag the single application icon to the Trash. Very functional and in great accord with the Mac Way. Beyond that installers on OS X suck, including Installer. Third party installers are still brain dead (either VISE or worse), and Installer is said to erroneously modify permissions. I know you're looking for installation consistency, but the best way to do that is to promote applications being packaged as bundles.

It would also be a significant step backward for Apple to require the admin password for every application installation, because you would not have any way of determining which programs were mucking around with the system. My brother downloaded and wanted to try America's Army, and even though it came with a rather dumb installer it did its job correctly under my brother's non-admin account. That's the way it should be. Normal users should have the ability to install applications. And if they happen to install malicious code as normal users, that code will only be able to trash their user rather than the whole system. If, instead, each installation required an admin password, that would either prevent normal users from actually using their Macs, or it would prompt owners to make all users admin users. It would make us less secure from that standpoint, and the fact that those apps would then have administrator access would make us much less secure. Requiring the admin password is properly reserved for only those special installation cases in which administrator rights are needed.

Now, if you mean that all applications should ask for some sort of authorization before they are copied or installed on to a drive, I have less of a problem with that suggestion. BUT, if that were to be the case, Apple would have to clearly delimit the distinction between normal authorization and administrator rights authentication. Perhaps Apple could allow the admin to check in System Preferences "Prompt users to authorize all software installations." Then when an app would be copied or an installer would open, a dialog box would say something along the lines of "You are attempting to install new software on your Mac using the Finder (or <x installer>). Would you like to continue?" That would just be an idiot warning in case some malicious app tried to sneak something past the user. I would not prompt for a password in this circumstance, because that would be too similar to administrator authentication.
(Last edited by Big Mac; Mar 25, 2005 at 01:51 PM. )

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Posting Junkie
Join Date: Dec 2000
Mar 25, 2005, 01:59 PM
 
Shorter version: Running any installer that asks for an admin password necessarily poses a security risk. Because you gave it your admin password, it can run as root, and basically do whatever it wants. Therefore, you should obviously make sure you trust the source before running an installer for some app.

Fortunately, most apps for Mac OS X these days are drag-and-drop installations which do not require either an installer or an uninstaller. It's one of the best things about OS X, actually.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
chabig  (op)
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Mar 25, 2005, 06:27 PM
 
I just wonder what the installer is doing when it says it needs to run a program before it can install the software.

Chris
     
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Mar 25, 2005, 06:34 PM
 
Originally posted by chabig:
I just wonder what the installer is doing when it says it needs to run a program before it can install the software.

Chris
I don't follow. . . You're talking about Apple's Installer? Most software is installed through a simple copy of the application bundle. Few third party applications use Apple's Installer. If you are giving a program your administrator password, it has administrative rights to do with what it wishes.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Mar 25, 2005, 07:02 PM
 
Originally posted by chabig:
I just wonder what the installer is doing when it says it needs to run a program before it can install the software.
Exactly what it says? It's running a program to ensure that your system is ready for installation, I'd think.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Mar 25, 2005, 07:07 PM
 
Originally posted by Tyler McAdams:
I'll say this much.... OS X's installer is much more uniform than XP's

Try this.. make a Power User account on XP... try to install QuickTime... no go like it should... now try and install RealPlayer... goes right through and installs it. POS.

The only thing that worries me is that you can download a program w/o an installer on the Mac... you could do the same thing for Windows though too... that's the real worry.
Actually you're pretty much seeing the same thing on Windows XP that you are on OS X. RealPlayer's installer doesn't do anything that a basic user can do, so it doesn't need authorization to run. See Millenium's post above - it's the same concept.

The biggest difference is that with Windows, a program needs to hook into so many different things that are part of the OS, that it needs something that can reliably hook those hooks, put the files where they can be found, etc. Every OS X program I've installed has seemed to basically unstuff itself, make a new folder, put itself there, and say "Thanks!" I'm sure that there are other things going on in the background, but without the infamous Registry to track, register, inspect, detect, reject, inject and otherwise induct a program, it's a lot smoother.
Glenn -----
OTR/L, MOT, Tx
     
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Mar 25, 2005, 07:21 PM
 
Originally posted by chabig:
I just wonder what the installer is doing when it says it needs to run a program before it can install the software.
It's running a script or program that comes inside the installer package. That could be anything. Checking for required hardware or software, checking or deleting previous versions of the software, checking serial numbers, deleting external partitions, launching a Tetris game so you don't get bored during installation, etc. pp.
     
Mac Elite
Join Date: Feb 2001
Location: Vancouver, WA
Mar 25, 2005, 08:58 PM
 
Originally posted by chabig:
I just wonder what the installer is doing when it says it needs to run a program before it can install the software.
The Mac OS X installer architecture has always provided package authors with the ability to run a program (usually a shell script, but it could be any kind of script or even a binary executable) to determine whether the package should be installable. For example: if you download the 10.3.7 -> 10.3.8 update instead of the "combo" 10.3.8 update, it checks to make sure you're on 10.3.7; update or addon installers for some of Apple's apps check to make sure you have an eligible app installed; some app updaters want to make sure you aren't running the app first; etc. By allowing arbitrary program execution, the installer architecture isn't limited in the kinds of checks it can perform to determine whether a package can be installed.

While Installer allowing arbitrary program execution may sound good from a package author's perspective, it does open the possibility to malicious code being hidden in an installer package. These programs/scripts get run with your user privileges, not admin privileges (since they run before the installer prompts for admin authentication), so they can't totally hose your system... but that doesn't mean they could do all sorts of other nasty things, like deleting files in your home folder.

Safari and the "internet-enabled" disk image format introduced the ability for Installer packages to be automatically opened upon downloading, so they added this warning in 10.3. It doesn't really present a question you can usefully answer (since it's hard to know for sure whether any given package will run a good script or a bad script), but it does prevent potentially malicious code from being automatically executed as the result of clicking a link in a web page.
Rick Roe
icons.cx | weblog
     
Mac Elite
Join Date: Oct 2000
Location: Memphis, Tn. USA
Mar 25, 2005, 09:44 PM
 
Originally posted by TETENAL:
It's running a script or program that comes inside the installer package. That could be anything. Checking for required hardware or software, checking or deleting previous versions of the software, checking serial numbers, deleting external partitions, launching a Tetris game so you don't get bored during installation, etc. pp.

I agree that is why it is so dangerous to download software using peer to peer networks like Limewire etc.... That download of Tiger may EAT YOUR HARD DRIVE!
     
Mac Elite
Join Date: Jan 2002
Location: California
Mar 27, 2005, 07:09 PM
 
This is what I don't understand: Why is it that sometimes OS X prompts me to input my admin password when installing apps, and sometimes it does not? What determines whether or not that prompt appears?
MacBook Pro
Mac Mini
     
Posting Junkie
Join Date: Dec 2000
Mar 27, 2005, 07:18 PM
 
Originally posted by Macpilot:
This is what I don't understand: Why is it that sometimes OS X prompts me to input my admin password when installing apps, and sometimes it does not? What determines whether or not that prompt appears?
What determines whether or not the prompt appears is the IFPkgFlagAuthorizationAction setting in the package's Info.plist file inside its bundle.

Why this is necessary is that some installers need to put stuff in places that only root should be able to write to, such as /usr/local/bin, /etc, or God forbid, /System/Library/Extensions. Other installers don't need root, but they write to admin-writable places like /Applications or /Library, so they ask for the password just in case you're logged in as a non-admin user. The reason the password is required so often with package installers is because usually if you don't need authorization, you don't need a package installer. Drag-and-drop installations usually are perfectly fine for those cases.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
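
Added example, not part of the original thread: a Python sketch that reads IFPkgFlagAuthorizationAction from a bundle-style package's Info.plist and lists the executables Installer may run, separating those run before the password prompt (the case Rick Roe describes above) from those run during installation. The script file names and the Contents/Resources layout are assumptions based on the legacy bundle package format, not taken from the thread, and the sample package is constructed.

```python
import os
import plistlib
import tempfile

# Assumed script names from the legacy bundle-style .pkg format (not from the thread).
PRE_AUTH = ("InstallationCheck", "VolumeCheck")  # the "needs to run a program" step
INSTALL_TIME = ("preflight", "preinstall", "preupgrade",
                "postinstall", "postupgrade", "postflight")
ELEVATED = ("AdminAuthorization", "RootAuthorization")


def interpreter_of(path):
    """Return the shebang interpreter, or a marker for binaries/unknown files."""
    with open(path, "rb") as fh:
        first = fh.read(128).split(b"\n", 1)[0]
    if first.startswith(b"#!"):
        return first[2:].decode("ascii", "replace").strip()
    return "binary or unknown"


def audit_pkg(pkg_path):
    """Report the requested authorization and every script the package carries."""
    with open(os.path.join(pkg_path, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    auth = info.get("IFPkgFlagAuthorizationAction", "unspecified")
    resources = os.path.join(pkg_path, "Contents", "Resources")
    scripts = {}
    names = sorted(os.listdir(resources)) if os.path.isdir(resources) else []
    for name in names:
        full = os.path.join(resources, name)
        if not os.path.isfile(full):
            continue
        if name in PRE_AUTH:
            # Runs before authentication, so with the logged-in user's rights.
            phase, runs_as = "before password prompt", "user"
        elif name in INSTALL_TIME:
            phase = "during install"
            runs_as = "elevated" if auth in ELEVATED else "user"
        else:
            continue
        scripts[name] = {"phase": phase, "runs_as": runs_as,
                         "interpreter": interpreter_of(full)}
    return {"authorization": auth, "scripts": scripts}


def build_sample_pkg(root, auth):
    """Create a constructed sample package (not a real product) for the demo."""
    pkg = os.path.join(root, "Sample.pkg")
    res = os.path.join(pkg, "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(pkg, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"IFPkgFlagAuthorizationAction": auth}, fh)
    files = {"InstallationCheck": "#!/bin/sh\nexit 0\n",
             "postflight": "#!/usr/bin/perl\nexit 0;\n",
             "ReadMe.txt": "not a script\n"}
    for name, body in files.items():
        with open(os.path.join(res, name), "w") as fh:
            fh.write(body)
    return pkg


def demo(auth="RootAuthorization"):
    with tempfile.TemporaryDirectory() as tmp:
        return audit_pkg(build_sample_pkg(tmp, auth))


if __name__ == "__main__":
    report = demo()
    print("authorization:", report["authorization"])
    for name, meta in report["scripts"].items():
        print(f"{name}: {meta['phase']}, runs as {meta['runs_as']}, {meta['interpreter']}")
```

Anything listed as "before password prompt" is what to read before clicking through the warning; the "elevated" entries are the ones that matter once a password has been entered.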
     
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Mar 27, 2005, 09:28 PM
 
On the other hand, is it possible that I'm misunderstanding something? Are you saying that all programs should require an Administrator password before the OS will allow them to run for the first time?
What I'm saying is that from a LAN Administrator's POV a program that does not ask for any rights to install is a security violation and a breach of policy. From the end-user POV, which I believe everybody here is referring from, it is a step backward... in that you no longer have the freedom of non-authentication. Part of the security model of an OS that is designed to use an installer is create a system of authentication that is standardized (which is what XP attempts) and multifaceted such that not only does one need proper rights they also need a proper installation method. (Authentication through the registry and the registration of application components in their proper place.) Basically, you should have the ability to lock down your users' choices and the ability to arbitrarily download *any* executable to be run it as they see fit... obviously modified executables being a managed threat. This also implies that the administrator uses the installer as a tool to verify who gets rights to the installed application also.
(Last edited by Tyler McAdams; Mar 27, 2005 at 09:56 PM. )
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Mar 27, 2005, 09:48 PM
 
How is this better than the managed-users system in OS X? It sounds like it offers the same benefits with some needless rigidity.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Mar 27, 2005, 10:06 PM
 
Once again it depends on your point of view. Such a system makes it much easier to manage large networks with complex systems. Registry and installer logs along with a *system* managed installer help bring forth a standard for which process can be made easily repeatable and predictable across your entire infrastructure. This makes it much easier to inventory your domains and thus bring control to the administrator. Obviously, this is a rather complex task, but facilities such as driver and application certification help enforce the policies you see fit along with security measures such as outlawing certain executables through anti-virus... plus static and realtime filesystem proofs through programs such as tripwire. Obviously, if you're just talking about your own system, and granted, you're mature enough to understand Admin rights, this makes less sense... but as the more complex your responsibility set gets it brings the power back to you instead of your users who might be surfing porn all day downloading virus after virus file sharing and whatnot. All and all package management should be a responsibility of the OS... Red Hat has done an excellent job with the rpm standard even though people do tend to bitch about the rigidity of it... but once you know why it becomes clear that it makes a great tool.
(Last edited by Tyler McAdams; Mar 27, 2005 at 10:15 PM. )
     
Professional Poster
Join Date: Jun 2003
Location: Hyrule
Mar 27, 2005, 10:17 PM
 
I smell a buzzword whore.
Aloha
     
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Mar 27, 2005, 10:27 PM
 
And I loved you in Sole Caliber
     
chabig  (op)
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
Mar 28, 2005, 11:56 AM
 
Originally posted by TETENAL:
It's running a script or program that comes inside the installer package. That could be anything.
That's my point. We don't know exactly what this program might do, so it's kind of pointless to ask for my permission to run if I don't have any knowledge about what it's going to do.

For all I know, the "program" could wipe out my home directory. You don't need an admin password for that.

Chris
     
Grizzled Veteran
Join Date: Apr 2001
Mar 28, 2005, 02:31 PM
 
That's my point. We don't know exactly what this program might do, so it's kind of pointless to ask for my permission to run if I don't have any knowledge about what it's going to do.

For all I know, the "program" could wipe out my home directory. You don't need an admin password for that.
Correct.

This is not a new issue and it's not an issue that's unique to the Mac.

In fact, Unix security diehards will tell you that before you install anything, you should read all scripts associated with the installation, and if the source code is available, read the source code to the application.

When installing a program on Linux, Solaris, OS X or any other Unix, it would be trivial for the author to set up the Makefile to do a "rm -rf *" in your home dir. Or to distribute a ./configure script that deletes your home dir.

Now, we all know how impractical reading Makefiles, scripts and source code is in most cases. So, you're better off taking some common-sense precautions:

1) Wait until reports come in on any wildly popular program that someone told you you just HAVE to have

2) Never, ever, install any software off of any sharing network. Always download from reputable sites.

Wade
     
Mac Elite
Join Date: Feb 2002
Location: Hilton Head, SC
Mar 29, 2005, 02:31 AM
 
Here is one solution that tries to control the OS on the network through a virtual machine that is managed by the Admin but can be run on any PC. That way only the controlled VM environment actually sees and connects to the infrastructure network. It's supposed to basically give the Admin complete control over the OS build and the applications, drivers, versions...etc

http://vmware-svca.www.conxion.com/s.../ace/demo.html
     
Mac Elite
Join Date: Oct 2000
Location: Memphis, Tn. USA
Mar 29, 2005, 10:05 AM
 
Originally posted by wadesworld:
Correct.
......

2) Never, ever, install any software off of any sharing network. Always download from reputable sites.

Wade

I think some software developers will soon be using this "technique" to kill software theft.

Just like STDs (sexually transmitted disease) slowed down some sexual contact (or caused people to use protection!), smart users will be more cautious what they install!
     
Clinically Insane
Join Date: Nov 1999
Apr 13, 2005, 06:24 AM
 
Come to think of it, why don't you just have your users run as non-Administrator-class users, and keep the Admin passwords to yourself?

By doing this, users won't be able to drag apps into /Applications (unless they have the Admin password), which makes it basically equivalent to what you're asking for. Of course, the large amount of software that doesn't need to be in /Applications will still be able to run, but they'll be restricted to living in the user's Home folder (and possibly /Users/Shared).
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
   