One thing I really want to do is to have a preflight decide something, and a postflight act on the result.
As it stands, I cannot do that perfectly and safely, because my preflight script would have to drop a cookie file for the postflight to read, and that means the postflight has to know the name of the cookie file. Since they can't communicate, the name has to be hardcoded into the scripts.
That means that a malicious unprivileged user can mess with my script by creating a file or symlink in /tmp with my cookie file's name. If my installer is not super-careful, for instance, it could do touch on a symlink to some special file in the land of sudo, and suddenly, the malicious unprivileged user can sudo.
That sucks. Currently, I avoid this in iLife by going to great pains not to use touch, but rather to attempt to open the cookie file in an exclusive create mode, so if it was already there, I can either leave it alone, or delete it and create it afresh.
Wouldn't it be great if the installer provided some form of shared storage that could be set and read by installer scripts but not by the rest of the world? (somewhat like a refCon)
In the preflight, I could record some arbitrary information. During postflight, I could read it. Since both scripts are handed the refCon by the installer, it can allocate the storage in a known-safe way, and the scripts wouldn't even have to know what's going on. I frankly don't care what the mechanism is, as long as it can't be predicted by outside processes, and as long as it's big enough to store, for example, a pathname to a unix file which I could then create using maketemp.
Ideally, the refCon would be accessible as early as during the distribution script, and be kept alive for all the installers running in the same mpkg.
Are we addressing this in Leopard? I think there's some radar bugs about it already.
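The exclusive-create approach described above, as an added example that is not part of the original post: a preflight that will only ever create the hardcoded cookie with O_EXCL semantics (never following a pre-planted file or symlink), and a postflight that checks ownership, type and mode before reading it. The cookie path and the value passed through it are assumptions; both scripts are assumed to run as the same (root) user.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers an installer's
# preflight/postflight pair could share to pass a value through a cookie
# file whose name is hardcoded and therefore guessable by other users.

# Write VALUE into COOKIE using exclusive create. With noclobber (set -C)
# the shell opens with O_CREAT|O_EXCL, which fails on an existing file
# AND on a symlink, so a pre-planted link is never followed or truncated.
preflight_write_cookie() {
    cookie=$1; value=$2
    # Refuse anything already at the path instead of unlinking it: the
    # directory may be world-writable, and deleting then creating races.
    if [ -L "$cookie" ] || [ -e "$cookie" ]; then
        echo "preflight: refusing to use pre-existing $cookie" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                         # only the owner can read the cookie
    set -C                            # noclobber: exclusive create
    if ! printf '%s\n' "$value" > "$cookie" 2>/dev/null; then
        set +C; umask "$old_umask"
        echo "preflight: lost the race creating $cookie" >&2
        return 1
    fi
    set +C; umask "$old_umask"
    return 0
}

# Read the cookie back only if it is a regular file (not a symlink), owned
# by the user running this script, and not writable by group or others.
# In a sticky /tmp an unprivileged user cannot replace another user's file,
# so a cookie that passes these checks was written by the preflight.
postflight_read_cookie() {
    cookie=$1
    [ ! -L "$cookie" ] && [ -f "$cookie" ] || return 1
    me=$(id -un)
    # POSIX find prints the path only if every predicate holds.
    ok=$(find "$cookie" -prune -user "$me" ! -perm -g+w ! -perm -o+w -print)
    [ -n "$ok" ] || return 1
    cat "$cookie"
}
```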