Re: Access to /usr/local from installer plug-in
Re: Access to /usr/local from installer plug-in
- Subject: Re: Access to /usr/local from installer plug-in
- From: Iceberg-Dev <email@hidden>
- Date: Wed, 9 Dec 2009 22:23:23 +0100
On Dec 9, 2009, at 9:43 PM, Bill Coderre wrote:
On Dec 9, 2009, at 11:38 AM, Stanislav Kolar wrote:
Hello,
I have to write an installer plug-in that asks for some initial
information during the installation process and saves them as a
xml file into /usr/local/my_dir directory.
The problem is that in the method "shouldExitPane" I don't have an
appropriate rights to modify anything in the directory /usr/local...
Is there a solution of my problem ?
In an install that requires Admin privileges, Installer panes run
as the logged in user, so you have to write your info someplace
that THAT user can access.
The only good choice is /tmp in some known filename, and then have
a preflight or postflight write the info into /usr/local. (You
can't use mktemp to generate a temp file securely, because your
preflight and postflight need to know the name of the temp file.)
This presents a security risk. (For instance, some badguy knows you
will be writing into /tmp/MySecretFile, so they create a symlink at
that location, and point it to /kernel.)
Not sure to understand where the security risk is here.
/mach_kernel is root:wheel 644. So if you try to write something into
it from the plugin, you won't be able to. The issue could be that
someone replaces the contents of the MySecretFile after it has been
written and before it has been read by the script. In this case, it
might just be easier to modify the installation script to do some
very bad things.
I could be missing something.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden