On Sat, Aug 14, 2010 at 2:37 AM, Monte Benaresh <monte@paceap.com> wrote:
Hello All,
One of our installers installs a daemon to /Library/PrivilegedHelperTools/. I have written a bash script to enforce the security recommendations in TN2083, which says that this directory, and all of its parents, must have certain permissions and must be owned by "root" in order to prevent an unauthorized process from substituting their own daemon in place of ours.
Our problem is, one of our Beta users has "/" owned by "_spotlight", and so we fail to install due to the security checks in our preflight script as alluded to above. Disk Utility does not repair this problem.
We are concerned that this will be a support issue, so our questions are:
1. Can we securely allow "/" to be owned by other than "root"?
No.
2. Is it permissible for us to change the owner of "/" to "root"?
3. If either /Library/ or Library/PrivilegedHelperTools/ is not owned by "root" is it permissible for us to change the owner to "root"?
This could be done either using the Overwrite directory permissions flag or through a postinstall script. The problem you may need to consider is that by reverting the owner to root, you may enable some unwanted (bad) process to run.
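
Added example, not part of the original thread and not the poster's script: a sketch of the kind of preflight check described above, which audits a directory and every parent for the expected owner and reports each offender, such as a "/" owned by a non-root account. The function names, and the reading of "certain permissions" as "not writable by group or other", are assumptions.

```shell
#!/bin/sh
# Added example (constructed): audit a directory and all of its parents.
# Assumption: the required permissions are "no write bit for group or other".

# check_dir DIR WANT_UID: 0 if DIR is owned by WANT_UID and is not
# group/other writable; prints a FAIL line and returns 1 otherwise.
check_dir() {
    ls_out=$(ls -ldn "$1") || return 2
    # ls -ldn fields: mode string, link count, numeric uid, ...
    read -r mode links uid rest <<EOF
$ls_out
EOF
    if [ "$uid" != "$2" ]; then
        echo "FAIL $1: owner uid $uid, expected $2"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $1: mode $mode is group/other writable"
            return 1 ;;
    esac
}

# check_chain DIR WANT_UID [TOP]: check DIR and each parent up to TOP
# (default /). Symlinks are resolved first so the real chain is audited.
check_chain() {
    dir=$(cd -P "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot resolve"; return 2; }
    top=$(cd -P "${3:-/}" 2>/dev/null && pwd -P) || return 2
    rc=0
    while :; do
        check_dir "$dir" "$2" || rc=1
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Runs only when arguments are given, e.g.:
#   sh audit.sh /Library/PrivilegedHelperTools 0
[ $# -eq 0 ] || check_chain "$@"
```

The check only reports; it changes nothing on disk, so the decision about whether to repair ownership stays with the installer author.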