Portfile magic / xinstall usage / defect?

Frank Stock fstock at bytelightning.com
Wed Dec 13 02:51:28 UTC 2023


>let's first confirm that pkgbuild and Installer.app behave this way
Confirmed :-)

I’ve attached a few files to this email, but don’t know if attachments work for the mailing list or not.

Summary:
pkgutil defaults all ownership to root:wheel *unless* the "--ownership preserve" flag is explicitly specified (it is not for MacPorts mpkg).
pkgutil only “preserves” ownership by uid/gid, so target ownership can get cross-mapped if ids are not perfectly aligned and orphaned if non-existent.
The risk of cross-mapping is quite likely. Given the nature of ports which do specify dedicated users, this presents a significant security risk (when using .pkg installers).

Testing approach:
I used the brotli-1.0.9_2-component.pkg created from a "port mpkg brotli" command as a starting basis.
Exploded to a temp directory using pkgutil "--expand-full" flag.
Created 3 new users with ids selected for the test.
Gave ownership of each file inside "include/brotli/*.h" to the 3 new accounts (and ownership of the 4th file to the current user).
Rebuilt the package (from exploded dir) twice.
Once with the default "--ownership recommended" and once with "--ownership preserve".
Moved the two packages to a target machine.
Pacifist on the target machine immediately showed the problem.
“recommended” had all files owned as root:wheel
“preserve” had all files owned by a number:number (no names).
Created two of the three accounts on the target machine, left the third undefined, and gave what had been the 3rd id to the 2nd account as its uid/gid.
(In other words, I intentionally cross-mapped the accounts)
Relaunched Pacifist and verified that three's file now showed as belonging to two, and two's file just displayed a number.
To head off any potential questions :-) yes, I also ran the actual macOS Installer and validated that what was installed in each scenario matched Pacifist display.

I’ve attached a .txt file (tst-pkg-file-owners.txt) with the commands and results described above.
I’ve also attached a bash and zsh compatible script (user-group-utils.sh) for creating users and groups as well as adding users to a group (which probably is not needed).
Parts of the shell script were written by referring to handle_add_users proc in the MacPorts Tcl.
Also attached is a little utility script (tst-pkg-file-owners.sh) to make it easy to create users for this specific test.

Proposal:
Since MacPorts has existing support for specifying *.pkg pre/post install scripts, we probably can’t just auto-magically handle all of this every time.
But I think we could get close.
Detect the presence of add_users in the Portfile, and *IF* present,
	1. Stick the shell script I’ve attached (user-group-utils.sh or something like it) in the installer's 'Scripts' directory
	2. Generate a create-users.sh script that would call the functions in #1 to create needed accounts (group first, then user).
	3. Document how to call the *generated* "create-users.sh" script from a user-supplied pre-install script.
	4. If the Portfile does not specify a pre-install script, generate one which in turn calls "create-users.sh" (e.g. . "$(dirname "$0")/create-users.sh").

-Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: user-group-utils.sh
Type: application/octet-stream
Size: 6873 bytes
Desc: not available
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20231212/38be40f4/attachment.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tst-pkg-file-owners.txt
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20231212/38be40f4/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tst-pkg-file-owners.sh
Type: application/octet-stream
Size: 1581 bytes
Desc: not available
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20231212/38be40f4/attachment-0001.obj>
-------------- next part --------------

> On Dec 9, 2023, at 11:45 PM, Joshua Root <jmr at macports.org> wrote:
> 
> On 10/12/2023 16:33, Frank Stock wrote:
>> So every macOS installer that expects certain ownership needs a pre/post install script that ensures the expected users exist (or creates them). It should then explicitly set ownership of files with non-default ownership.
> 
> Well let's first confirm that pkgbuild and Installer.app behave this way when configured appropriately. If the users and groups do have to be created by custom code in the pkg, doing it in preflight should result in the files being created correctly by the installer with no further intervention.
> 
> - Josh
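
The two checks a practitioner would want around the test above, as an added example (editor's code, not from the e-mail, its attachments or MacPorts): audit_owners takes the numeric uid/gid a "--ownership preserve" pkg records in its Bom, the ownership the Portfile intended, and the accounts present on the install target, and reports per file whether the owner resolves to the intended name, to nobody (orphaned), or to a different account (cross-mapped). ensure_account is the preflight step a generated create-users.sh could run: create the group, then the user, but refuse when the numeric id is already held by another name instead of silently producing the cross-mapping the e-mail demonstrates. The sample Bom lines, account names, ids and header paths are constructed to mirror the reported scenario; the lsbom/dscl collectors assume standard macOS tools and attribute names and are not exercised by the self-test.

```shell
#!/bin/sh
# Editor's added example, not code from the e-mail, its attachments or MacPorts.
# (1) audit_owners: given the uid/gid a "--ownership preserve" pkg carries and
#     the accounts on the install target, report which files would end up
#     orphaned (no such id) or cross-mapped (id belongs to someone else).
# (2) ensure_account: the preflight step a generated create-users.sh would run,
#     creating group then user and refusing when an id is already taken.
# All names, ids and paths below are constructed for illustration.

# audit_owners BOM INTENDED PASSWD GROUP
#   BOM      "uid<TAB>gid<TAB>path" lines, the format of `lsbom -p ugf <expanded>/Bom`
#   INTENDED "path user group" lines, the ownership the Portfile's add_users implies
#   PASSWD   "name:x:uid:gid" lines and GROUP "name:x:gid" lines for the target host
audit_owners() {
    awk -v bom="$1" -v want="$2" -v pw="$3" -v gr="$4" '
    BEGIN {
        n = split(pw, a, "\n")
        for (i = 1; i <= n; i++) { split(a[i], f, ":"); if (f[1] != "") uname[f[3]] = f[1] }
        n = split(gr, a, "\n")
        for (i = 1; i <= n; i++) { split(a[i], f, ":"); if (f[1] != "") gname[f[3]] = f[1] }
        n = split(want, a, "\n")
        for (i = 1; i <= n; i++) { split(a[i], f, " "); if (f[1] != "") { wu[f[1]] = f[2]; wg[f[1]] = f[3] } }
        n = split(bom, a, "\n")
        for (i = 1; i <= n; i++) {
            split(a[i], f, "\t"); if (f[3] == "") continue
            uid = f[1]; gid = f[2]; path = f[3]
            if (!(uid in uname))             us = "orphaned(" uid ")"
            else if (uname[uid] == wu[path]) us = "ok"
            else                             us = "cross-mapped(" uname[uid] ")"
            if (!(gid in gname))             gs = "orphaned(" gid ")"
            else if (gname[gid] == wg[path]) gs = "ok"
            else                             gs = "cross-mapped(" gname[gid] ")"
            printf "%s user=%s group=%s\n", path, us, gs
        }
    }'
}

# macOS-only collectors for a real package (not run by the self-test):
#   pkgutil --expand brotli-1.0.9_2-component.pkg /tmp/brotli-pkg
#   audit_owners "$(bom_owners /tmp/brotli-pkg)" "$INTENDED" "$(mac_passwd_table)" "$(mac_group_table)"
bom_owners()       { lsbom -p ugf "$1/Bom"; }
mac_passwd_table() { dscl . -list /Users UniqueID        | awk '{ print $1 ":*:" $2 ":0" }'; }
mac_group_table()  { dscl . -list /Groups PrimaryGroupID | awk '{ print $1 ":*:" $2 }'; }

# ensure_account USER UID GROUP GID (macOS, run as root from a preinstall script).
# Uses the standard dscl attributes for a system account, but first checks that
# the numeric id is free or already ours, so the installer never lays files
# down under a stranger's account.
ensure_account() {
    u=$1; uid=$2; g=$3; gid=$4
    cur=$(dscl . -list /Groups PrimaryGroupID | awk -v id="$gid" '$2 == id { print $1 }')
    if [ -n "$cur" ] && [ "$cur" != "$g" ]; then
        echo "gid $gid already belongs to $cur; refusing to create $g" >&2; return 1
    fi
    [ -n "$cur" ] || { dscl . -create "/Groups/$g" && dscl . -create "/Groups/$g" PrimaryGroupID "$gid"; } || return 1
    cur=$(dscl . -list /Users UniqueID | awk -v id="$uid" '$2 == id { print $1 }')
    if [ -n "$cur" ] && [ "$cur" != "$u" ]; then
        echo "uid $uid already belongs to $cur; refusing to create $u" >&2; return 1
    fi
    [ -n "$cur" ] && return 0
    dscl . -create "/Users/$u" &&
    dscl . -create "/Users/$u" UniqueID "$uid" &&
    dscl . -create "/Users/$u" PrimaryGroupID "$gid" &&
    dscl . -create "/Users/$u" UserShell /usr/bin/false &&
    dscl . -create "/Users/$u" NFSHomeDirectory /var/empty &&
    dscl . -create "/Users/$u" Password '*'
}

# Constructed sample reproducing the e-mail's scenario: the packaging host had
# one=1501, two=1502, three=1503 and the builder at 501; the target has
# one=1501, two=1503 (ids deliberately swapped), no "three", and someone else at 501.
SAMPLE_BOM=$(printf '1501\t1501\t./include/brotli/decode.h\n1502\t1502\t./include/brotli/encode.h\n1503\t1503\t./include/brotli/port.h\n501\t20\t./include/brotli/types.h')
SAMPLE_WANT='./include/brotli/decode.h one one
./include/brotli/encode.h two two
./include/brotli/port.h three three
./include/brotli/types.h builder staff'
TARGET_PASSWD='root:*:0:0
jdoe:*:501:20
one:*:1501:1501
two:*:1503:1503'
TARGET_GROUP='wheel:*:0
staff:*:20
one:*:1501
two:*:1503'

audit_owners "$SAMPLE_BOM" "$SAMPLE_WANT" "$TARGET_PASSWD" "$TARGET_GROUP"
```

Run on the sample, decode.h comes back ok, encode.h orphaned on both uid and gid (the id 1502 exists nowhere on the target), port.h cross-mapped to "two" (the swapped id), and types.h cross-mapped to whoever holds uid 501 on the target, which is exactly the failure the fourth, builder-owned file would show in practice. The audit is the check to run before trusting a preserve-ownership installer on a machine you did not build on; ensure_account is what has to run in preflight so the ids the Bom carries resolve to the intended names when the Installer lays the payload down.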
