Portfile magic / xinstall usage / defect?

Frank Stock fstock at bytelightning.com
Wed Dec 13 17:47:23 UTC 2023


Got so focused on uid/gid confirmation and creation that I forgot the second part of the Proposal.

Once the preinstallation script has set up users, the installer will still install using root:wheel ownership (if defaulted to “recommended”) *or* if explicitly “preserve” it will assign potentially invalid uid/gids.
So either way, file ownership still needs to be “fixed”.
I noticed in a link Josh provided earlier in the thread that the Tcl code has an ‘mtree’ variable which I assume is similar in purpose to the actual ‘mtree’ command line tool (used by BSD itself to configure the distribution).
I would suggest we either use the Tcl ‘mtree’ or mtree itself to produce an mtree compatible description of the file structure, which can then also be stored in the Scripts directory of the installer, and passed to the mtree executable when the post installation script is run.

-Frank

> On Dec 12, 2023, at 7:51 PM, Frank Stock <fstock at bytelightning.com> wrote:
> 
>> let's first confirm that pkgbuild and Installer.app behave this way
> Confirmed :-)
> 
> I’ve attached a few files to this email, but don’t know if attachments work for the mailing list or not.
> 
> Summary:
> pkgutil defaults all ownership to root:wheel *unless* the "--ownership preserve" flag is explicitly specified (it is not for MacPorts mpkg).
> pkgutil only “preserves” ownership by uid/gid, so target ownership can get cross-mapped if ids are not perfectly aligned and orphaned if non-existent.
> The risk of cross-mapping is quite likely. Given the nature of ports which do specify dedicated users, this presents a significant security risk (when using .pkg installers).
> 
> Testing approach:
> I used the brotli-1.0.9_2-component.pkg created from a "port mpkg brotli" command as a starting basis.
> Exploded to a temp directory using pkgutil "--expand-full" flag.
> Created 3 new users with ids selected for the test.
> Gave ownership of each file inside "include/brotli/*.h" to the 3 new accounts (and ownership of the 4th file to the current user).
> Rebuilt the package (from exploded dir) twice.  
> Once with the default "--ownership recommended” and once with "--ownership preserve”
> Moved the two packages to a target machine.
> Pacifist on the target machine immediately showed the problem.
> “recommended” had all files owned as root:wheel
> “preserve” had all files owned by a number:number (no names).
> Created two of the three accounts on the target machine, left the third undefined, and gave what had been the 3rd id to the 2nd account as its uid/gid.
> (In other words, I intentionally cross-mapped the accounts)
> Relaunched Pacifist and verified that three's file now showed as belonging to two, and two's file just displayed a number.
> To head off any potential questions :-) yes, I also ran the actual macOS Installer and validated that what was installed in each scenario matched Pacifist display.
> 
> I’ve attached .txt file (tst-pkg-file-owners.txt) with the commands and results described above.
> I’ve also attached a bash and zsh compatible script (user-group-utils.sh) for creating users and groups as well as adding users to a group (which probably is not needed).
> Parts of the shell script were written by referring to handle_add_users proc in the MacPorts Tcl.
> Also attached is a little utility script (tst-pkg-file-owners.sh) to make it easy to create users for this specific test.
> 
> Proposal:
> Since MacPorts has existing support for specifying *.pkg pre/post install scripts, we probably can’t just auto-magically handle all of this every time. 
> But I think we could get close.
> Detect the presence of add_users in the Portfile, and *IF* present, 
> 	1. Stick the shell script I’ve attached (user-group-utils.sh or something like it) in the installer's ‘Scripts’ directory
> 	2. Generate a create-users.sh script that would call the functions in #1 to create needed accounts (group first then user).
> 	3. Document how to call the *generated* "create-users.sh" script from a user supplied pre-install script.
> 	4. If the Portfile does not specify a pre-install script, generate one which in turn calls “create-users.sh”. (e.g. . "$(dirname "$0")/create-users.sh”)
> 
> -Frank
> 
> <user-group-utils.sh><tst-pkg-file-owners.txt><tst-pkg-file-owners.sh>
>> On Dec 9, 2023, at 11:45 PM, Joshua Root <jmr at macports.org> wrote:
>> 
>> On 10/12/2023 16:33, Frank Stock wrote:
>>> So every macOS installer that expects certain ownership, needs a pre/post install script that ensures the expected users exist (or create them).  It should then explicitly set ownership of files with non-default ownership.
>> 
>> Well let's first confirm that pkgbuild and Installer.app behave this way when configured appropriately. If the users and groups do have to be created by custom code in the pkg, doing it in preflight should result in the files being created correctly by the installer with no further intervention.
>> 
>> - Josh
> 

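An added example, not part of Frank's message and not MacPorts code, of the ownership fix proposed at the top of this mail: record owner and group by name (mtree's uname/gname keywords) when the staging tree is packaged, ship that spec in the installer's Scripts directory, and have the postinstall script resolve the names against the target's accounts. Assumptions of my own: the spec uses mtree's full-path line form ("./path key=value ..."), staging paths contain no whitespace, the file is called ownership.spec, and the users/groups have already been created (the create-users.sh step of the proposal). The names are checked on the target before anything is chowned, so a missing account fails loudly instead of leaving a bare uid the way "--ownership preserve" does.

```shell
#!/bin/sh
# Added example, not MacPorts code.  Ownership spec for a .pkg that survives
# the trip to another machine: record user/group NAMES (mtree's uname/gname
# keywords) at build time, resolve them on the target in postinstall.
# Assumptions: mtree's full-path spec form ("./path key=val ..."), no
# whitespace in staging paths, accounts already created by preinstall.
set -eu

# Portable "owner group mode" for one path (GNU stat vs. BSD/macOS stat).
file_meta() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %OLp' "$1"
}

# kv KEY "k1=v1 k2=v2 ..." -> value of KEY
kv() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

group_exists() {
    if command -v getent >/dev/null 2>&1; then getent group "$1" >/dev/null 2>&1
    elif command -v dscl >/dev/null 2>&1; then dscl . -read "/Groups/$1" >/dev/null 2>&1
    else grep -q "^$1:" /etc/group
    fi
}

# Build side: write_spec STAGING_DIR > ownership.spec
# Refuses a file whose owner or group has no name on the build host: a bare
# number is exactly what "--ownership preserve" ships and cross-maps later.
write_spec() {
    root=$1
    echo "# ownership spec for $root (names, not numeric ids)"
    ( cd "$root" && find . -mindepth 1 | LC_ALL=C sort ) | while IFS= read -r p; do
        set -- $(file_meta "$root/$p")
        case "$1:$2" in
            *UNKNOWN*|[0-9]*:*|*:[0-9]*)
                echo "write_spec: $p is owned by $1:$2, which has no name here" >&2
                exit 1 ;;
        esac
        t=file
        [ -d "$root/$p" ] && t=dir
        [ -L "$root/$p" ] && t=link
        printf '%s type=%s uname=%s gname=%s mode=0%s\n' "$p" "$t" "$1" "$2" "$3"
    done
}

# Target side: apply_spec SPEC PREFIX [dry]
# Every name is verified against the target's accounts first.  Then mtree(8)
# applies the spec where it exists (macOS, the BSDs); otherwise the spec is
# walked with chown/chmod.  "dry" prints the commands instead of running them.
apply_spec() {
    spec=$1; prefix=$2; how=${3:-run}
    status=0
    have_mtree=0
    command -v mtree >/dev/null 2>&1 && have_mtree=1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        path=${line%% *}; rest=${line#* }
        u=$(kv uname "$rest"); g=$(kv gname "$rest"); m=$(kv mode "$rest")
        if ! id -u "$u" >/dev/null 2>&1; then
            echo "apply_spec: user '$u' does not exist on this host ($path)" >&2
            status=1; continue
        fi
        if ! group_exists "$g"; then
            echo "apply_spec: group '$g' does not exist on this host ($path)" >&2
            status=1; continue
        fi
        [ -e "$prefix/$path" ] || [ -L "$prefix/$path" ] || {
            echo "apply_spec: $prefix/$path is missing" >&2; status=1; continue; }
        if [ "$how" = dry ]; then
            printf 'chown -h %s:%s %s\nchmod %s %s\n' "$u" "$g" "$prefix/$path" "$m" "$prefix/$path"
        elif [ "$have_mtree" -eq 0 ]; then
            chown -h "$u:$g" "$prefix/$path"
            [ "$(kv type "$rest")" = link ] || chmod "$m" "$prefix/$path"
        fi
    done < "$spec"
    if [ "$status" -eq 0 ] && [ "$how" = run ] && [ "$have_mtree" -eq 1 ]; then
        mtree -U -p "$prefix" -f "$spec" >/dev/null   # -U corrects rather than reports
    fi
    return "$status"
}
```

At build time, `write_spec "$destroot" > Scripts/ownership.spec` runs on the staging tree; the generated postinstall would then call `apply_spec "$(dirname "$0")/ownership.spec" "$2"`, `$2` being the install destination Installer passes to package scripts. Because the spec carries names, the build and target machines never have to agree on numeric ids, which is the cross-mapping Frank's test demonstrated.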