A Basic Guide to Enterprise Application Distribution
Pages: 1, 2

Pacifist

Pacifist uses a package archive's binary file, package.bom located inside of the archive. This file lists the file or directory path, user (UID), group (GID), permissions, modes, and the checksum of files. It is commonly referred to as the "bill of materials" file. Possible modifications made by installer scripts are not included as part of a .bom file. Tracking an installation in this way allows an enterprise administrator to check for security concerns of, or problems with, the package installer.

Continuing with the previous example, iTunes 4.5, Pacifist presents a more complete set of information.

In this dialog, a more complete set of information about the files being installed is presented. Important pieces of information are shown, including:

• The file's owner
• The group
• Permissions
• File type
• Checksums
• Installation location of the package

Pacifist also allows extraction of individual pieces of the package to a temporary location. However, if the package is extracted in this way, it will not run any scripts that are part of the installation as detected by Installer.

Pacifist can also be used as a replacement for the normal Installer, which can be helpful if you're experiencing problems with the software installation package. Additional advantages include the ability to verify existing installations and compare files of an installed package with the files listed in the package installer. It will also detect missing files and files that have different permissions or checksums, and can update prebinding information, either for the entire hard disk, or for an individual folder.

Command-Line Tracking

The last simple way that a package file can be tracked is by using the command-line utility lsbom. This command-line binary interprets the content of the bill of materials file (pkg.bom), and produces output formatted containing the POSIX path of the entry, its mode (octal), and its UID/GID. The tool also does not list possible modifications made by installer scripts.

lsbom -p MUGTsfc iTunes4.bom

drwxrwxr-t root admin .
drwxrwxr-x root admin ./Applications
drwxrwxr-x root admin ./Applications/iTunes.app
drwxrwxr-x root admin ./Applications/iTunes.app/Contents
-rw-rw-r-- root admin Fri Apr 16 15:30:25 2004 13489 ./Applications/iTunes.app/Contents/Info.plist 412288683
drwxrwxr-x root admin ./Applications/iTunes.app/Contents/MacOS
-rwxrwxr-x root admin Wed Apr 21 16:10:52 2004 4696188 ./Applications/iTunes.app/Contents/MacOS/iTunes 1822652320
-rw-rw-r-- root admin Mon Dec 8 19:25:15 2003 8 ./Applications/iTunes.app/Contents/PkgInfo 187102783
drwxrwxr-x root admin ./Applications/iTunes.app/Contents/Resources



Comparing the information with the graphic dialog from Pacifist, an identical set of information is presented. For more information about the command-line switches, read the manual page, man lsbom. An advantage to using the command-line tool is the ability to read scripts run as part of the installation process. For example, in the iTunes 4.5 installer, a script, iTune4.pre_install is included.

#!/bin/sh

if [ -e "/Applications/iTunes.app" ] ; then
rm -rf "/Applications/iTunes.app" 2> /dev/null
fi

/usr/bin/sudo -u $USER "$PACKAGE_PATH/Contents/Resources/InstallHelper" "/Applications/iTunes.app/Contents/Resources/iTunesHelper.app" 2> /dev/null
"$PACKAGE_PATH/Contents/Resources/InstallHelper" 2> /dev/null

exit 0



The use of shell scripts as part of the installation can be used to correct or modify installations before or after they have completed.

Advantages of Tracking Package Installers

Each package that is installed creates a receipt file in /Library/Receipts. As an example, the following listing is from the iLife.pkg.

Note the permission mode setting for /private/var/tmp: drwxrwxrwt. By tracking the installation as shown above, you can check file permissions for inconsistency. If an installer incorrectly modified /tmp, removing the sticky bit, a potential security hole is created, as listed in AusCert advisory AA-95.07. You could then proactively correct any potential security hole discovered in a Receipt file.

Additional Simple Tracking Methods

One very popular type of installation on Mac OS X is the "drag-and-drop" method of installation. Tracking this type of installation is very simple with the command-line tool ls. Using ls with the correct command-line switches, a complete listing of installed files can be created. Using the following command:

ls -latR

produces the following listing for an application.

Much of the information provided is similar to a package installer. However, note that no checksum information is provided as a drag-and-drop installer is simply copying the file from a disk image, and does not have any method for file integrity verification.

Advantages of Using Package Installers

From a developer's standpoint, the advantage of using Packages is tremendous. Why?

• The installation is recorded in /Library/Receipts. The receipt file can become very useful when upgrading a package.
• Permissions of any package installed in the Receipts directory is checked by Disk Utility when running the task "Check Permissions". If at any point a user alters permission unknowingly, a simple use of this task will restore permissions to their installed state.
• It can be distributed throughout an enterprise environment with the use of "http://www.apple.com/remotedesktop"

Hopefully, this basic guide has provided you with additional insight into the basic methods of tracking installations in business and educational environments.

Philip Rinehart is a member of the steering committee leading the Mac OS X Lab Deployment Project (www.macosxlabs.org) and manages Macs as a support specialist at Yale University.

Return to the Mac DevCenter

Post your comments and questions here.
You must be logged in to the O'Reilly Network to post a talkback.

Showing messages 1 through 2 of 2.

• Mac OS X Application Management - White Paper
  2004-06-16 20:37:06  richardglaser [Reply | View]
  
  
  FYI:
  

  Richard Glaser, University of Utah; and Philip Rinehart, Yale University;
  macosxlabs.org steering committee members have written an extensive white paper
  on Mac OS X Application Management. The paper thoroughly covers licensing models,
  security considerations, reviewing & tracking installations, missing Mac
  OS X applications & support, distribution tools, and deployment & distribution
  solutions.

  
  

  The white paper is available for immediate download:

  
  

  http://www.macosxlabs.org/osx_app_mgmt-best_practices.pdf

• WWDC 2004 Session - Application Management
  2004-06-09 17:28:51  richardglaser [Reply | View]
  
  
  FYI:
  
  There will be a session on Application Managment, presented by Philip Rinehart of Yale University and Richard Glaser from the University of Utah. Attend this session and learn about installation, deployment and distribution of Mac OS X software in an enterprise environment. Learn tips and tricks from two enterprise system administrators and steering members of the macosxlabs project. Included in this session will be demonstrations of tools used to troubleshoot current challenges, and techniques to provide solutions for these challenges.
  
  Currently the session name & description aren't very accurate of the actual session, but look for "630 - Network Administration Best Practices for Education". We hope that it will get updated to reflect the session.
  
  See web page for up-to-date info:
  http://developer.apple.com/wwdc/descriptions/descriptions-eit.html