
Problems with Apple's package installer
Scott Anguish of Stepwise has written a very good article that discusses some serious problems with Apple's package installer program. It's a bit technical at times, but a couple of key tidbits include:
  • If a package installer encounters a directory that already exists, it will set its permissions and ownership to the permissions of the version in the archive. If the installer maker wasn't very careful with the permissions settings, you may find your Applications folder has new permissions which make it impossible to use (jCalendar originally shipped with such a problem, and the author has now switched to a disk image installer as a result).

  • If you have a symbolic link that points to another directory (if you've moved your Applications directory, for example, and replaced it with a link to the new location), the installer will replace the link with a directory, and any files below that directory will be installed in place. This can also have serious side effects, including disabling your system completely.

  • If the installer package requires your password to launch, then code inside the package that's owned by root will be executed with full root privileges. This makes it very easy for malicious code to damage areas of your system which would normally be protected.
In short, until Apple resolves the problems with the installer maker, you should treat any .pkg file with extreme caution - it could easily disable key portions of your system, and it would be fairly trivial for a malicious hacker to create an installer that does a number of Very Bad Things using root privileges.

This is a tricky situation, as some products (such as MySQL and PHP) seem to require an installer, based on their need to put pieces in a number of locations. In general, avoid the package installers if you can, but if you can't, make sure you (a) have a backup of important data before proceeding, and (b) know and trust the source of the package.
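
A pre-install check for the first two problems above, added here as an example (it is not from this hint or the Stepwise article). It assumes you have already listed the package's entries as (path, kind, mode, uid, gid) tuples; `audit_payload`, that tuple layout and the sample tree are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

def audit_payload(entries, root="/"):
    """Report existing directories/symlinks under root that installing entries would alter."""
    # entries: (relative_path, kind, mode, uid, gid); layout assumed for this example
    findings = []
    for rel, kind, mode, uid, gid in entries:
        if kind != "dir":
            continue
        target = os.path.join(root, rel.lstrip("/"))
        try:
            st = os.lstat(target)  # lstat: inspect the link itself, not its target
        except FileNotFoundError:
            continue  # nothing there yet, nothing to clobber
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink-replaced-by-directory", os.readlink(target)))
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue
        current = stat.S_IMODE(st.st_mode)
        if current != mode:
            findings.append((rel, "mode-change", f"{current:04o} -> {mode:04o}"))
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append((rel, "owner-change", f"{st.st_uid}:{st.st_gid} -> {uid}:{gid}"))
    return findings

def demo():
    """Constructed target tree and constructed payload listing, built in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "Applications")
        os.mkdir(apps)
        os.chmod(apps, 0o775)
        moved = os.path.join(root, "MovedLibrary")
        os.mkdir(moved)
        os.symlink(moved, os.path.join(root, "Library"))  # relocated dir behind a link
        st = os.lstat(apps)
        uid, gid = st.st_uid, st.st_gid
        payload = [
            ("Applications", "dir", 0o700, uid, gid),   # careless mode in the archive
            ("Library", "dir", 0o755, uid, gid),        # would replace the symlink
            ("Applications/Example.app", "dir", 0o755, uid, gid),
            ("Applications/Example.app/readme.txt", "file", 0o644, uid, gid),
        ]
        return audit_payload(payload, root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding on a shared directory such as Applications is a reason to stop and fix the package, or to back up and record the current permissions first.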