>let's first confirm that pkgbuild and Installer.app behave this way Confirmed :-)
I’ve attached a few files to this email, but don’t know if attachements works
for the mailing list or not.
Summary:
pkgutil defaults all ownership to root:wheel *unless* the "--ownership
preserve" flag is explicitly specified (it is not for MacPorts mpkg).
pkgutil only “preserves” ownership by uid/gid, so target ownership can get
cross-mapped if ids are not perfectly aligned and orphaned if non-existent.
The risk of cross-mapping is quite likely. Given the nature of ports which do
specify dedicated users, this presents a significant security risk (when using
.pkg installers).
Testing approach:
I used the brotli-1.0.9_2-component.pkg created from a "port mpkg brotli"
command as a starting basis.
Exploded to a temp directory using pkgutil "--expand-full" flag.
Created 3 new users with ids selected for the test.
Gave ownership of each file inside "include/brotli/*.h" to the 3 new accounts
(and ownership of the 4th file to the current user).
Rebuilt the package (from exploded dir) twice.
Once with the default "--ownership recommended” and once with "--ownership
preserve”
Moved the two packages to a target machine.
Pacifist on the target machine immediately showed the problem.
“recommended” had all files owned as root:wheel
“preserve” had all files owned by a number:number (no names).
Created two of the three accounts on the target machine, left the third
undefined, and gave what had been the 3rd id to the 2nd account as its uid/gid.
(In other words, I intentionally cross-mapped the accounts)
Relaunched Pacifist and verified that three's file now showed as belonging to
two, and twos file just displayed a number.
To head off any potential questions :-) yes, I also ran the actual macOS
Installer and validated that what was installed in each scenario matched
Pacifist display.
I’ve attached .txt file (tst-pkg-file-owners.txt) with the commands and results
described above.
I’ve also attached a bash and zsh compatible script (user-group-utils.sh) for
creating users and groups as well as adding users to a group (which probably is
not needed).
Parts of the shell script were written by referring to handle_add_users proc in
the MacPorts Tcl.
Also attached is a little utility script (tst-pkg-file-owners.sh) to make it
easy to create users for this specific test.
Proposal:
Since MacPorts has existing support for specifying *.pkg pre/post install
scripts, we probably can’t just auto-magically handle all of this every time.
But I think we could get close.
Detect the presence of add_users in the Portfile, and *IF* present,
1. Stick the shell script I’ve attached (user-group-utils.sh or
something like it) in the installers ’Scripts’ directory
2. Generate a create-users.sh script that would call the functions in
#1 to create needed accounts (group first then user).
3. Document how to call the *generated* "create-users.sh" script from a
user supplied pre-install script.
4. If the Portfile does not specify a pre-install script, generate one
which in turn calls “create-users.sh”. (e.g. . "$(dirname
"$0")/create-users.sh”)
-Frank
user-group-utils.sh
Description: Binary data
Explode with:
pkgutil --expand-full
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_perl_p5-mail-spamassassin/p5.34-mail-spamassassin/work/mpkg_packages/brotli-1.0.9_2-component.pkg
ex-brotli
Initial state:
ls -la Payload/opt/local/include/brotli/
drwxr-xr-x 6 root wheel 192 Nov 2 21:08 .
drwxr-xr-x 3 root wheel 96 Nov 2 21:08 ..
-rw-r--r-- 1 root wheel 14323 Aug 27 2020 decode.h
-rw-r--r-- 1 root wheel 17361 Aug 27 2020 encode.h
-rw-r--r-- 1 root wheel 10712 Aug 27 2020 port.h
-rw-r--r-- 1 root wheel 2615 Aug 27 2020 types.h
users
id u_one
uid=756(u_one) gid=756(g_one)
id u_two
uid=757(u_two) gid=757(g_two)
id u_three
uid=758(u_three) gid=758(g_three)
Pre pkg state:
ls -la Payload/opt/local/include/brotli/
drwxr-xr-x 6 root wheel 192 Nov 2 21:08 .
drwxr-xr-x 3 root wheel 96 Nov 2 21:08 ..
-rw-r--r-- 1 u_one g_one 14323 Aug 27 2020 decode.h
-rw-r--r-- 1 u_two g_two 17361 Aug 27 2020 encode.h
-rw-r--r-- 1 u_three g_three 10712 Aug 27 2020 port.h
-rw-r--r-- 1 admin staff 2615 Aug 27 2020 types.h
<-- admin is both cur user and 501
Rebuild two ways... default (aka --ownership recommended), and --ownership
preserve
brotli-UTEST-R-component.pkg
pkgbuild --prior
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_perl_p5-mail-spamassassin/p5.34-mail-spamassassin/work/mpkg_packages/brotli-1.0.9_2-component.pkg
--root "ex-brotli/Payload" --scripts "ex-brotli/Scripts"
brotli-UTEST-R-component.pkg
brotli-UTEST-P-component.pkg
pkgbuild --prior
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_perl_p5-mail-spamassassin/p5.34-mail-spamassassin/work/mpkg_packages/brotli-1.0.9_2-component.pkg
--ownership preserve --root "ex-brotli/Payload" --scripts "ex-brotli/Scripts"
brotli-UTEST-R-component.pkg
------ Before creating users/groups on target ---------
Install "recommended" on target
ls -la /opt/local/include/brotli/
drwxr-xr-x 6 root wheel 192 Nov 2 21:08 .
drwxr-xr-x 3 root wheel 96 Nov 2 21:08 ..
-rw-r--r-- 1 root wheel 14323 Aug 27 2020 decode.h
-rw-r--r-- 1 root wheel 17361 Aug 27 2020 encode.h
-rw-r--r-- 1 root wheel 10712 Aug 27 2020 port.h
-rw-r--r-- 1 root wheel 2615 Aug 27 2020 types.h
Install "preserve" on target
ls -la /opt/local/include/brotli/
drwxr-xr-x 6 root wheel 192 Nov 2 21:08 .
drwxr-xr-x 3 root wheel 96 Nov 2 21:08 ..
-rw-r--r-- 1 756 756 14323 Aug 27 2020 decode.h
-rw-r--r-- 1 757 757 17361 Aug 27 2020 encode.h
-rw-r--r-- 1 758 758 10712 Aug 27 2020 port.h
-rw-r--r-- 1 franks staff 2615 Aug 27 2020 types.h
<-- franks is both cur user and 501; staff is 20 on both machines.
------ Create one & two (but not three) on target ---------
------ NOTE: two given id that three had on src ---------
users
id u_one
uid=756(u_one) gid=756(g_one)
id u_two
uid=758(u_two) gid=758(g_two) <-- Note id is what was three's
id on src machine
id u_three
id: u_three: no such user
Install "recommended" on target
ls -la /opt/local/include/brotli/
drwxr-xr-x 6 root wheel 192 Nov 2 21:08 .
drwxr-xr-x 3 root wheel 96 Nov 2 21:08 ..
-rw-r--r-- 1 root wheel 14323 Aug 27 2020 decode.h
-rw-r--r-- 1 root wheel 17361 Aug 27 2020 encode.h
-rw-r--r-- 1 root wheel 10712 Aug 27 2020 port.h
-rw-r--r-- 1 root wheel 2615 Aug 27 2020 types.h
Install "preserve" on target
ls -la /opt/local/include/brotli/
drwxr-xr-x 6 root wheel 192 Nov 2 21:08 .
drwxr-xr-x 3 root wheel 96 Nov 2 21:08 ..
-rw-r--r-- 1 u_one g_one 14323 Aug 27 2020 decode.h
-rw-r--r-- 1 757 757 17361 Aug 27 2020 encode.h
-rw-r--r-- 1 u_two g_two 10712 Aug 27 2020 port.h
-rw-r--r-- 1 franks staff 2615 Aug 27 2020 types.h
tst-pkg-file-owners.sh
Description: Binary data
> On Dec 9, 2023, at 11:45 PM, Joshua Root <[email protected]> wrote: > > On 10/12/2023 16:33, Frank Stock wrote: >> So every macOS installer that expect certain ownership, needs a pre/post >> install script that ensures the expected users exist (or create them). It >> should then explicitly set ownership of files with non-default ownership. > > Well let's first confirm that pkgbuild and Installer.app behave this way when > configured appropriately. If the users and groups do have to be created by > custom code in the pkg, doing it in preflight should result in the files > being created correctly by the installer with no further intervention. > > - Josh
