For example, I have one local admin on the machine (ID 501) and then any other home directories are portable and managed via OD.

Not that this isn’t dumb, I’m just sayin’….

One correction: The Repair Disk Permissions function in Disk Utility shouldn’t reverse your fixes, since it doesn’t use third-party receipts when “repairing” permissions.

http://www.stepwise.com/Articles/Technical/Packages/InstallerOnX.html

Maybe MS should have known better, but maybe Apple should also have improved their installer years ago. Apple clearly hasn’t cared enough about smaller developers to make a fix, so hopefully MS has a high enough profile that something finally gets done.

Schwieb
MacBU Dev Lead

I love reading these. I hear you voice as I read them. One question. Why are you not working for them, Microsoft? I am very proud of you.

Love, Mom

You’re kidding? It’s not a flaw, it’s a feature. It is the responsibility of the person creating a package to define what permissions should be used. Not being able to figure out the files should be owned by root:admin is like not figuring out that you need to power on a Mac to use it.

Required reading: http://unsanity.org/archives/000410.php

No, it is you who is joking. It is *my* machine, not Microsoft’s or some random third-party developer’s, and *I* get to set what I want. If you’d actually read the link I provided, you’d have seen that the problem lies in the fact that Apple’s Installer will blindly change ownership and permissions. If I wanted to make /Library/Automator/ a+w and owned by group 666 on my machine (for whatever stupid reason), nobody should be changing that without my permission. It is flat out *wrong* for Apple’s software to allow that because it could cripple your whole machine.

“files should be owned by root:admin”

For 99.999% of the software that gets released, it should be able to be installed and run as the current user. It should be the *exception* that software has an installer at all, let alone one that alters permissions by default. Apple simply dropped the ball, and has done so on this issue for years, and you should not defend them in this matter.

You will find this privilege setting idea no different on Linux, HPUX, Solaris, what-have-you… It’s up to you, if you want to override the default privileges, to do so. Not everyone else that has a user account on the machine.

If you want to set the perms for /Library/Automator, then remember to run your post repair script to set those perms back. Scripting isn’t that hard for you, or you wouldn’t be in the CLI to begin with.

Remember that this is Unix-land. A multiuser privilege protected environment. Under your scenario any additional users will not be able to make use of what should be software accessible by all users of the machine without your direct intervention.
You seem to think that everyone would love to have to intervene in such cases because you find you want to.

That’s where you’re just dreaming. There are permissions and ownerships to conform to when building an installation package. If someone plans to install stuff in /Applications or /Library, then the owners have to be root:admin. The permissions should be 775 for folders, 664 for non executable files, etc. It’s not democracy here, it’s security and common sense.

For the record, PackageMaker (or WreckageMaker depending on how much you like this app) includes a tool to check files permissions and ownership against common recommendations.

And anyway, are they not doing QA testing in the MacBU?

Finally, I don’t see why people are that agitated because of this mistake. It’s not as bad as an Intuit update who deleted user’s desktop.

You support my point! It’s about *my* control and not, in this case Microsoft’s control, or *any* random developer’s control. Apple should not be handing off control of your computer to any fool that can create a package, yet that is exactly what they’ve been doing.

“The design, as it stands, allows for the most seamless, least problematic installation and use of software by any user on a given machine.”

Yeah, if you ignore the fact this very article exists for you to respond to. Apple’s own advice is that you should not need an installer to run an app, and I would absolutely agree that there is *nothing* about an office suite that requires administrative access.

“Under your scenario any additional users will not be able to make use of what should be software accessible by all users of the machine without your direct intervention.”

No, under my scenario an individual wouldn’t have to become administrator to use an app themselves, and the *optional* system-wide installation *might* involve getting *write* access to *particular* folders. There is simply no sane reason for an installer to blindly start changing ownership and permissions of entire directory trees. If you can’t refute that very basic point, stop making yourself look bad by trying to make Apple look good.

By the way, I’ve posted a blog entry to Mac Mojo with some terminal commands to fix the file ownership issues. The exec bit issues are hard to fix with a simple terminal command, but we’ll be fixing both in a pending software update.

http://www.officeformac.com/blog/Security-issue-in-Mac-Office-2008-Installer

Now, if Automator exists there and magically chowned to 502, anyone having 502 (generally,the non admin first account for safety) will have right to deploy any Automator script there. E.g. “convert this file to PDF” could well be rm the file.

I hope I am understanding something wrong but it seems this issue.

Also MS BU may have proved the causes of decade old ex NeXT and Mac developers still staying away from Apple pkg format saying it is way too powerful in a bad way.

Speaking about wrong permissions, someone should see the ever ongoing scandal of Adobe (and Macromedia, before) to install Flash with wrong permissions in each build.

Now there is a 502 installed thousands of files issue and as everyone probably knows, not every software user actually cares about updating their system yet alone an office package.

Why wouldn’t Intego which asks $70 for an antivirus program on OS X doesn’t do the same trick as a favour for their paying customers? It is not someones “I am 133t, showing OS X issues” thing like MOAB, it is a very widely installed, top seller office software.