Install into /usr/local
Alex Satrapa
grail at goldweb.com.au
Mon Feb 12 17:10:18 PST 2007
On 13/02/2007, at 10:49 , Dan Shoop wrote:
> At 12:15 AM +0100 2/13/07, Richard Taubo wrote:
>> With "per default on OS X" I meant out of the box, without being
>> controlled by a manager or admin.
>> Many systems run without this type of admin, but can still be
>> important to the owner.
>
> And is entirely missing the point.
Though to answer the original question, yes it's a good practice to
make sure that installed programs are owned by an account that will
not be running any software. Some people will pick "root", some
people will create a new user for every application (or suite) that
is installed — and never set ownership to root — for various reasons
including the perceived risk of privilege escalation vulnerabilities,
or the simple convenience of having all files that are part of the
"Postfix" mail server installation being owned by one user (who
should not be the user that the daemon runs as, to prevent the
software being corrupted).
The main concern here is to prevent rogue software (or rogue users!)
overwriting executables that are likely to be used by other users (or
even the same user, in the case of rogue software such as viruses).
This is the main reason that Unix is so secure compared to Mac OS 9
or Microsoft Windows (which has historically allowed the user total
rights), for example.
A typical scenario is that the various pieces of software that make
up the Postfix mail server (for example) run under the "postfix" user
id, all the config files and mail spools are owned by that user (so
the mail server can manage mail receipt and delivery), but the
executables are owned by root. The smtpd process needs to read/write
the files, but under no circumstances should that software be allowed
to modify itself (or any other executables on the system).
I believe that Dan's message is that *someone* is the administrator
of the system, regardless of whether it's the owner/operator in a
1-man show, or some nominated individual(s) in a larger
business/corporation. This person is the one who needs to make the
decision, and (this is the part Dan hasn't touched on) absent any
training the safest option for the incumbent is to make sure all
software is installed as owned by a non-operator user account, with
'root' being a safe-ish fallback (as long as programs aren't run as
root unless they need root privileges).
As a starter, the issue of ownership of binaries versus runtime
userid is related to Privilege Separation
(http://en.wikipedia.org/wiki/Privilege_separation), or the
Principle of Least Privilege. For the more technical, there's the
"Red Book" (which is now purple, but never mind):
http://www.admin.com/Pages/USAH.html, or more specifically the Apple
Training Series: Mac OS X System Administration Reference. They're
all heavy reading, but then Unix is a heavy operating system.
Alex
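Editor's added example (not part of Alex's post, and not a tool from
the list or from Apple): the "executables owned by root, writable by
nobody else" rule from the Postfix scenario above is easy to state and
easy to break silently, so here is a small POSIX sh audit that finds
executables under an install prefix which are either not owned by the
expected owner or are group/world-writable, plus a helper that strips
the write bits. The function names, the default owner of "root", and
the prefix argument are my assumptions; the check uses only octal
-perm tests so it runs the same under GNU find and the BSD find that
ships with OS X.

```shell
#!/bin/sh
# Added example: audit an install prefix for executables that a
# daemon or an operator account could overwrite. Not from the
# original post; function names and defaults are assumptions.

# audit_bins DIR [OWNER]
# Print every regular file under DIR that has the owner-execute bit
# set (-perm -100) and is either not owned by OWNER (default root)
# or has the group-write (-perm -020) or other-write (-perm -002)
# bit set. Any line of output is a binary that someone other than
# the administrator could replace.
audit_bins() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -perm -100 \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# lock_down_bins DIR
# Remove group and other write permission from every executable
# under DIR. Ownership is deliberately left alone: changing it to
# root requires root, and a wrong chown on a daemon's spool or
# config files would break the service, so that step stays manual.
lock_down_bins() {
    dir=$1
    find "$dir" -type f -perm -100 \
        \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Usage (as the administrator):
#   audit_bins /usr/local root      # list offenders
#   lock_down_bins /usr/local       # strip go+w, then re-run audit
```

Note that a clean audit only proves the files are not writable by
other accounts; it says nothing about whether the daemon is running
as the file owner, which is the other half of the rule in the post
(the "postfix" user should own spools and config, never the
binaries).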