WWDC2004 Session 630

Transcript

good morning my name is Gordon chocolate
and I'm here to introduce to you Richard
Glaser from the University of Utah and
Philip Rinehart from Yale University so
the first thing we announced was
that the Mac OS X Labs project is
now moving to becoming the Mac OS X
Enterprise project and you'll find it at
macenterprise.org what you're going to
see is that there's an increase of work
that's going to be going on where
they're changing from just lit part
primarily looking at lab deployments to
looking at how you deploy Macs completely
in the whole lab and they'll be looking
for some additional participation
outside of just higher education so with
that let me turn it over to you to
Richard and we'll go from there okay
today what you learn or we're going to
cover some basics on application and
just distribution next we're going to
cover things you should know
commonly overlooked issues that admins
should know about next we're going to
cover how to track an application what
does an installer or application really do
to your file system next we're going to
cover finding solutions how to make the
application work in an environment and
lastly we're going to cover distributing
the application what tools and solutions
are available so why is this important
that's probably the most important
question that you should probably ask
yourself first thing is security so you
can find and fix security issues the
next thing is flexibility it allows an
administrator to easily add remove
upgrade or downgrade applications it
also allows for speed so that means that
you don't have to spend your time
developing new systems and you can
quickly distribute applications fixes
and their updates also allows for
granularity because I can control that
distribution on a per machine per user
or group or for the entire enterprise
and lastly it allows me to log complex
installs with abstract names it allows
me to control the setup details and the
customizations to distribute the
application properly so let's talk a
little bit about the deployment
lifecycle what we all deal with every
day
the first thing that we do when we get a
new machine in the door is we assess the
need what is this Mac need to do what
application load set does it need to
have the next logical step is the
creation building and testing of that
load set that you're going to apply to
the machine so you have to figure out
what am I going to put and where am I
going to put it the next step is
actually deploying the application load
set and deploying it in your enterprise
environment and the next and last step
is to patch and update it basically to
address security needs or application
needs and then the process to exist
begins again with assessment of needs as
new machines come in or its machines are
retired so let's talk about some of the
factors in management first thing and
probably the most important thing is
security by doing this it allows us to
find and fix potential security issues
it means that more and more most of us
have an enterprise security policy which
we need to meet and I can meet that
policy by controlling my application
distribution it also minimizes the
impact on the network I don't have to
worry about my machine affecting other
machines and it minimizes the risk of my
machine being compromised by a hacker or
some other user also it gives a uniform
experience for all end users this is
titled security but it actually isn't
security it should be consistency means
that I can give a uniform experience for
all end user so that when the user sits
down to their machine they know where
things are and they have certain
expectations that are met it also means
that things break consistently and can
be fixed consistently and that's equally
important because it means if a user
calls me up and says something has
broken I know where to begin to look and
it makes the troubleshooting of
applications simpler the next thing and
this is probably one of the best
benefits of this is it gives me
efficiency it means my time I can use
tools to control and manage that
distribution I can reduce my time spent
developing a new system and I could
minimize the downtime of my systems so
essentially they're up 24 by 7 and the
last thing and probably the thing that
will make your enterprise managers the
most
happy is cost it reduces the time you
spend managing it means i can use open
source and free tools there are many
open source and free tools used to
manage systems i can also leverage
existing technology and i can deploy in
minutes instead of hours so let's go
back to the create building test phase
the deployment lifecycle so what we're
really going to focus on today is create
build and test what we're going to talk
about is what we should look for when
you're deploying applications in your
environment things you should know this
will be a basic guide to what you need
to worry about the forward distribute
application this flow chart gives you a
basic flow chart of the process and the
first thing is kind of obvious you
install the software next thing you set
the application entering serial numbers
do any default installation third you
customize the application depending on
your environment fourth you track and
debug what you installed on what you've
customized and then make modifications
to get the application to work properly
based on your customizations and then
lastly you distribute and also debug
because certain distribution tools might
cause certain issues with some
applications you might have to make some
modifications next I'm going to cover you
shouldn't always trust installers the
first issue is sometimes installers
install insecure permissions
sometimes installers will not install
the install correctly or properly
and also sometime installers will
install binaries with elevated
privileges and the next issue that
arises sometimes is sometimes installers
require administrative privileges a lot
of times this isn't necessary for
install and also overuse of the admin
credentials can make it cause people to
be careless and just automatically
entering those in and that could become
a security risk
and lastly if you require admin for
installers it also could stop non-admin
users from installing the software
and the next thing that's another issue
with installers is sometimes they
install in non-standard locations so for
example the root of the file system
/usr/bin also installers sometimes will
modify critical files so for example
sometimes installers to make certain
binaries or application launch on login
will modify the user's loginwindow.plist
or the host-based
/Library/Preferences/loginwindow.plist and this
can cause a burden for the IT to manage
because you have to manage multiple
login plists or cause problems based on
which user logs logs in might not have
the application experience they need
next I'm going to cover some topics
on insecure permissions the first one
we're concerned about are world or
group writable this is the issue because
this can cause security problems
sometimes an application will require
these for the application to run
properly and the next are special modes
you have SUID or set UID and this can
cause problems because the application
or the binary and application use will
run with the privileges of the owner of
that application this if the application
is not properly set up could allow
another user to compromise your system and
also for the last set group ID you'll
have similar issues where it basically
runs with the privileges of that group
and so here's a basic example of the
issues with an SUID application so you have
an SUID application and then the
next screen it's owned by root any user
comes in drill below is a non-admin
launches application basically that
binary application runs with root
privileges and if the application does
something improperly it can be used to
either delete files or compromise the
file system this is a real big concern
to enterprise next thing we cover the
process of doing some simple tracking
and the first option is readmes you
see if the installer package has a
readme
rarely in my experience does that give
you any detailed information but it's
your first option next after you've done
their installation you could always look
at the log file and see exactly what its
installed and see if it gives you any
details third you have multiple options
with package installers first I'm going
to cover is Apple's installer utility
the second I'm going to cover is a GUI
application called Pacifist which is a
package utility and the third one I'm
going to cover is lsbom which is a
command line utility that allows you to
view package installers and again now
these always only work with .pkg
installers so here's an example of using
Apple's installer so basically you
launch apples installer utility launch
the Installer then what you have to do
is go step through until you select the
destination then what you'll see is
under the file menu have a show files
option this will basically show you all
the files the Installer will install
before you install again this doesn't
give you a lot of detailed information
you really should have but it's a good
first start another option with the
Apple's Installer utility is the show
logs option and the show log option is
good because you can actually watch
scripts process a lot of times
installers to either have pre post
scripts that do certain things and you
can actually watch actions they're doing
again this is a give you all the details
you need but the next step next thing we
cover Pacifist which is a
GUI package installer utility if you
see from the screen here Pacifist gives
you a list of all the applet that see
all the file system items installers
going to install but also gives you some
detailed information it's real important
have so for example you have permissions
and they also have attributes like owner
and group also process is really useful
you can verify taking install and verify
what's an installed on your system it
supports check something another item
that we do a lot is if you need to
custom install an installer or a piece
of an installer in a certain location
you can use pacifist to force it to
install to a custom location also
Pacifist is good to detect if
something's been deleted on your machine
that you need from an installer
next there's lsbom which is a
command line utility that allows you to
view package installers so this first
section here at the top I'm basically
what you want to do usually on package
installers you want to go into
Contents/Resources and for example you could do
an ls and look for the bom files and
here in this example I'm showing iTunes
so that's the file you want to find then
the next thing you want to do is list
bill of materials or the bom materials to
show all the contents installers can
install so you basically run this
command at the bottom lsbom minus p mu g
TF FC and then the bom file you want to
use and it will basically give you a
list of permissions attributes in etc
next and there's some options for
drag-and-drop installers so basically
use the ls or list command and so here
for example I have a drag-and-drop
installer Fugu which is an SFTP/SCP
application I download it it launches a
disk image and then I just drag the
application package to anywhere in the
file system but if I want to see what
permissions it has I basically run the
command below ls and I use the
parameters la PR and then he'll give me
a list of permissions attributes etc
next we have Phillip is going to do a
demo of some of the items I talked about
so we switched demo to do a one hour
demo on sorry so basically I'm going to
take our one of our favorite apps I can
and going to show you how we can do some
of the simple things with installer and
how we can some of the things that rich
are just explained so I've pre-launch
this so you can kind of see some of the
things that happen so when you launch
installer there's an option in the file
menu that says right now it's hide log
but if I go to the file menu and I say
show log it brings up a log and if you
notice I've actually got information
here already and it's basically what
this has done is run it's called the
pre-flight script and you can see the
results of that so watch what happens
now when I hit continue it's actually
going to do
as it runs the script it will actually
do fill that log and there you go you
see that it says show everything I
typically want to see everything that
happens because it's going to talk about
everything that it does now Richard said
that show files only begins to appear
after you've selected a destination so
in this case I've selected original and
then all I have to do is go to file
windows and say show files and notice
that this deals with not only packages
but also meta packages and I can
basically show you all the files that
are installed so that's a useful first
start but what it doesn't do is it
actually misses the checksum it misses
the permissions misses a lot of things
that can be useful so i'm going to show
you the other tool that is the next
logical step after you use installer
which is Pacifist and Pacifist
looks at packages or meta package files
and basically provides you a lot more
information so notice here that I've
brought up the package and the contents
of itunes for package shows me a ton of
information I get to see the size of it
I know the owner of it I know the group
of it and notice that I see the
permissions I also see the original
modification date so this allows me to
take this and view all of the things
that might be important to me and this
little button right here Extract To is
also really useful because as Richard
said if I want to install it in a
location other than the default location
that installer might put it in I don't
have to depend on that anymore I can now
extract it to any place across the file
system that I have permissions to
extract to and the other thing is notice
that it also has the authorization
dialogue so in case you would want to
put it in some place that you may not
normally have access to you can do that
now what I'm going to do is pacifist is
a great GUI tool you can do the same
thing with command line and here's the
example of the command that Richard listed
lsbom -p and you'll notice when I
do this I get a ton of information a
little bit hard to read right now
because of the
way the line wraps happen but essentially
gives me all the same sort of
information that I just saw in pacifist
so if you're more comfortable to command
line it's one way to do it now the other
thing is for drag-and-drop installers
I'll get it right once so I've listed a
lot there but as you can see when I do
list that's la T capital R what I do now
is it actually gives me all the
permissions information for a
drag-and-drop installer gives me the
group everything else the one thing it
doesn't do is a checksum because there's
really no way that list can support
checksums so it gives me an insight to
what the application actually might be
doing because a lot of drag and drop
installers because of the ignore
ownership flag that is set often when a
developer drag that over and creates it
when you first open it's going to come
down to your file system with it being
completely open and having world write
permissions set so it's just a good idea
to check it before you drag and drop it
or when you drag and drop it then you
can check it so back to Richard
back to slides next I'm going to cover things you
might not know but we think are
important to know about here's a list of
some commonly overlooked issues and the
issues that we've run into are
broken links and links or aliases with
applications applications that do not
follow the preference hierarchy and
ByHost preferences which are host specific
file naming and preferences hard-coded
paths directory location limitations
either restricting you to either the
root of the filesystem root of applications
etc file or finder attributes broken
links first thing you have are sometimes
applications will depend on symlinks and
sometimes they'll use absolute path and
this will cause issues if the admin or
user lose a folder or move
or rename the folder or moves the parent
folder or rename the parent folder
aliases prior to Mac OS X 10.2 aliases
resolved based on unique ID and 10.2
and higher they use the path name
selected symlinks and then use the
unique identity second again problems
arise when either the user admin renames
application folder or moves it to a
different location then the issue where
the unique identities will not resolve
is when you use a cloning software like
ASR preference hierarchy this is an OS
system where applications can depend on
the OS to resolve separate scopes to
find preferences issue sometimes happens
when a requires a specific location or
restricts to a specific location you
have options for separate scopes the
first scope you have user space where
you can install the preferences in
/Users/username/Library/Preferences
this restrict the preferences just to
that specific user next you have
host-based scopes which could be stored
in /Library/Preferences and this is
limited to users of that particular
machine next you have network scopes
which are stored in
/Network/Library/Preferences so here's an example of a
quote-unquote flexible app in a
problematic app the first app uses the
OS's preference hierarchy so the
admin or user can basically install
based on their needs in the environment
and can install the preferences in
separate scope so if the admin wants to
install in the user scope they can do
that an application will work properly
else if the admin wants to instead say
they have limited disk space and don't
want to duplicate preferences there's a
lot of preferences could put it in the
host-based scope and then an example
of a problematic app app basically
requires you to use the user space scope
this might cause some problems if you
have for example an application has a
lot of user specific files and it's not
easy for them to move it to host or
network base so
so following on Richards talk about the
Preferences hierarchy the other thing
that we need to talk about when we talk
about preferences ByHost preferences
now ByHost preferences are a unique
case because they use a particular
machine specific Hardware address or
hostname for setup so the preference files
often contains that information it
contains either the mac address of the
machine or the host name of the Machine
and the preferences are typically stored
in either the user scope at
~/Library/Preferences/ByHost or in the
global directory of
/Library/Preferences/ByHost so as an example in our test Mac
machine I've set up my machine that I
want to deploy I set it up exactly like
I want but in the bios folder it has the
set up max host name or the set up max
hardware address so what happens when I
now deploy this when I deploy it and I
put it on my clone mac now the set up
Mac host name is different and the set
up hardware address and is different and
so no longer are those preferences
actually preserved so let's move to
something different that we talked about
hard-coded paths often hard-coded paths
tie an application to a default
location with the default name and some
apps actually expect the default install
pathway so they might expect it to be at
the my applications my app folder my app
if they're not there they may not work
properly so when the parent folder is
moved or renamed for clarity it may
actually break the application we also
have directory location limitations
which is also related to hard-coded paths
that some apps may require installation
at specific locations such as the root
level of the hard disk or the root level
of the applications folder and many
installers and applications don't
support the special characters such as
spaces or the option six character or
other characters that can be added to it
and this particularly causes issue when
you try to update the application or use
features of the application last thing
that we're going to talk about is file
or finder attributes some applications
use file attributes carbon s file
attributes for setup and some
distribution tools don't support this
information
typically the way that you use this is
within the developer tools directory
there's a tool called GetFileInfo and
GetFileInfo actually looks at the
carbon resource file and basically tells
you what is stored in that file and
particularly the attributes and it could
be also the creation and the
modification date next I'm going to cover
tracking installation what does the
Installer really do and we've covered
some simple tracking option readme logs
using Apple's Installer utility Pacifist lsbom
now we're going to cover some more
complex tracking options I'm going to cover
utilities like File Buddy a command-line
tool called logGen and a suite of tools
called radmind first what method should
you use and the first option depends on
the technical ability of the admin and
do they know command-line the next you
want to use a GUI or command line some
of the tools do have GUI front ends some
don't so maybe not offer all the
features with the GUI that they do with
the command line so you have choices
they're also the accuracy of the tool
you want to use some tools don't track
as well as other or as accurately as
others lastly how does the tool you're
using for tracking installation
integrate into your overall distribution
model again simple tracking it works
great with packages and drag and drop
installers complex tracking you can use
with packages and drag and drop
installers you can also use with
non-Apple installers so like Vise InstallAnywhere
so here's an example of File
Buddy File Buddy was a popular Mac OS 9
file utility that was ported to Mac OS X
File Buddy has an option where it allows
you to capture a snapshot before and
after install and then you create a
comparison of the before and after
install it will give you a list of added
items modified items deleted items etc
and the cons against using file buddy
doesn't support the detailed information
that you usually need like permissions
and attributes and also doesn't support
file checksums so below here's the
graphic if people haven't used File
Buddy basically launch File Buddy
utility there's an option create
snapshot you take a before snapshot you
install your software set it up doing
the installation customization you do an
after snapshot and then you compare the
before and after and it will output the
files listed below logGen logGen is
a command line utility it's open source
it depends on perl modules in Mac OS X
10.3 and it does support detailed
information like permissions and
attributes and also does support file
checksums and it uses a similar method
as File Buddy so you basically take a
snapshot of the file system before
install your software set it up do any
customization and then do a scan after
and creates a logs of what's been
different in the file system so here's a
quick example of logGen basically
logGen you store in sbin so you run
the utility logGen you name whatever
you want to call the before snapshot
then you install the software set it up
then you basically run logGen again
you name the after snapshot and you also
select the before snapshot and you can
either output it to screen or output it
here to changes txt and then the output
below you'll get something similar so it
shows you new file change files or
deleted files radmind radmind is a
suite of command line tools radmind is
a really powerful file system management
tool that could be used to manage whole
file system from tracking to also
distribution radmind does support
detailed information like permission
and attributes owner and group and also
supports checksums and the process of
radmind is slightly different than the
other tools what you have to do is set
up a managed file system you update the
client to that managed file system you
install the software set it up and then
you run the radmind tools radmind tools
will scan the file system compare it to
the managed file system and log any
differences
so we're going to talk about advanced
troubleshooting and this kind of might
seem a little bit out of place in
tracking but it really isn't because
typically we want to run the application
as a non admin user and so some of these
sometimes the application may not work
as a non admin user so we have to have a
way of tracking what that application is
trying to do so that we know what to do
with the application for deployment so
most of these are command line tools
some do have GUI interfaces but most are
accessed from the command line the first
one is lsof which lists all open files
the next one is fs_usage
which monitors kernel level system calls
and file system activity and the last
one is ktrace which is kernel
tracing and it's a very low level
tracking mechanism so let's talk about
the first place that you should probably
start list open files this list open
files by processes and has many command
line switches the first one that I have
highlighted here is the list open files
with the dash c switch and what the
dash t switch does is tells it to pay
attention only to an application that
I'm interested in in this case I've said
I only want to care about mail app and so
what it simply does is it tells me all
the activity that's going on on the file
system with mail but only with open
files the other thing that you can do
and is another useful switch is if it's
trying to do something to a particular
directory you can pay attention to just
that application directory with the plus
capital D switch so i can say list open
files plus capital d pay attention only
to the mail app directory so if a normal
user is trying to write to some place
that i don't understand where it's
trying to write to i may capture that
with this command Sloth is a GUI for
list open files makes it a little bit
easier because i don't know if you can
actually see it yes you can see it it
has a number of checkboxes to basically
encapsulate the command line switches
and you can also set a filter on it so
that you could really pay attention so
let's move to the next level this is the
next level that you go if list open
files doesn't give you enough
information
you use file system usage has to be run
as root and it's more advanced than
lsof because it basically tells you every
file that's trying to be accessed across
the entire file system it also reports
in real time and the output is very very
verbose so I've listed the command here
which is fs_usage followed by the dash w
which tells me wide output so that I can
see the entire path I next tell it that I
only care about file system object I
don't care about anything else and
that's attached to the process
identifier of the application so that's
what I mean my command I next use grep
to omit cache hit if you don't do this
you're going to find that you have a ton
of output that you actually have to pay
attention to and it can actually get
very chatty and makes it hard to find
what you actually are looking for the
last thing that you should use kernel
trace utility and this is when you have
an application that's doing something
and you cannot solve it in any other way
it handles all calls directly from the
kernel the output is not readable by a
text editor it actually stores it in
machine format and it provides the most
complete set of information so notice
that I have ktrace dash TI Dash P to
the process identifier of the
application then to read that i use
kdump it's going to put a file called
ktrace.out in the directory that
you start typically this is your home
directory and then you can pipe that to
a text file and then you can read it but
as you notice from the example here it's
actually fairly complex and it's not
easy to read if you're going to use
ktrace I would suggest reading the manual
page because it will provide you most
information that you need the next thing
that I should say is when you run
ktrace it's actually very important
that after you have tracked the
application that you actually turn it
off if you don't turn it off it will
continue to monitor until basically your
file system is full so I actually
accidentally forgot to shut it off once
and filled up a 60 gig hard drive in
about four hours because it basically
just continues to monitor every single
kernel level call so read the man page
if you want more information
so Richards going to do a demo over on
demo to what I'm going to show is a two
of the utilities we talked about File
Buddy and radmind note just for sake of
speed and for demo purposes I'm
basically going to use a disk image to
show the demo but you could basically
the entire file system of a real large
hard drive but if you guys want to wait
40 minutes while I do stuff and we could
but anyway so what I'm going to do is
here's the disk image I have basically
tap on it this could be the OS could be
whatever you want I could have a real
diverse file system here but for simply
simplicity and sake of time it's just
real simple so basically I have chest
and what I want to do is I'm going to
show file buddy so I want to do a file
scan a snapshot of the file system so i
launched File Buddy and I select take a
snapshot then I select the volume 0 and
take a snapshot of which is the disk
image and I name it so name it before
and in an output next I'm going to stall
an application again for sake of time
I'm just going to do a drag and drop
with MyApp so I just drag this over to
the disk image this could be an
installer could be a Vise install it
could be complex file system could put
the pieces wherever you want on the file
system again for sake of time just do a
drag and drop so next I again I did
install I did any customization I wanted
then I take a snapshot again and I call
this one after and outputs it and the
next thing i want to do is compare the
before and after snapshots and what it
will do is output a folder that
basically has these files listed in here
i'm going to display those
so you'll see in the new items that list
my app and the package contents there
doesn't list any detailed information
like permissions and attributes there's
also new and modified items nothing
let's modify those only new items on the
file system what I'm doing here which
we'll talk about later is I'm running an
applescript to basically mount the disk
image with a shadow file i wrote the
applescript to remove the shadow so I
could get back to a clean system from so
basically what that did is just mounted
the disk image deleted the shadow file
now mounting it again we'll talk about
that little bit more okay so the next
one shows radmind again I'm back to my
my clean system and radmind one notes
I'll go over this little quickly radmind
you set up a default managed file
system which is defined by this command.K
again for simplicity this is a real
basic it doesn't have any unmanaged
items on the file system the base image
basically contains my default baseline
image which just contains chess and if
you have questions you can ask me after
radmind will take a long time to talk
about so again I do my install do any
customizations I want radmind does have
command line rd front end but i'm going
to show the command line
the first thing to again I basically CD
to the root of the disk image and the
next thing I'm going to use a command
line tool called fsdiff file system
differences I use a minus uppercase C which
defines a creatable transcript and a
creatable transcript is when I want to
create a overload to upload and
distribute to other clients the next
parameter is minus lowercase c
which defines checksum and sha1 is
one of the checksums radmind supports dot
current path and then I'm outputting the
transcript that it creates or the
modifications to the disk image to
MyApp.T but run there goes and will create
a file on my desktop and I'll open that
up for you so you'll notice kind of some
differences here FileBuddy only lists
some of the contents it uses the date
and size modification date Radmind uses
checksums and gives me detailed
information like permissions so if I use
FileBuddy I would know that I wouldn't
notice that this application installs with
world write that's 0777 so I'd miss
that item also with Radmind you can also
check for setuid and I can quickly scan
through the transcript and find those
items would be notified that there are
some concerns here so all right now back
to fly text slides so let's talk about
now that I've actually tracked the
installation and I know what it actually
does how do I actually make it work
because often the developer may not have
the time or may it may be a fix that is
coming down the road how do I actually
make the application work so let's talk
about modifying the default install
there are solutions that you can use
installer we can solve the problems of
installers of solving with superuser
privileges we can use tools to customize
or extracting installer they're also
security solutions where we can modify
the permissions and attributes to
something more acceptable we can use
links to redirect to a user space
instead of the global space you can use
the disc image with the shadow file or
can use login logout or startup scripts
you can also affect the Preferences by
using login or startup scripts for by
host preferences you can move the
Preferences to a different scope so
instead of being in the user scope it
probably or sometimes will work if you
move it to the host or network scope and
the last thing we'll talk about is file
and Finder attributes so some
installers actually require root
privileges to install because they
require writing to the file system in
places that you cannot write as a normal
user so there are GUI and command-line
options probably the easiest GUI one is
called Pseudo and all you do is you drag
the Installer on top of it and then it
installs as root which means you have
access to the entire file system the
other way you can do it is course is
with the command line you can use the
sudo command and impersonate the root
user you can either open the cocoa
application or you can use the
carbon-based installer the other way
that we talked about a little bit
earlier but this is only solution with
package installers is to use Pacifist
and with Pacifist it allows you install
to any location across the file system
and it also allows you to extract
individual items for example if an
application actually breaks and you need
to get part of that application out you
can do that with Pacifist so permissions
and attributes what's the simplest way
to actually look at permissions and
attributes simplest method is the Finder
using Get Info you can't set certain
bits you can't set the execute bit and
you don't have access to the special BSD
bits the setuid the setgid bits those
are not there so there is an application
freeware I believe that's called XRay
and allows you to see all the bits on a
file so if you notice the orange box
shows you the special bits the setuid
the setgid and the sticky bit and then
security bits which are less familiar to
some people the BSD security bits of the
user flags and the root flags the append
all those type of flags are located in
there and you can modify these with
XRay so what's the quickest way to
reset file permissions I don't really
want to let's say I don't really want to
GUI but I want to be able to go through
and traverse either the application or
the entire file system if I want to look
for every setuid world or group
writable or setgid the easiest
way is to use the unix command line find
utility so I've highlighted some of the
options so that you can see how this
actually works the first thing that I do
is I do dash X dash X says I don't care
about network file systems and in this
case I'm not going to start at the root
level I only care about my app so I'm
going to only look into applications my
app directory so that becomes the first
place that it looks the next thing that
I'm doing is I'm looking for world write
permissions permissions of 0777 I then
put the exclamation point and tell it
that I don't care about sticky bit
directories and the reason is because
sticky bits directories are
traditionally considered as a safe
measure of using something that needs to
be world write because you cannot delete
other users files the next thing that I
do is I also add the option of I don't
care if it's a link because links don't
matter so much for the world write the
next and last thing is I actually am
telling find that I want verification
every time I go through the entire file
system and what i'm doing here is i'm
using this change mode command chmod to
remove the execute bit so it is no
longer world or group writable now you
can also do this with setuid or
setgid in the same manner except this time
i add the option that i'm only
looking for file types and that i only
care about the setuid bit and again I'm
using the -ok so that it asks for
verification so that when I actually
change and remove the setuid bit I have
confirmation that it just doesn't do it
I actually like to be careful that
i'm actually prompted for an okay you could
do the same thing with setgid you just
changed it to zero two thousand the same
thing so let's talk a little bit about
redirection so that you can leave an
application to this default location
symbolic links often will trick an
application into working correctly so as
an example in my applications i have an
application test world write folder i
have a world write folder and in that
folder i basically want to not leave
that folder there i want it
redirected to a more benign space so in
this case what I've done is I've
actually symbolically linked that world
write folder to a place that I can put
world write folders that I trust it to
be and so I've redirected to the Users
Shared directory and that's where I
leave the world write folder you could
also use aliases to fool an application
and sometimes that works as well you can
either use the Finder to do it or there
are command-line OS X utilities it's a
SourceForge project if you just look for
osxutils there's actually a make alias
command that's command-line this using
symbolic links also works for directory
location because you can use them to
preserve that location you preserve it
for upgrades and you can give a custom
name to an application without actually
altering the original name it's a little
safer to use the full path if you're
using symlinks not to use relatively
link relative links next time we cover
other options when you tried redirection
modifying permissions and if your
application still does not work properly
the next option is to basically use a
disk image and mount it read write with
a shadow file so my example there where
I had an AppleScript to mount my disk
image with the shadow file so i could
write to it all modifications i could
basically pipe out to a shadow file and
i could store those in user space or
other locations I deem that wouldn't be
a issue with the file system these are
really useful because sometimes we run
into an application that basically
requires right access to the same
location uses a temp file for example
what you can do is you'll see below
there's an AppleScript what you want to
do is use do shell script you want to
use the hdiutil tool then I give the
pathway to the disk image so
Applications app dmg then i use the
parameter minus shadow then the next
step I do the pathway which I just have
appt shadow so that could I basically do
the path to the user space and say the
shadow file to that location I've used
this on many applications
and it's an ideal solution one thing to
know sometimes the shadow files become
very large so you'll want to either delete
them on logout or on startup next if
you can't solve an applications issues
with any of those options we've just
talked about one option is using scripts
and with scripts if an application needs
certain files created you could create
those you can remove certain files or
folders that are world write so if an
application does require world write you
can't use a shadow file you could go
back and remove those on log out or on
startup also you can modify preferences
if an application requires certain file
attributes you can modify those with a
script also if you have an application
that doesn't close properly you can use
a script that kills the application properly
again you can run these at login logout
startup or you can put a GUI wrapper in
front of the script file attributes have
revisited some applications depend on
some file attributes or Finder
attributes that aren't supported by some
distribution tools so for example we use
the developer toolkit file info I get
the information of the carbon
registration database to gather all the
front of the Finder attributes and then
I notice there's one attribute the
application depends on else it'll
reconfigure so what I want to do is use
the SetFile -d parameter to force the
application to have an attribute it
won't have after i use a distribution
tool next I'm going to cover distributed
application some tools and options and
solutions first how do you distribute
software if it's a package installer you
have multiple options from Apple if you
want to do Network versus local installs
you can use NetInstall ARD and there's
a lot of other options or simply
download the Installer to the local
machine install it then there's some
options for managed versus unmanaged and
unmanaged options we would
consider like Apple Remote Desktop
managed options you could have open
source tools like RsyncX and
Radmind
so let's talk a little bit about
repackaging why you would actually want
to do this the reason that we find
repackaging to be a very useful tool is
because you can take any installer from
any third party or a drag and drop and
you could repackage it this also means
that if I've modified an application
then I put it in a certain directory I
can preserve my corrected permissions so
if I don't like the way it came out of
the box I can modify it repackage it and
that when i distribute it out it
actually has those permissions that are
preserved or any modifications that i
might have done it also means that every
time a user may perhaps let's say we
have a in an enterprise environment a
laptop user if they run the utility
Repair Permissions it actually looks in
the Library Receipts directory and pays
attention to those permissions so that
it corrects them to the way that I
originally intended it to be and
probably the best benefit of repackaging
is it means that if I'm an Apple Remote
Desktop or a NetInstall user I can
now use those utilities to distribute
the application which in an enterprise
is a big win so let's talk a little bit
about Apple Remote Desktop now Apple
Remote Desktop with one point two point
one actually includes the ability to
install a package and this is really
really useful because it means that i
now have a package i select install a
package and i can install it to any
group of machines that i've set up to do
so i can also do it with the command
line so for example if i have Apple
Remote Desktop turned on i can actually
or actually even if i don't have Apple
Remote Desktop turned on i can ssh into
that machine i can then use the
kickstart tool which I give the complete
path there but don't worry about writing
it down because it's actually in
a Knowledge Base article you
can use dash h with the help option it
gives you the complete sort of man page
there is no man page for kickstart you
actually have to do the dash h option
and it spits out a long file and the
other thing is that you must use Apple
Remote Desktop 1.21 or later and the
article number and this is where it's
probably if you just write down 1078 37
that's the actual Knowledge Base article
and it's also in ARD 2 the other
advantage of a package is if you're big
on NetInstall you can actually use
NetInstall to distribute this package
throughout the enterprise so if I have
mobile users who connect and let's say
you've just purchased a site license for
Macromedia MX let's say you've got that
license well now that I packages the
package installer it means they can
attach to that NetInstall machine
and they can install it and be within
compliance if you have that site license
next I'm going to talk about the
open-source utility RsyncX RsyncX
is basically an HFS+ implementation of the
rsync protocol a developer has put a
GUI front end and a command line option
to using this utility and the utility
in the past has usually been used to
sync say servers or things like that
the rsync protocol is really very
efficient at basically copying the
differences between two file system
options or items so this is a great
utility it's been used a lot in Mac OS
X deployment one common gets this
utility it doesn't give you granularity
of some other options where you want
maybe just to distribute one specific
file Radmind again I talked about that
an open source suite of tools it comes
with a lot of different GUI options
there's a Radmind assistant that allows
you to edit and view transcripts which
are basically portions of the file
system it also has a Radmind assistant
that allows you to run the command line
tools through a GUI interface either
creating overloads which again would be
say a particular application install
they have some command line interface
tools two notable ones are fsdiff file
system differences lapply loadset
apply Radmind is a very powerful tool
can be used from the overall
distribution it could be used from
tracking to also file system management
one thing to note about Radmind it
runs as a tripwire and it also detects
differences and restores the machine back
to that managed state so it's a
really useful tool if you're worried
about security the flexible one time
subscribe lines of command
tools it's basically depending on how
you want to script the tools but we run
it manually start up login schedule
single user mode in conditional so if
you have certain higher is the file
system that have been touched you could
actually have Radmind start running
and restore the machine to a default
state next we want to just highlight why
you want to test when you're setting up
your application first different
environments different tools you use to
capture the install you might run into
certain issues depending on which tools
you use the captures attracted
installation so it's usually useful to
have a test machine and another machine
that you deploy the tool to and same
thing with distribution methods a lot of
people use there's a large variety of
different methods from sr using GUI
front ends like NetInstall and etc and
there's other tools like RsyncX and
Radmind or just manually going around using
either NetInstall or Apple Remote
Desktop and selling each of these
methods might cause some problems when
you're distributing so you want to also
have a machine to test those on things
to test a lot of these are kind of
obvious but a lot of times people forget
to test these when you distribute
application you wanna make sure help
works printing spell check you know the
pretty global options and then if you
have notable features of the application
you want to test also if the application
has any integration so for example I
likes you want to make sure you don't
break that integration by customizing or
modifying the application install so
we've covered a lot today and I know that
some of it probably went by pretty fast
so we're going to tell you where you can
get more information first of all for
Chris or for Richard in my information
both of us up there that's our email
addresses will try to answer your
question as best we can the other place
that you should know about is
macosxlabs.org both of us actually participate
in this we've written a white paper
which actually talks about many of these
issues and goes into more detail so that
you actually have the time to look at it
there's also a website that we will try
to keep more up to date than the white
paper because
just too hard to keep the white paper up
to date all the time and then Richards
institution the University of Utah has
an application deployment problems and
solutions page which talks
about applications that they've found
which may or may not work particularly
well in an enterprise