Welcome to NeoOffice developer notes and announcements
NeoOffice
Developer notes and announcements
 
 

This website is an archive and is no longer active
NeoOffice announcements have moved to the NeoOffice News website


Support
· Forums
· NeoOffice Support
· NeoWiki


Announcements
· Twitter @NeoOffice


Downloads
· Download NeoOffice


  
NeoOffice :: View topic - Root Access on Install - Why?
Root Access on Install - Why?
 
   NeoOffice Forum Index -> NeoOffice Releases
View previous topic :: View next topic  
Author Message
EatingPie
Blue Pill


Joined: Mar 22, 2005
Posts: 2

PostPosted: Tue Mar 22, 2005 4:48 pm    Post subject: Root Access on Install - Why?

I have not installed NeoOffice/J as it requested root access during installation. I am now applying a rule that only commercial software, or trusted sources (such as unsanity.com) will get installed on my machine with Admin privelledges.

I am assuming NeoOffice/J requested root access because of the root/admin permissions on my /Applications directory. If this is the *only* reason, I suggest NeoOffice/J allows install in a different directory, with user controlled permissions.

If NeoOffice/J asked for root permission for other reasons, I would certainly like to know them.

-Pie
Back to top
pluby
The Architect
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Tue Mar 22, 2005 5:08 pm    Post subject:

Administrator access is required because Neo/J uses OpenOffice.org's multi-user installation. This doesn't require admin access, but in the early days of Neo/J testing, we found that the OOo code has a very bad habit of trying to edit the installed files if the files are owned by the same user that is running Neo/J. This can really muck up a Neo/J installation over time.

So, to prevent the OOo code from editing any of the files in the installation, the installer executes chown -Rf root:admin and chmod -Rf a-w all of the Neo/J files.

Whether you are confortable with this is your choice, but the installer's requirement for admin access will not go away anytime soon.

FWIW, you can inspect all of the custom code that the Neo/J installer performs with admin access by looking within the installer's Contents/Resources directory. In that directory are several shell scripts that perform pre- and post-install actions.

BTW, if you use Unsanity's APE application enhancer and decide to install Neo/J, we have found that APE and Java 1.3.1 (which Neo/J uses for drawing) just do not seem to get along. I suspect Java 1.3.1's non-standard Carbon event queue might have something to do with this.

Patrick
Back to top
EatingPie
Blue Pill


Joined: Mar 22, 2005
Posts: 2

PostPosted: Tue Mar 22, 2005 5:45 pm    Post subject:

Thanks for the reply.

And based on your response, I recommend you add something to the readme file as to why root access is required. (If you did that already, than I am a very bad person for not seeing it!) Based on the info you give here, I would be far more comfortable allowing root access... especially after I check the scripts!

I'm not one to respond to FUD from Symantec, but I'm sure you aware of the recent "discovery" (ie FUD) about coming viruses to the Mac. Well before this, I made the rule of not installing with root privelledges, but now I think even more people will become somewhat leery at the prospect.

-Pie
Back to top
pluby
The Architect
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Tue Mar 22, 2005 5:49 pm    Post subject:

Your post also reminded of something that I keep forgetting to do. I need to put a check in the code to prevent Neo/J from starting as root. If you login as root and run Neo/J, the OOo code will happily edit installation files because root can write to anything. So, I need to add a simple if (getuid() == 0) _exit(0) call at the beginning of main().

Patrick
Back to top
sardisson
Town Crier
Town Crier


Joined: Feb 01, 2004
Posts: 4588

PostPosted: Tue Mar 22, 2005 8:59 pm    Post subject:

FYI. This plus the curl question have been added to the NeoOffice/J Installation Issues page in the wiki.

curl doesn't exactly fit there, but it's more appropriate than anywhere else.

It probably would be a good idea to have a small readme of some sort in the installer, if only to reemphasize a few of the obvious things (this is [alpha/beta] open source software, under constant development, check for patches and please file bugs, additional support/help at trinity and neowiki)...particularly as MacUpdate requires direct download links and people downloading from there never see the Planamesa pages....

Smokey

_________________
"[...] whether the duck drinks hot chocolate or coffee is irrelevant." -- ovvldc and sardisson in the NeoWiki
Back to top
Guest






PostPosted: Tue Apr 05, 2005 11:33 am    Post subject: Nothing But Arrogance

" Whether you are confortable with this is your choice, but the installer's requirement for admin access will not go away anytime soon. "


What's wrong with giving the user an option "Yes I know what I am doing" followed by a "You must take these steps after the program is installed: ... "?

Anything less is nothing short of pure arrogance and condescension on the part of the developers.
Back to top
ovvldc
Captain Naiobi


Joined: Sep 13, 2004
Posts: 2352
Location: Zürich, CH

PostPosted: Tue Apr 05, 2005 11:44 am    Post subject: Re: Nothing But Arrogance

Anonymous wrote:
What's wrong with giving the user an option "Yes I know what I am doing" followed by a "You must take these steps after the program is installed: ... "?

Anything less is nothing short of pure arrogance and condescension on the part of the developers.


Well, it is a Mac app. And Mac users, by sheer convention, are never bothered by this kind of technical stuff.

I don't really feel treated condescendingly. And feel free to download, examine and compile the source code. That is the nice part about FOSS, you can check everything and then agree if it is a good idea or not..

In any case, the wiki now has the commands that cause the root acces and you can remove it as you see fit.

_________________
"What do you think of Western Civilization?"
"I think it would be a good idea!"
- Mohandas Karamchand Gandhi
Back to top
Guest also
Guest





PostPosted: Tue Apr 05, 2005 11:44 am    Post subject:

^
|
|
|
|_____Hey, just for the record, that wasn't me!!!! (window coloring thread Guest guy)
Back to top
pluby
The Architect
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Tue Apr 05, 2005 11:46 am    Post subject: Re: Nothing But Arrogance

Anonymous wrote:
Anything less is nothing short of pure arrogance and condescension on the part of the developers.


Insulting the developers is an excellent way to ensure that this feature will not be implemented. Wink

Seriously, this is a project staffed by volunteers and we have only limited time to work on this app so we limit what we can support. In the case of Neo/J, we chose to support the multi-user install route. We don't have time to implement and support a separate single-user installer but since Neo/J is GPL, anyone can modify our code and release a single-user installer if they want.

Patrick
Back to top
Guest






PostPosted: Tue Apr 05, 2005 12:30 pm    Post subject: Re: Nothing But Arrogance

pluby wrote:
Insulting the developers is an excellent way to ensure that this feature will not be implemented. Wink


And insulting users is an excellent way to ensure that they never touch the product and bad-mouth it to friends, acquaintances, and strangers they meet in bars... Smile

Apologies for venting frustration in a non-constructive way, but this "we need root to install, so suck it up" attitude is growing more and more prevalent in the OSS community, and I see it as a terrible thing. It's the same sort of arrogance that drove many of us away from Microsoft and Large Vendors... "I don't care if it's your machine, I'm going to make it hard for you to do it any other way than 'my way'."

pluby wrote:
Seriously, this is a project staffed by volunteers and we have only limited time to work on this app so we limit what we can support. In the case of Neo/J, we chose to support the multi-user install route. We don't have time to implement and support a separate single-user installer but since Neo/J is GPL, anyone can modify our code and release a single-user installer if they want.


Understood, but it doesn't look like resources are limited when the installation aborts instead of continuing. It looks (!) like someone went through the extra effort to check and then flip the user the finger if they chose not to give up control of their box.

And everyone's time is limited. "You have the source, go do it yourself" presumes that everyone else has loads of spare time, when in fact we're all time- and resource- constrained. (The fact that a lot of OSS software have such convoluted dependencies that "rolling your own" is more than a full-time job. But that's a different issue.)

And, oddly enough, I did try to get NeoOffice/J to do its dance from scratch. I forget why it failed,now... Perhaps it's time to try again, and to keep better notes.

...and from upstream:
Quote:
Well, it is a Mac app. And Mac users, by sheer convention, are never bothered by this kind of technical stuff.


Some of us are new-to-Mac, and come from other platforms. We only got a Mac because they're now UNIX boxen, and we ARE bothered by this sort of technical stuff.

And until we get better sandboxing tools, it behooves us to provide feedback when we encounter these issues, and to not accept the casual "suck it up and type in the password" dismissals, no matter how politely such insults are phrased, or even if they're intended as such.
Back to top
ovvldc
Captain Naiobi


Joined: Sep 13, 2004
Posts: 2352
Location: Zürich, CH

PostPosted: Tue Apr 05, 2005 1:50 pm    Post subject:

Guest also wrote:
|_____Hey, just for the record, that wasn't me!!!! (window coloring thread Guest guy)


Dude, get a login! And sign a message with your name, if we are to keep you apart from other Smile.

As for the other guest: I came from Windows (reluctantly), and an Amiga before that. And I decided that I trusted Patrick enough to allow his stuff admin access for install purposes. I decide the rest on a case-by-case basis.

But a lot of software, commercial or otherwise, asks for this kind of access. I guess Windows desensitized me to that. I am more careful these days, but I am not as strict as Linux or BSD users.

I suppose it depends on your viewpoint. Most Mac users want the install to work and not screw up and are willing to trust the authors. A few don't.

AFAICT, the ones that don't want hassle are unlikely to figure out what is going on, while the ones who frown on admin rights have the skills to examine the software. Whether you want to take the time is your choice.

And actually, if you decide not to install, you are not technically a user. I really wish you would try Neo/J before badmouthing it. It has great functionality and is not likely to damage your system.

_________________
"What do you think of Western Civilization?"
"I think it would be a good idea!"
- Mohandas Karamchand Gandhi
Back to top
Guest






PostPosted: Tue Apr 05, 2005 7:54 pm    Post subject: Mutual Respect?

ovvldc wrote:
As for the other guest: I came from Windows (reluctantly), and an Amiga before that.


Heh. Amiga here, too, and then minicomputers, then SunOS, Solaris, BSD, then Linux, and now OS X (and a few years in there with MSDOS and MSWindows, but I try to suppress those memories). It's sad when I look back on the days of dual floppies as the days in which I had the most control, greatest comfort, and least concern about security, considering the wide-open nature of the Amiga.

ovvldc wrote:
And I decided that I trusted Patrick enough to allow his stuff admin access for install purposes. I decide the rest on a case-by-case basis.


It's not a matter of how much I do or do not trust Patrick. It's that I shouldn't have to.

ovvldc wrote:
But a lot of software, commercial or otherwise, asks for this kind of access. I guess Windows desensitized me to that. I am more careful these days, but I am not as strict as Linux or BSD users.


This is true -- a lot of software demands more access than it reasonably should. Part of the problem in UNIX is that there isn't a very good way to delegate authority; you tend to get "everything or nothing" access.

And the 'desensitization' issue you raise is a good one. I saw far too much of that back when I worked in a Microsoft-centric shop. I see it happening again the the OSS world, and this bothers me, because I'm convinced the virus/trojan/worm problem in the MSWindows world is directly related to that desensitization, and only weakly related to the security or lack thereof of the underlying platform.

ovvldc wrote:
I suppose it depends on your viewpoint. Most Mac users want the install to work and not screw up and are willing to trust the authors. A few don't.


Again, it's not really a matter of being willing to trust the authors, it's the expectation that's the problem. WHENEVER someone says "just trust me" when there isn't a darn good reason, it's utterly stupid to do so, even if that trust would be justified, in spades. It's the attitude -- the desensitization of the community, if you will -- of trusting ALL the authors that is the danger. And it behooves the better developers to avoid contributing to that problem, lest they be tarred with the same brush.

ovvldc wrote:
And actually, if you decide not to install, you are not technically a user. I really wish you would try Neo/J before badmouthing it. It has great functionality and is not likely to damage your system.


The the lack of a username is deliberate Smile -- I'm not a user (yet). I've _tried_, and been stymied by the install process.

But that's not really the point. Users should avoid insulting developers, as that's not productive. This includes not asking for stupid features ("Can't you put up an animated splash screen with a couple of missiles blowing up the Microsoft Logo? Andy why don't you use C# and Python instead of Java, 'cuz Java sux0rs!"). Likewise, developers ought to avoid insulting their users. This includes trying to avoid being (unconciously, perhaps) patronizing by forgetting that it's the user's machine, only the user's machine, all the user's machine, and not at all the developer's machine.

Mutual respect is a wonderful thing. And I'm sure that NeoOffice/J is a wonderful program. And now I'll go look at the wiki again to see if I can find that mythical fix for the installer. . .
Back to top
pluby
The Architect
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Tue Apr 05, 2005 9:01 pm    Post subject:

Requoting the following from earlier in this thread. The following problem is the only thing that prevents the Neo/J installer from not requiring admin access:

pluby wrote:
Administrator access is required because Neo/J uses OpenOffice.org's multi-user installation. This doesn't require admin access, but in the early days of Neo/J testing, we found that the OOo code has a very bad habit of trying to edit the installed files if the files are owned by the same user that is running Neo/J. This can really muck up a Neo/J installation over time.

So, to prevent the OOo code from editing any of the files in the installation, the installer executes chown -Rf root:admin and chmod -Rf a-w all of the Neo/J files.


The specific directory that the OOo code really tries to muck up is the /Application/NeoOfficeJ.app/Contents/share subdirectories. In my prior attempts about a year ago, having the user that installed them own the files didn't work even when I chmoded the files as read only. The OOo code would try to chmod them back to writable and, when it succeeded would change them which, in turn, would make the Neo/J installation unusable for any other users on the same system. Sad

If this problem still exists (I haven't tried it with the OOo 1.1.3 or 1.1.4 code), then we may be stuck with requiring admin access until OOo 2.0.

Patrick
Back to top
Display posts from previous:   
   NeoOffice Forum Index -> NeoOffice Releases All times are GMT - 7 Hours
Page 1 of 1

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Powered by phpBB © 2001, 2005 phpBB Group

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © Planamesa Inc.
NeoOffice is a registered trademark of Planamesa Inc. and may not be used without permission.
PHP-Nuke Copyright © 2005 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.