Path: utzoo!attcan!uunet!bbs!karl From: karl@naitc.naitc.com (Karl Denninger) Newsgroups: comp.unix.admin Subject: Re: Software installation opinions needed Summary: Disagreement here Message-ID: <1990Sep20.160212.241@naitc.naitc.com> Date: 20 Sep 90 16:02:12 GMT References: <25908@shamash.cdc.com> <1990Sep19.125944.6489@cs.utk.edu> Reply-To: karl@bbs.naitc.com (Karl Denninger) Organization: A.C. Nielsen Co. Lines: 59 In article emery@linus.mitre.org (David Emery) writes: >Here's another do/don't do: > > I get VERY UPSET by 3rd party installations that must be done as >'root'. An installation script should NOT require that it be run by the >superuser to do mundane things such as get the stuff off the tape, >build its directory structure, etc. It should be MY decision what >userid owns the software, and to run the installation using an userid >other than root. Besides, in this era of viruses, etc, who knows what >an installation script is doing to your system? > > Generally there is a little bit of installation that must be run >as root, to install things in places like /usr/bin, and /usr/lib. The >right approach (in my opinion) is to provide these scripts separately, >and also provide an alternate approach. Well, you're being not only unrealistic in some cases, but paranoid as well. For commercial software (I publish a package under my own name, not AC Nielsen) there is a good reason to run as root. Namely, you have to do a LOT of things as root to get the package installed. For example, our package requires: o) Installation of two user id's in /etc/passwd under some circumstances (ie: if you select one of the options). o) SUID of the package if you select one of the options; it has to be able to write /etc/utmp if that option is chosen. The package DOES relinquish SUID privs immediately after it does that operation on the /etc/utmp file, which is done prior to allowing the user any input beyond his/her password and login id. o) Installation of a group in /etc/group if it's not already there. o) Creation of a parameter file in /etc (so the rest of the package can "find itself" when it runs). On the plus side, it does tell you exactly what it's doing during installation, and DOES ask you where you want things installed -- including the libraries it uses and the binaries. There's an option for "fast install" which chooses all defaults, but those are also displayed before they're executed. So yes, there are reasons to install as root. For packages which don't do system things, I don't like the idea, but for those which do (and lots do either that kind of thing or install drivers, etc) you've got precious little chance of getting people to break the scripts up. Why? Because I'll give you one guess at how many people will forget to run the second script (to do the "root required" things) and then call tech support asking why the product doesn't work. -- Karl Denninger AC Nielsen kdenning@ksun.naitc.com (708) 317-3285 Disclaimer: Contents represent opinions of the author; I do not speak for AC Nielsen on Usenet.