1. Copy the LibreOffice App to /Applications (/Programme on German system) using a normal account without admin privileges
2. You get asked to enter admin account/pw, do this
3. Start the german language pack
4. Install German language pack
Result: The german language pack is installed, without getting asked for an admin account and pw. This is wrong. The permissions inside the application binary package seems to be set in a way that modifications are allowed for non-admins, although installed using the admin account. This makes is possible for trojans and viruses to modify the application LibreOffice using the standard account.
Did not add l10n keyword, as this should be the fault of the main application, not the language pack. For the language pack it would be right behavior to fail or ask for admin privileges, so it will be additional work there after chmod is set correctly in the main app.
> binary package seems to be set in a way that modifications are allowed for
> non-admins, although installed using the admin account.
If it is true by default installation, it can be a bug. But I am not sure if the 1st step is the way how an ordinary user installs LibreOffice?
Add Thorsten for review.
My understanding is that the installation process only requires authentication if there is a difference between the user and admin accounts. A lot of users on Mac platforms make themselve Admin by default, so it is not always necessary to provide the authentication password to install software. I have just installed Lib0 rc2 on Mac OSX Tiger 10.4.11 and it did not ask me for an admin password to do so. I repeated the exercise on my Mac OSX 10.6.5 Macbook and again, was not asked for an admin password in order to install LibO.
I then installed the FR Langpack. A password was not requested. There are software packages that behave like this on Mac, but then again, most require that you enter an admin password in order to be able to do so. This is the case, for example, with NeoOffice patches.
The question I would put to the original poster is whether or not the user account also has admin privileges ?
For security reasons it is a good idea to work as non-admin always, even if you are the only user on the system, and only use an admin account for installation purposes. As written when entering the bug: "using a normal account without admin privileges".
You always can just add an additional user without making him admin if you want to try how it behaves. Or add an admin account and revoke the admin rights from the user you usually use.
(really nice and working fine since 10.4 Tiger even on PCC: You can login many users simultaneously, run a VINE server on every one of them, then you have a system for many users to test Mac OS X at the same time)
Hm, maybe I miss something here, but: when I install software on Mac via dragging a folder around (which is the way for tons of apps) - the resulting install, whether in one's home dir, or in /Application, will have this very user as the owner. Quite naturally, this user can then subsequently modify that program.
Not limited to LibreOffice - do that with any software (that does not run a dedicated installer, and may fix things up there), and do a 'ls -l /Applications' - you'll notice the system-provided ones having root:wheel ownership, and your own installs are user:user.
I fail to see what LibreOffice could do to alleviate this problem. If you want it secure, install as an admin, or subsequently chown the directory.