How do I stop this....

Discussion in 'Mac Apps and Mac App Store' started by Falleron, Feb 7, 2004.

  1. Falleron macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #1
    Ok, how can you stop applications being copied to external devices? Can you protect the applications folder? Still need external devices to be allowed.

    Cheers.
     
  2. Horrortaxi macrumors 68020

    Horrortaxi

    Joined:
    Jul 6, 2003
    Location:
    Los Angeles
    #2
    I'm not too clear on this. Why are your applications being copied to an external drive?
     
  3. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #3
    They are not currently. But, I want to be able to stop software piracy in a lab environment.
     
  4. Rincewind42 macrumors 6502a

    Rincewind42

    Joined:
    Mar 3, 2003
    Location:
    Orlando, FL
    #4
    Re: How do I stop this....

    Your best bet is to get a Key Server. It's what we used at the computer lab I used to work at and basically it works by tagging each application to check in with a central server before it can launch. The server manages license count so you can even deploy applications for all of your machines in cases where you have fewer real licenses.

    It won't stop the user from copying the applications to an external device, but when they try to run it at home the app will just quit stating that it couldn't find the Key Server. Which if you ask me is more divine justice than keeping them from copying in the first place :D .
     
  5. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #5
    Any other solution exist? Freeware ideally? For example, make the Applications folder invisible but still accessible for users?
     
  6. altair macrumors regular

    Joined:
    Nov 22, 2002
    Location:
    Seattle, WA
    #6
    There has to be a way to do this with permissions. I guess someone with linux or unix background would know more.
     
  7. Rincewind42 macrumors 6502a

    Rincewind42

    Joined:
    Mar 3, 2003
    Location:
    Orlando, FL
    #7
    If you go into terminal and do this command:

    chmod u-x /Applications

    it should prevent the user from getting a listing of the applications folder, just beware that you will need to create an alias to each and every application you want the user to be able to use. You will also need to do this to any subfolders of the Applications folder. Depending on your setup, you may also need to revoke from group too (chmod ug-x /Applications). And once you make your aliases (or your dock shortcuts) check each one by doing a "Show in Finder" to make sure the cannot open list the folder somehow.

    Also, you will need to lock out applications that are not already installed. Otherwise there are various applications that they could use to package up whatever they want (heck, they could just use Disk Utility to make a clone of your HD if they have enough space to burn and can boot from the external drive).

    You may also be able to get away with Simple Finder, but there are some SEVERE restrictions and I didn't play around with it all that much to tell what they all are.

    I really do recommend the Key Server, it will save your sanity in the long run.
     
  8. Sweetfeld28 macrumors 65816

    Sweetfeld28

    Joined:
    Feb 10, 2003
    Location:
    Buckeye Country, O-H
    #8
    The Best Solution

    I think that this might be the best solution for your problems. I used to work for a local Community College, we used this program called DeepFreeze for our Dell CAD computers. Well, just recently the company that makes this program, came out with a version for OS X. I asked my old boss how well it works, and he said better than it does on the PCs.

    All that you have to do is Setup your computer the way that you want everthing set, and install the program. Anytime that someone does something to the computer like delete the system folder or something drastic, all you have to fix it is restart the computer. I can't remember if all of the tricks of the program, but i do know that you can download a 60 day trail of it here:

    Faronics DeepFreeze

    Good Luck
     
  9. HexMonkey Administrator

    HexMonkey

    Staff Member

    Joined:
    Feb 5, 2004
    Location:
    New Zealand
    #9
    I don't think this is what Falleron wants. DeepFreeze restores changes on the computer that it is installed on, but it doesn't prevent copying to other devices.
     
  10. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #10
    I second (third?) the recommendation for the keyserver.

    I don't see how file permissions could be used for this. If you make a directory non-executable, of course the user can't navigate into it. But it's also going to break any symlinks (soft links) that point to files in that directory.

    Heck, it's supposed to work that way! If it didn't you would have a big glaring potential security hole on your hands. :D So if aliases work differently than symlinks in this case (in other words, if the alias would still work), all I've got to say is this is a bug in OS X that needs to be fixed ASAP! :) This would mean that you could munge an alias together (with enough knowledge about the HFS+ file system) to defeat any security put in place.
     
  11. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #11
    Here is your solution.

    Download pathfinder (finder replacement app), right click/get info on the applications folder.

    Choose access tab.

    Unclick all the options for access except for excecution (restricting it to the groups etc that you want).

    Now, as long as the icons are in the dock or aliased somewhere, you can access them, and launch the apps, but you can't see them nor can you copy them.

    You can even "lock" the folder if you want.

    Why these options aren't in the finder is beyond me.... :rolleyes:

    But they are there!

    And, make sure to remove the "Applications" shortcut on the finder sidebar.
    Oh, and make sure your users aren't set up as able to admin...
     
  12. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #12
    Pathfinder

    Does Pathfinder stop users from running apps from the command line? That is, prevent them from doing 'open -a appname'?
     
  13. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #13
    Re: Pathfinder

    Well, since all pathfinder is doing is altering the UNIX permissions, of course.
     
  14. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #14
    Re: Re: Pathfinder

    Hey, thanks Fukui! I've learned something new today, after reading your post there and then experimenting.

    I thought you needed to have "read" permission as well as "execute" permission (at the unix end) to run a program - but that's not the case.

    After reading Fukui's comment, I dropped to the command line and did some playing. If you do a-rw a+x on the apps (NOT on the directory!!!) it works!

    So while you'd probably have to redo this after any time you've repaired permissions or run a software update, you can just 'chmod a=x *' on your apps and it'll do just what you want! Cool!

    But be sure that the directory maintains its "rx" permissions.
     
  15. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #15
    Re: Re: Re: Pathfinder

    Or you could do a chron job that "repairs" the permissions the way you want them to...or add a folder action that would alter the permissions of apps that are dropped in... don't know if apple script can alter permissions, it would be cool if it could.
     
  16. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #16
    Thanks. I will give that a go + report back.. :)
     
  17. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #17
    Hmm, the Path Finder does not quite do what I want unfortunatly. If the changes I made in path finder were applied to the finder when I quit then it would be a good step forward.

    What is the effect of "locking" a program? Ie. get info + checking the tick box? Would that stop people copying the locked file to a usb drive?

    Also, how would I "lock" a file from the applications folder? The option is greyed out.
     
  18. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #18
    Hmm, I'm not sure exactly what you mean?
    When you quit the pathfinder app? or Quit the system (log out)?

    When I changed permissions in pathfinder, it was immediately changed in the finder and all other apps/processes that attemtped to access any applications in that folder...
     
  19. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #19
    Oh right. When I made the changes + quit the pathfinder app no changed seemed to have been implemented. It does not seem to be saving changed. Is this a limit of the shareware version?

    For example, I changed the chess program to be locked (via apple + I). A few mins later I went back to the info on chess + the check box was not selected for chess being locked.

    Ah, I restarted + my test app (chess) was invisible like I had told pathfinder to do. Just needed a restart. Question though. How do I make it visible again???
     
  20. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #20
    No, its still locked, its just that the finder is not smart enough to recheck the properties of the file. If you restart the finder (from the Pathfinder menu) you'll see that it is locked or whatever.

    Here are the properties I set for the Applications folder:
     

    Attached Files:

    • pic1.jpg
      pic1.jpg
      File size:
      38.1 KB
      Views:
      207
  21. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #21
    Thanks. So, what is the result of your permissions? Will this allow the owner to do what they want + allow others to only exectute apps.

    So, for example, if I was to log on as a non administrator what would I see + be able to do?

    I want to be able to stop items being moved out of the folder.
     
  22. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #22
    Ok,

    If you do this (change permissions) for the other folders in the Applications folder (Utilities and Applescript etc.) then they cant get to those applications in those folders either (through Apple-Shift-G "Go to Folder" in the finder). You might make all the apps invisible too, just make sure at least there's a dock icon or shortcut somewhere, and that at least root is the owner and still has Read Write and Excecute permissions so you can log in as root at some later time and change them...if you need to.

    The result will be that only the root user (you should make sure your password is very very good) can only view/change/execute the items whereas all other users (in the group you specify) can execute items in those folders (via the dock or shortcut) but cant actually see the items contained (if they choose "reveal in finder" they'll get nothing, even from the terminal ls -ax will just get them a "permission denied") therefore, they absolutely should not be able to copy any apps.

    Or...this might be better, but will take a little more time on your part.

    1 Lock the Applications folder and any other folders inside (Utilities, applescript etc).

    2 Make sure that root is the owner of those folders. (You'll need to activate the root user or be an admin to change it back)

    3 In each application right/control-click and choose "show package contents" no navigate to the "MacOS" folder and inside that folder is the actuall "Executable" file. Change its permissions to only executable from all users except root (keep root as read/write/execute).

    Now, since you locked the applications folder, items can only be copied and not moved out of applications. Secondly, since you changed the real executable to "execute only" when any user tries to copy it, the executable file wont be copied...they can double click it all they want and it wont launch.

    The only downside is, some apps like MS Office and Dreamweaver Photoshop etc might not be "packages." In that case you can choose to make the support folders invisibe like the ones for MS Office (so when they copy the MS Word for example, it cant run because of missing "libraries"), but still others make it near impossible to limit the permissions because they don't conform (its technically long and borring explanation about older carbon apps)...

    The easiest to implement is the first option IMOH...

    Here is a pic of what to do inside each app if you want to go down the harder path:
     

    Attached Files:

    • pic3.jpg
      pic3.jpg
      File size:
      63.1 KB
      Views:
      183
  23. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002
    #23
    If you log in as a non-administrator, you should be able to launch the apps from the dock, but not view them at all.
    Clicking on the applications tab in the finder for example, would result in a permissions error.
     
  24. Falleron thread starter macrumors 68000

    Falleron

    Joined:
    Nov 22, 2001
    Location:
    UK
    #24
    Thank you very much for you help. Will give it a try tomorrow + let you know how I get on.

    Cheers again.
     
  25. Fukui macrumors 68000

    Fukui

    Joined:
    Jul 19, 2002

Share This Page