Post-install Scripts in PEAR 1.4.0

(28)

Do you develop a website? It is infinitely better to synchronize live and development sites using the PEAR Installer

(25)

Using PEAR 1.4.0 to install PEAR packages on a remote host

(19)

doing the PEAR thing

(19)

phpDocumentor and __get/__set/__call - give us your ideas (RFC)

(17)

Syndicate This Blog

RSS 0.91 feed

RSS 1.0 feed

RSS 2.0 feed

ATOM 0.3 feed

ATOM 1.0 feed

RSS 2.0 Comments

Powered by

Serendipity PHP Weblog

Monday, January 31. 2005

An exciting new feature in PEAR 1.4.0a1 I've just completed the arduous work to implement are post-install scripts. A post-install script is a controlled extension to the installation process that is highly configurable and very powerful. In fact, the power is so great, In fact, the power is so great, I will need to spend some time crafting some counter-measures to unfriendly post-install scripts, but that is an issue for the end of this post.

First, the fun stuff.

To understand this post, you need to have a basic understanding of how PEAR works. PEAR is structured around re-distributable archives of PHP files called "packages." A package is defined by a simple file that describes the contents of a package. This file is always called package.xml, and describes the authors, the nature of the package, and the list of files in the package.

Post-install scripts are implemented in package.xml as a task. Tasks were implemented in a rudimentary and undocumented manner in older versions of PEAR with the "replace" tag:

[xml]<file role="php" name="blah.php">
<replace from="@something@" to="version" type="package-info"/>
</file>[/xml]

the PEAR installer would look through the blah.php file and do a simple str_replace('@something@', XXX, contents of blah.php); where XXX is the package version.

In package.xml 2.0, namespace http://pear.php.net/dtd/package-2.0, tasks are implemented as namespace http://pear.php.net/dtd/tasks-1.0. Therefore, our replace task now looks like:

[xml]<file role="php" name="blah.php">
<tasks:replace from="@something@" to="version" type="package-info"/>
</file>[/xml]
Post-install scripts are implemented as php files that contain the postinstallscript task. The following is a post-install script:

[xml]<file role="php" name="blah.php">
<tasks:postinstallscript/>
</file>[/xml]

The following is invalid and will trigger a validation error, as only php files may be post-install scripts:

[xml]<file role="data" name="blah.php">
<tasks:postinstallscript/>
</file>[/xml]

The internal structure of blah.php is also very specific. It must contain a single class named "path_to_file_postinstall" so that our example blah.php must contain:

PHP:


<?php

<br />class blah_postinstall<br />{<br />    var $_ui;<br />    var $_config;<br />    /**<br />     * @param PEAR_Config<br />     * @param PEAR_Frontend<br />     */<br />    function init(&amp;$config, &amp;$ui)<br />    {<br />        $this-&gt;_config = &amp;$config;<br />        $this-&gt;_ui = &amp;$ui;<br />    }</p><p>    /**<br />     * @param array associative array of parameters<br />     * @param string paramgroup name<br />     * @param string either install or upgrade<br />     */<br />    function run($info, $phase, $installtype)<br />    {<br />        return true;<br />    }<br />}<br />

?>

If blah.php were located in a subdirectory, such as foo, the class would be named foo_blah_postinstall. In addition, a basic post-install script MUST contain the methods init() and run() as shown above. The script you see there is the simplest post-installation script that will succeed.

A post-install script is most useful when it can process user input to do setup. PEAR supports three different frontends for installation, the Command-Line Interface (CLI), Web Interface, and GTK Interface. Retrieving input is completely different for all three interfaces. To simplify implementation of this, the parameters must be specified in the package.xml file, and the PEAR Frontend will be responsible for prompting the user and retrieving input. Fortunately, there are a large number of options available for customizing parameters that both simplify validation and eliminate common errors.

Parameters are grouped using a <paramgroup> tag. Each paramgroup has a mandatory id that may only contain letters and numbers, and then a mandatory list of parameters. Here is the simplest <paramgroup> tag possible:

[xml] <paramgroup>
<id>first</id>
<param>
<name>test</name>
<prompt>Testing Thingy</prompt>
<type>string</type>
</param>
</paramgroup>[/xml]

Note that the only type recognized at this stage is "string" but others will follow. A more complex example follows:

[xml] <file baseinstalldir="/" name="sub2.php" role="php">
<tasks:postinstallscript>
<paramgroup>
<id>first</id>
<param>
<name>test</name>
<prompt>Testing Thingy</prompt>
<type>string</type>
<default>hi</default>
</param>
<param>
<name>test2</name>
<prompt>Testing Thingy 2</prompt>
<type>string</type>
</param>
</paramgroup>
<paramgroup>
<id>second</id>
<name>first::test</name>
<conditiontype>preg_match</conditiontype>
<value>g+</value>
<param>
<name>test</name>
<prompt>Testing Thingy a</prompt>
<type>string</type>
<default>hi</default>
</param>
<param>
<name>test2</name>
<prompt>Testing Thingy b</prompt>
<type>string</type>
</param>
</paramgroup>
</tasks:postinstallscript>
</file>[/xml]

This post-installation script has two parameter groups. After the first group is processed, the second group is processed (naturally). However, in this case, the second group is a conditional parameter group. A conditional parameter group examines the user input from previous parameter groups and only displays its parameter prompts if a single parameter fits a test. The condition is defined by three tags, <name>, <conditiontype>, and <value>. Note that all three tags are required or xml validation will fail.

<name> is the parameter name from a previous parameter group. The format of name is groupID::parameterName, so as you see above, "first::test" refers to the <param> first from the <paramgroup> test.

<conditiontype> determines how the parameter input function will process the value of the parameter specified in <name>, and can be one of three values, "=" "!=" or "preg_match".

=: This (obviously) tests whether the parameters value is equal to the <value> tag
!=: This (obviously) tests whether the parameters value is not equal to the <value> tag
preg_match: This uses the content of the <value> tag as if it were the stuff between / and / in a preg_match() function call. Do NOT include // brackets in the regular expression. In the <paramgroup> second, the value "g+" will become
PHP:
<?php preg_match('/g+/', first::test value) ?>

After processing each paramgroup, the frontend post-install script handler calls the "run()" method of a post-install script. In this example script:

[xml] <file baseinstalldir="/" name="sub2.php" role="php">
<tasks:postinstallscript>
<paramgroup>
<id>first</id>
<param>
<name>user</name>
<prompt>Database Username</prompt>
<type>string</type>
<default>hi</default>
</param>
<param>
<name>pass</name>
<prompt>Database Password</prompt>
<type>string</type>
</param>
</paramgroup>
<paramgroup>
<id>second</id>
<name>first::test</name>
<conditiontype>preg_match</conditiontype>
<value>g+</value>
<param>
<name>test</name>
<prompt>Testing Thingy a</prompt>
<type>string</type>
<default>hi</default>
</param>
<param>
<name>test2</name>
<prompt>Testing Thingy b</prompt>
<type>string</type>
</param>
</paramgroup>
</tasks:postinstallscript>
</file>[/xml]

PHP:


<?php

<br />class blah_postinstall<br />{<br />    var $_ui;<br />    var $_config;<br />    var $_user;<br />    var $_pass;<br />    /**<br />     * @param PEAR_Config<br />     * @param PEAR_Frontend<br />     */<br />    function init(&amp;$config, &amp;$ui)<br />    {<br />        $this-&gt;_config = &amp;$config;<br />        $this-&gt;_ui = &amp;$ui;<br />    }</p><p>    function createDatabaseTables($user, $pass)<br />    {<br />        $this-&gt;_user = $user;<br />        $this-&gt;_pass = $pass;<br />        $conn = mysql_connect('localhost', $user, $pass);<br />        mysql_select_db('blah', $conn);<br />        $res = @mysql_query('CREATE TABLE foo { one VARCHAR(20)}');<br />        mysql_close($conn);<br />        return $res;<br />    }</p><p>    function removeDatabaseTables()<br />    {<br />        $conn = mysql_connect('localhost', $user, $pass);<br />        mysql_select_db('blah', $conn);<br />        @mysql_query('DROP TABLE foo');<br />    }</p><p>    /**<br />     * @param array associative array of parameters<br />     * @param string paramgroup name<br />     * @param string either install or upgrade<br />     */<br />    function run($info, $phase, $installtype)<br />    {<br />        switch ($phase) {<br />            case 'first' :<br />                if ($installtype == 'install') {<br />                    return $this-&gt;createDatabaseTables($info['user'], $info['pass']);<br />                }<br />                if ($installtype == 'upgrade') {<br />                    $this-&gt;_ui-&gt;outputData('Tables already created (upgrading)');<br />                }<br />                break;<br />            case 'second' :<br />                $this-&gt;_ui-&gt;outputData('You said:' . $info['test'] . ', and ' . $info['test2']);<br />                break;<br />            case '_undoOnError' :<br />                if (isset($info['first']) &amp;&amp; $installtype == 'install') {<br />                    // database tables were created, undo create on install<br />                    $this-&gt;removeDatabaseTables();<br />                }<br />                break;<br />        }<br />        return true;<br />    }<br />}<br />

?>

You can see a realistic example of the way an install script might work. Note that all output is displayed using the outputData() method of PEAR_Frontend. Anything else could corrupt the display in frontends other than the CLI frontend, rendering your package's install script useless for annoyed patrons of the Web and Gtk frontends.

First, the user is prompted for their database username/password. After both are filled in (the Frontend will not advance until all parameters are filled in, no blank parameters are allowed), the input is passed to the run() method. In this example, the input will be something like this:

PHP:


<?php

$script-&gt;run(array('user' =&gt; 'myusername', 'pass' =&gt; 'mypassword'), 'first'<strike>, 'install'</strike>);

?>

~~The final parameter, $installtype, can be either install or upgrade.~~(No longer true)

If the user cancels processing of the install script, or there is any error, the script will be called with:

PHP:


<?php

$script-&gt;run(array('paramgroupname1' =&gt; true, 'paramgroupname2' =&gt; true,...), '_undoOnError'<strike>, 'install'</strike>);

?>

The first element contains an associative array listing the paramgroups that were successfully processed and executed. In this way, the installation script can clean up any system changes on error in an incremental way.

Security Issues

Obviously, allowing unknown scripts to run at install-time is an inherent security risk, particularly on shared hosts where admins are likely to run "pear upgrade-all"

Because of this, several steps need to be implemented to make install scripts safe. First, the restrictions that I would assume:

Single users are the only people who really need install scripts
It should be possible to run installation scripts after installation is over, perhaps with "pear run-scripts Packagename"

With these restrictions, it should be possible to make installations secure. Necessary steps would be to add a configuration variable "run_installscripts" which would default to 0 (off). When a package is installed that has installation scripts, the user would be notified to run them, and how to do it.

This should kill off the possibility of malicious post-install scripts, while keeping full flexibility. Any other evil scenarios that you can think of should be mentioned now, so I can add in safeguards.

In conclusion, it's been a long time in coming, but PEAR is finally reaching a level of maturity that matches or exceeds the most flexible and robust installation systems out there.

Posted by Greg Beaver in PEAR at 07:43 | Comments (9) | Trackback (1)

Trackbacks

Trackback specific URI for this entry

Update to post-install scripts
Regarding http://greg.chiaraquartet.net/archives/5-Post-install-Scripts-in-PEAR-1.4.0.html, I have taken the suggestions into account and reworked the way post-install scripts work.First off, the xml representation has not changed a bit, but now post-inst

Weblog: Lot 49 - Greg Beaver's blog
Tracked: Feb 07, 11:59

Comments

Display comments as (Linear | Threaded)

It looks interesting � but I�ve read and re-read the docs about PEAR, and a thing that would be really really great, would be to see PEAR live at the same time in /usr/share/php AND in /usr/local/share/php as perl does.

And AFAIK there is no such feature in PEAR, and thats a real *pain* for linux distros packagers/maintainers

#1 MadCoder (Homepage) on 2005-01-31 09:21 (Reply)

to MadCoder:

Two separate installs of PEAR can easily be constructed and maintained, all you need is two separate configuration files, but this has nothing to do with post-installation scripts. Just because it is not done automatically does not make things a real pain. Most users don�t NEED two installations. Please don�t reply to this post with more comments on this issue, but if you have more to say, feel free to post to pear-dev@lists.php.net with your comments.

Greg

#1.1 Greg Beaver (Homepage) on 2005-01-31 12:19 (Reply)

A couple thoughts. About the structure of the postinstall script, why not use __construct() instead of init()? I know we�re in PHP4 land, but why not look forward?

Also, just a random idea�why not tie in a way to run unit tests post-install and revert the install if the tests fail?

On security, I don�t know what other setups are like, but I�ve seen several servers where PEAR was installed by root. That means every pear command after that has to be executed with root priviledges. With the potential for malicious post-install scripts, this seems like a dangerous situation. Perhaps the post-install scripts shouldn�t be runable as root? I dunno.

#2 ryan king (Homepage) on 2005-01-31 10:37 (Reply)

Ryan King said:

> A couple thoughts. About the structure of the postinstall script, why not use __construct() instead of init()? I
> know we�re in PHP4 land, but why not look forward?

init() does not serve the same purpose as a constructor. It instead passes in post-creation values for initialization. If it was a constructor, I would have called it such

> Also, just a random idea�why not tie in a way to run unit tests post-install and revert the install if the tests
> fail?

This may be possible, but certainly not as a default option in the installer without unmaintainable complexity. Per-package install checks would be neat. In order to revert an install, the installer would need to maintain a listing of complete state. This is better handled by a pre-installation script.

> On security, I don�t know what other setups are like, but I�ve seen several servers where PEAR was installed by
> root. That means every pear command after that has to be executed with root priviledges. With the potential for
> malicious post-install scripts, this seems like a dangerous situation. Perhaps the post-install scripts shouldn�t
> be runable as root? I dunno.

I do think that it should be possible to run them manually, but you�re right, automatically is always a bad thing if run as root.

Greg

#2.1 Greg Beaver (Homepage) on 2005-01-31 12:23 (Reply)

It does strike me as a little dangerous, I know �dpkg -i somepackage.deb� will install and run any old installation script (Although AFAIK they should be signed..), I wonder if a simple measure would be:

Error: package ABC.php wants to run an install script,
**IMPORTANT: Please ensure you trust the source of this package ***
then use �pear install �run-scripts ��.� to install it.

I guess if we start signing our packages it may help.. (trusted keys on pear.php.net?)

#3 Alan Knowles (Homepage) on 2005-01-31 15:06 (Reply)

I was thinking exactly the way Alan suggests. Perhaps post-install scripts should truly be post-install however. In other words:

CODE:

$ pear install Blah install OK channel://pear.php.net/Blah **NOTICE: Blah ships install scripts in files: /usr/share/pear/Blah/script1.php /usr/share/pear/Blah/script2.php Please ensure you trust the Blah package. To run the script, use �pear run-scripts Blah� $ pear run-scripts Blah

In this way, there would never be anything automatic about post-install scripts.

This should eliminate the absolute necessity of signing packages, but I do think signing them would be a great thing if the gpg binary wasn�t required to validate them. That eliminates a large number of windows users, since setting up gpg is not a piece of cake.

Perhaps some experts on keys could have more answers.

#3.1 Greg Beaver (Homepage) on 2005-01-31 21:20 (Reply)

One important thing is missing, or I missed to see it. If running the post-install scripts during an upgrade, the install scripts need the old version of the package. Beside that, install vs. upgrade shouldn�t change for different parameter groups, thus it should be passed to init() once, instead of to run() each time. init() could then also be the place to pass the old package version.

#4 Jan Schneider on 2005-02-01 02:42 (Reply)

You�re absolutely right about the old version, and that this should be passed into init().

#4.1 Greg Beaver (Homepage) on 2005-02-01 09:00 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Standard emoticons like :-) and ;-) are converted to images. E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: BBCode format allowed You can use [geshi lang=lang_name [,ln={y\|n}]][/lang] tags to embed source code snippets
	Remember Information? Subscribe to this entry