IzPack installers with privileged permissions
One common issue when dealing with installers is that they sometimes need to be run with privileged permissions: think root on Unix or an administrator on Windows. Otherwise some operations are not permitted such as writing to /usr/local/ or putting some system-wide entries in the infamous Windows registry.
The classic solution is of course to ask your end-users to run your installer as the right user, but I guess you agree that this is not very user-friendly...
With IzPack things have never been easy on this point, as telling your users to "launch a JVM as an administrator" is all but an easy thing.
There has been a workaround for some time under Windows Vista, as one can wrap an installer JAR into a self-extracting executable using our izpack2exe script. As long as the filename contains "setup" or "install", Windows Vista asks for a privileges elevation. This is of course not really satisfactory, as it requires some further efforts and does not work everywhere (plus you have to ship JAR and EXE versions of the same installer).
Fortunately the latest Subversion trunk of IzPack just fixes that 
The next screenshot shows the result on Mac OS X through the familiar security dialog box.
To do that, we had to make some OS-specific workarounds to relaunch JVMs, as there is unfortunately no way in the Java APIs to ask a JVM to run as a different user (or even better, as what the guest OS calls an administrator).
On Windows, we use a JScript that is an adaptation of the one from Aaron Margosis 'elevate.js' script. On Windows XP, a dialog appears and asks you under which account the application should be run, and on Windows Vista, a privileges escalation is proposed to the user through the familiar UAC machanisms (you know the UAC: it's the thing that constantly pops you to make sure that you indeed clicked there or there ).
On Mac OS X, we use a native universal application that calls the security framework (the source code lives in a Git repository at Github, feel free to reuse!).
Finally on Unix systems we chose a least-common denominator approach by relying on the presence of xterm and sudo.
You can already sample this in a special version of the experimental installer for Glassfish v3 Prelude. Of course you can also checkout the source code from our SVN trunk and see for yourself 
The last thing left to implement is to port the feature to uninstallers, as otherwise they are unable to properly remove what installers had put in the first place.
Feedback is more that welcome! I think this feature will make IzPack-based installers even more appealing... remember: Package Once. Deploy everywhere!
Related posts:
- New IzPack-based installers for GlassFish
- IzPack-based installer for GlassFish v3 Prelude
- IzPack 4.2.0 has been released
- IzPack 4.2.1 released + launching professional services for IzPack
- IzPack and Java Web Start
Enjoy this article?
Info
Twitter Updates
- So good that the 2010 F1 season is kicking off this week-end :-) 1 day ago
- A Grails app in development by past students :-) http://github.com/Neoseifer/seekin/ 2 days ago
- Mozilla is revamping the MPL http://goo.gl/d1pQ 2 days ago
- @pelegri I see the point. 2 days ago
- @alexismp I personaly know that it doesn't affect the strategy, but I'm pretty sure lots of people will actually read into this. 3 days ago
Archives
- March 2010 (1)
- February 2010 (2)
- January 2010 (2)
- December 2009 (8)
- November 2009 (7)
- October 2009 (1)
- September 2009 (3)
- August 2009 (4)
- July 2009 (2)
- June 2009 (3)
- May 2009 (3)
- April 2009 (5)
- March 2009 (7)
- February 2009 (4)
- January 2009 (5)
- December 2008 (8)
- November 2008 (8)
- October 2008 (13)
- September 2008 (8)
- August 2008 (5)
- July 2008 (7)
- June 2008 (9)
- May 2008 (6)
- April 2008 (7)
- March 2008 (4)
- February 2008 (10)
- January 2008 (17)
- December 2007 (8)
- November 2007 (10)
- October 2007 (9)
- September 2007 (13)
- August 2007 (9)
- July 2007 (9)
- June 2007 (18)
- May 2007 (28)
- April 2007 (17)
- March 2007 (8)
- February 2007 (10)
- January 2007 (14)
- December 2006 (8)
- November 2006 (8)
- October 2006 (8)
- September 2006 (17)
- August 2006 (12)
- July 2006 (7)
- June 2006 (15)
- May 2006 (2)
- April 2006 (11)
- March 2006 (5)
- February 2006 (6)
- January 2006 (12)
- December 2005 (3)
- November 2005 (12)
- October 2005 (6)
- September 2005 (11)
- August 2005 (13)
- July 2005 (12)
- June 2005 (16)
- May 2005 (19)
- April 2005 (20)
- March 2005 (19)
- February 2005 (26)
- January 2005 (44)
November 12th, 2008 - 11:54
That’s awesome – the issue of permissions has been troubling me for a long time, especially since (in my case) I can’t rely on administrators being the only users or asking users to launch from the commandline.
Any idea when this might make the main release?
November 12th, 2008 - 12:42
This will get into IzPack in December for 4.2.0.
You may also try it already by compiling the source code by yourself.
January 30th, 2009 - 10:22
This is a great new feature. But how can we use it? Is there a new xml tag for the setup.xml file for Izpack?
January 30th, 2009 - 12:15
Yes Tobi, it’s available now in IzPack 4.2.0.
Add an empty “run-privileged” element in the “info” section.