I was surprised when GOG installer asked for Admin password on macOS so I've started digging what is going on under the hood. And found this:

./galaxy_client_1.2.31.8.pkg/galaxyClientFirst.pkg/Scripts/postinstall

function SetPermissions()
{
echo "[5] Setting permissions"
sudo chown -R "$USER" "/Applications/GOG Galaxy.app"
sudo chmod -R 777 "/Applications/GOG Galaxy.app"
chmod -R 777 "${GALAXY_SHARED_PATH}"
xattr -d com.apple.quarantine "/Applications/GOG Galaxy.app"
}

You are setting EVERY app file as executable (why?) and WRITABLE for everyone? So for example guest user can inject any malicious script he wants as "/Applications/GOG\ Galaxy.app/Contents/MacOS/GOG\ Galaxy" and he will get full control over my account whenever I try to run GOG Galaxy? But it gets worse:

./galaxy_client_1.2.31.8.pkg/galaxyClientFirst.pkg/Scripts/GalaxyRedists.pkg/galaxyRedistsFirst.pkg/Scripts/po stinstall

function InstallService()
{
echo "[4] Register service"
sudo -u "$USER" launchctl load -w "${GALAXY_COMMSERVICE_PATH}"
...
}

function SetPermissions()
{
chown -R "$USER":staff "${GALAXY_REDISTS_PATH}"
chown -R "$USER":staff "${GALAXY_SHARED_PATH}"
chmod -R 777 "${GALAXY_REDISTS_PATH}"
chmod -R 777 "${GALAXY_SHARED_PATH}"
chmod -R 777 "${GOG_COM_PATH}"
}

I do not even have to run application, because any user can freely modify file "/Users/Shared/GOG.com/Galaxy/redists/GalaxyCommunication" which is automatically run as "/Library/LaunchAgents/com.gog.galaxy.commservice.plist" service under my $USER in admin group.


Those are CRITICAL security issues!


Please, fix this installer ASAP.
Stop polluting system space and require Admin privileges.
Allow installation in user directory.
Install all required services in ~/Library/LaunchAgents for every user independently.
Give an option to opt-out from GalaxyUpdater process if GOG is installed outside user directory (for example in /Applications) so it won't spam non-admin users for admin password.

Thanks.

I think it would be better to tell this directly to GOG support so that they can see it as soon as possible.

Maybe don't post the critical security issues directly to a public forum instead of directly notifying the people who can fix them.

That's crazy talk!

Having said that, GoG doesn't have a security policy in place.

Such as this one:

https://www.xenproject.org/security-policy.html

Having said that, a lot of companies and software don't. I once spent 3 hours trying to track down how to report a security flaw in (I better not say the platform) and finally posted to one of the mail lists. Got my ass chewed out for it and pointed to a bizarre wiki page that didn't contain the words security, bug, hack or anything related, didn't come up via google because someone had marked it as noindex as a security measure and wasn't linked from any where within the wiki. Said f-u and released the hack publicly to a zero day site. A quick check of their wiki shows it;s still an issue.

I prefer responsible disclosure for more subtle bugs.
Especially those that cannot be fixed by user himself.

But here...
The go+w on service file...
Started from Shared/ space...
As user that belongs to admin group...
With executable dy-linked against another (updater) app...
That creates private *.db files in Shared/ space...
And cannot work properly if another user is logged in...

This is simply broken by design on so many levels.
Whole user isolation model should be refactored and until then people should avoid installing this application. Or at least fix permissions after installation.

I suspect that is also an issue for any of the games that are distributed as PKG instead of DMG.

I've at least noticed they don't make the PKG properly. The full listing of files that will be installed is not available before installing (or ever). Normally the files that will be installed (and where) should be available from the Installer menu as File>Show Files. But nope. Hmm, perhaps that's the developers of the games instead of GOG? Still, there should be some requirement of whoever is abusing the PKG format with games sold from GOG.

Ideally apps are distributed as self-contained so they can easily be installed anywhere, and later thrown in the trash for a completely clean uninstall of all app files. (Though, user preferences will remain in ~/Library for each user.)

Some of this and of what is posted by OP is pointed out in the GOG wishlist for Galaxy by other forum members:
• Mac - Don't use an installer
• Mac - Use default folders for support files (not /Users/Shared...)
• Mac: Allow other users sessions to be running

GOG's developers for Galaxy still haven't addressed these issues. I wonder if anything will get their attention. I'm figuring the Mac version is likely not a priority so they just program it like it won't be installed on an actually Mac.

At least Galaxy isn't required. People can just not use Galaxy until GOG fixes it.

Oh, except for GWENT, the online part. Though, that's a free game so it's not like they're making money off it. :-p

Maybe Mac OS should stop reinventing the wheel so these issues wouldn't be.

Edit: Thanks for the three year old thread revival, that gives me a chance to add some more relevant snark.

Don't worry, gaming on MacOS won't be a problem much longer. (In that it won't exist.)

Thanks for this. I was about to install this on my Mac, as I run it on Windows but then when it asked for my admin password to install the helper file. I just clicked no. Why would I grant that? So am not going to install it on the Mac. It should be able to run without asking for admin password. Mind you it asked for admin password during installation and this was a second time to enter admin password. I thought to search why and found your post. Thanks for posting as it makes us the users also aware of the issue so am glad you did not just post to the GOG team alone but notified us in this discussion. I agree with you, but I think it's also good to let the users know in a discussion forum. His post made me aware that it was right for me to be circumspect why the installation would ask for admin password twice. I don't get this request when installing other apps.

i cancelled the request without providing my root credentials and the installation finished fine. it is wrong for GOG to done this.

STILL an issue?! Weak showing from GOG.

This is part of why I've been harping on GOG to update the Mojo Installer for Linux for literal years.

why would gog bother when nobody cares about mac(or linux).

So gog has saboteurs in its midst.

I buy explicity games that have native linux, because I am using only linux for work and gaming.
Somebody cares about linux. Mind your wide shut windows, perhaps?

or just quota hire , the result is the same
i have no absolutely idea , makes no sense