All right, those are fair points. But I forgot to mention that what also worries me about that method is this paragraph from the Authorization Services Programming Guide:

"You may be tempted to use the function AuthorizationExecuteWithPrivileges to perform privileged operations rather than creating and calling your own setuid tool. Although this might seem like an easy solution, using the AuthorizationExecuteWithPrivileges function without the rest of the Authorization Services functions produces a severe security hole because the function indiscriminately runs any tool as the root user. Setuid tools also have security risks, but they are far less severe than using the function AuthorizationExecuteWithPrivileges for purposes other than those described in this document. Read “Factored Applications” for instructions on creating your own helper tool."

I don't completely follow that warning. If I have a factored helper tool, is it important for it to be setuid root? What, even, is the advantage of using the complex libraries contained in MoreSecurity and BetterAuthorizationSample? Do people not use them in the real world?

On Tue, Mar 10, 2009 at 1:45 PM, Nick Zitzmann <n...@chronosnet.com> wrote:

On Mar 10, 2009, at 10:39 AM, Sidney San Martín wrote:

I can make a helper tool that I call with AuthorizationExecuteWithPrivileges. I already have this working, but it's vulnerable to attack (if the helper binary is replaced)

Yes, but the chances of that happening are very, very low unless the same user who installed the application also installed some malware that intentionally targeted your app. If that's a concern to you, then you could check a checksum or some other signature before invoking AEWP(). But keep in mind that (1) malware of any kind on Mac OS X is very rare to nonexistent, and (2) you cannot stop a very determined attacker; you can make it more difficult to discourage the less determined, but not impossible.

and apparently has poorly-documented caveats (needing to reap the process when it's done executing, for one, which is something else I've never done).

Well, you don't _need_ to reap the zombies if you don't want to. It'll just look strange in Activity Monitor, and will waste a little RAM until the parent task exits.

Nick Zitzmann
<http://www.chronosnet.com/>
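The reaping caveat discussed above, as an added example that is not part of the thread and not Apple's code: AuthorizationExecuteWithPrivileges launches the helper as a child of the calling process, so until the caller calls wait()/waitpid() the exited helper stays a zombie (which is what shows up in Activity Monitor). The block below uses plain POSIX fork/exec in place of AEWP so it runs anywhere; `run_and_reap` is the case where you know the child's pid, and `reap_all_children` is the pattern for AEWP, which does not hand you a pid, so you reap whatever children have finished. Both function names and the `/bin/sh -c "exit 3"` sample command are my own constructions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn `path` with `argv`, block until it exits, and return its exit status
 * (or -1 on failure). Stand-in for AEWP: the difference is only that AEWP
 * launches the helper for you; it is still your process's child. */
int run_and_reap(const char *path, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127); /* exec failed; never return into the parent's code */
    }
    int status;
    /* waitpid() may be interrupted by a signal; retry until it really returns */
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1; /* killed by a signal or otherwise abnormal */
}

/* Reap every child of this process, blocking until none are left, and return
 * how many were reaped. This is the shape you need after AEWP, because it
 * does not return the helper's pid. Caveat: waitpid(-1, ...) collects *any*
 * child, so in a program that also spawns other children track pids instead. */
int reap_all_children(void) {
    int reaped = 0;
    int status;
    for (;;) {
        pid_t r = waitpid(-1, &status, 0);
        if (r > 0) {
            reaped++;
            continue;
        }
        if (errno == EINTR)
            continue;
        break; /* ECHILD: nothing left to reap */
    }
    return reaped;
}

int main(void) {
    /* constructed sample: a helper that just exits with status 3 */
    char *const argv[] = {"sh", "-c", "exit 3", NULL};
    printf("helper exit status: %d\n", run_and_reap("/bin/sh", argv));

    /* two fire-and-forget children, reaped without knowing their pids */
    for (int i = 0; i < 2; i++) {
        pid_t p = fork();
        if (p == 0)
            _exit(0);
    }
    printf("children reaped: %d\n", reap_all_children());
    return 0;
}
```

If you would rather not block, the same loop with `WNOHANG` in place of `0` reaps only children that have already exited and can be called periodically (or from a SIGCHLD handler) while the helper is still running.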