On Sun, Jan 25, 2009 at 3:19 AM, Kyle Sluder wrote:
> On Sat, Jan 24, 2009 at 9:29 PM, Michael Ash wrote:
>> I'm afraid I don't understand this advice. Could you explain what sort
>> of vulnerability would exist in a custom install tool that would not
>> exist when using Installer.app to install
On Sun, Jan 25, 2009 at 12:54 AM, Chris Hanson wrote:
> On Jan 24, 2009, at 6:29 PM, Michael Ash wrote:
>
>> On Sat, Jan 24, 2009 at 6:08 PM, Chris Hanson wrote:
>>>
>>> Among other things, to be truly secure you must use a secure installation
>>> mechanism. Do not write your own install tool —
On Sat, Jan 24, 2009 at 9:29 PM, Michael Ash wrote:
> I'm afraid I don't understand this advice. Could you explain what sort
> of vulnerability would exist in a custom install tool that would not
> exist when using Installer.app to install a custom package?
It's vulnerable to a timing flaw. In o
But you can also code sign nowadays
On Jan 24, 2009, at 11:54 PM, Chris Hanson wrote:
On Jan 24, 2009, at 6:29 PM, Michael Ash wrote:
On Sat, Jan 24, 2009 at 6:08 PM, Chris Hanson wrote:
Among other things, to be truly secure you must use a secure
installation
mechanism. Do not write your
On Jan 24, 2009, at 6:29 PM, Michael Ash wrote:
On Sat, Jan 24, 2009 at 6:08 PM, Chris Hanson wrote:
Among other things, to be truly secure you must use a secure
installation
mechanism. Do not write your own install tool — it can't be made
secure
without itself being installed via a secur
On Sat, Jan 24, 2009 at 6:08 PM, Chris Hanson wrote:
> Among other things, to be truly secure you must use a secure installation
> mechanism. Do not write your own install tool — it can't be made secure
> without itself being installed via a secure installation mechanism.
> Instead, use Installe
On Jan 24, 2009, at 1:41 PM, Joe Turner wrote:
So, you are saying that I must create an install tool, that installs
my utility that will run as root?
I am saying that, in order to maintain your users' system security,
you must follow the guidance in the Authorization Services Programming
So, you are saying that I must create an install tool, that installs
my utility that will run as root?
On Jan 24, 2009, at 2:23 PM, Chris Hanson wrote:
The proper way to construct everything you've described is discussed
in the Authorization Services Programming Guide.
Authorization
The proper way to construct everything you've described is discussed
in the Authorization Services Programming Guide.
Authorization Services Programming Guide
http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/index.html
The current, most up-to
I think I figured out how SD does it:
When you unlock SD!, it calls AEWP() on SDAgent. Then, SDAgent calls
setuid(0) to make itself root. With it as root, when it calls SDCopy,
or SDDiskTool, it calls it with AEWP, and since it's root, it doesn't
need the user's password to do this!
This
Cool, thanks!
Then I now have another question: Why not just run chmod on my utility
when it's 'unlocked', and change the userID to 0. Then when it's
locked, change it back to 501?
Or, is this exactly what AEWP() will do?
Thanks!
Cheers,
Joe Turner
On Jan 24, 2009, at 6:47 AM, Michael As
On Fri, Jan 23, 2009 at 10:59 PM, Joe Turner wrote:
> Okay, so, it seems everyone was right :) I went to cocoabuilder to find some
> of the responses to this, that I never got.
>
> Anyways, it seems I can just call AEWP() once, and it should stay suid.
>
> So, my last question to everyone is, how
Okay, so, it seems everyone was right :) I went to cocoabuilder to
find some of the responses to this, that I never got.
Anyways, it seems I can just call AEWP() once, and it should stay suid.
So, my last question to everyone is, how do I know if the tool is
suid. I mean, I could implement s
On 23 Jan 2009, at 05:05, Michael Ash wrote:
On Thu, Jan 22, 2009 at 10:15 PM, Joe Turner wrote:
On Jan 22, 2009, at 4:57 PM, Nick Zitzmann wrote:
On Jan 22, 2009, at 4:09 PM, Joe Turner wrote:
I see. Then, how would you suggest to create a cloner/deleter, if
it
needs root privileges,
On Thu, Jan 22, 2009 at 10:15 PM, Joe Turner wrote:
>
> On Jan 22, 2009, at 4:57 PM, Nick Zitzmann wrote:
>
>>
>> On Jan 22, 2009, at 4:09 PM, Joe Turner wrote:
>>
>>> I see. Then, how would you suggest to create a cloner/deleter, if it
>>> needs root privileges, but cannot use the security framew
On Jan 22, 2009, at 4:57 PM, Nick Zitzmann wrote:
On Jan 22, 2009, at 4:09 PM, Joe Turner wrote:
I see. Then, how would you suggest to create a cloner/deleter, if
it needs root privileges, but cannot use the security framework?
I didn't say you couldn't use the security framework. I said
On Jan 22, 2009, at 4:09 PM, Joe Turner wrote:
I see. Then, how would you suggest to create a cloner/deleter, if it
needs root privileges, but cannot use the security framework?
I didn't say you couldn't use the security framework. I said you ought
to consider re-thinking your strategy.
Thanks again for the speedy responses!
On Jan 20, 2009, at 1:47 AM, Nick Zitzmann wrote:
On Jan 19, 2009, at 7:56 PM, Joe Turner wrote:
That makes sense, but then how does an app like SuperDuper! do it?
You click the lock, enter your password, and then you don't need to
enter your passwor
On Jan 19, 2009, at 7:56 PM, Joe Turner wrote:
That makes sense, but then how does an app like SuperDuper! do it?
You click the lock, enter your password, and then you don't need to
enter your password again until you lock it again. And, it is the
regular security framework password window
On 20/01/2009, at 12:56 PM, Joe Turner wrote:
That makes sense, but then how does an app like SuperDuper! do it?
You click the lock, enter your password, and then you don't need to
enter your password again until you lock it again. And, it is the
regular security framework password window,
On Jan 6, 2009, at 10:45 AM, Nick Zitzmann wrote:
On Jan 3, 2009, at 6:50 PM, Joe Turner wrote:
I am making a hard drive cloner/backuper, and to do some deleting
and copying, I need to use the security framework. What I need to
be able to do is have the user type in their password one time
On 07/01/2009 05:36, "Peter N Lewis" wrote:
> At 18:50 -0600 3/1/09, Joe Turner wrote:
>> I am making a hard drive cloner/backuper, and to do some deleting
>> and copying, I need to use the security framework. What I need to be
>> able to do is have the user type in their password one time, and
>
At 18:50 -0600 3/1/09, Joe Turner wrote:
I am making a hard drive cloner/backuper, and to do some deleting
and copying, I need to use the security framework. What I need to be
able to do is have the user type in their password one time, and
then it would give me system.privilege.admin rights un
On Jan 3, 2009, at 6:50 PM, Joe Turner wrote:
I am making a hard drive cloner/backuper, and to do some deleting
and copying, I need to use the security framework. What I need to be
able to do is have the user type in their password one time, and
then it would give me system.privilege.admin
Hello!
I am making a hard drive cloner/backuper, and to do some deleting and
copying, I need to use the security framework. What I need to be able
to do is have the user type in their password one time, and then it
would give me system.privilege.admin rights until a time that they
want to
25 matches