[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KUNCUserNotificationCallBack

Subject: Re: KUNCUserNotificationCallBack
From: Jeremy Pereira <email@hidden>
Date: Tue, 21 Aug 2007 08:09:24 +0100
Delivered-to: email@hidden
Delivered-to: email@hidden


On 20 Aug 2007, at 16:28, Eric Long wrote:

I think you're mixing up what launchd will do.  By definition an
agent is running on behalf of a particular user, and thus doesn't run
as root.
o Running a GUI program as root is /strongly/ discouraged.
o Vulnerable to what, exactly?
o Authorization Services already has an architecture for running
GUI-oriented security code as a trusted user that is not run (uid 92,
"securityagent").  This is the user that displays the standard
authorisation dialogs, and that's one of the many reasons we
recommend that you do authorisation via Authorization Services.
If I can't use launchd, I must create my own launch app to keep up my agent and add a log-in item for it, my "keep it up" app is being run with the log-in user's privileges. Anyone can kill it, then kill the agent, then I have no UI to tell the user something is wrong.

No. Only the user that owns the process or a user with admin privileges. In the former case, see my comments below, in the latter case you've already lost.

Now, granted, the person killing things off isn't the beneficiary of the UI I might present, pre-supposing that this is someone sneaking his attack while the user has stepped away and the machine was not locked it in screensaver mode, or something similar.

I think the ability to subvert your UI agent is the least of the security issues in this circumstance. The attacker already has access to all of the logged in person's files including, incidentally, the ~/Library/LaunchAgents directory.

But, the actual user, on return, will go on thinking things are normal, if I can't display something to indicate what happened. I can log the events, sure, but that's not exactly the siren I'd like. This is an ongoing protection and I'd like to be able to periodically notify the user of the problem until it is corrected.

I could take extreme action and lock everything down to ensure the user is protected, but that will lead to confusion unless I can also make the user aware of why things are locked down.

Given that the problems with launchd and gui agents is limited to 10.4.x, I could use the KUNC API still present in 10.4.x to address this problem only on those systems. But is that the right thing to do? Is there a better way?
Eric
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/email@hidden
This email sent to email@hidden


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/email@hidden

This email sent to email@hidden

References:
	>Re: KUNCUserNotificationCallBack (From: Eric Long <email@hidden>)

Prev by Date: Re: KUNCUserNotificationCallBack
Next by Date: Re: KUNCUserNotificationCallBack
Previous by thread: Re: KUNCUserNotificationCallBack
Next by thread: Re: KUNCUserNotificationCallBack
Index(es):
- Date
- Thread

Home