Re: How to pass parameter including match symbol like "*" to command executed by AuthorizationExecuteWithPrivileges?



As a general security consideration, privileged commands
should do as little as possible and do highly specific
things.  This minimizes the chance a mistake or exploit
can cause more damage than it should.

In this case, you probably should resolve the glob ("*")
first while unprivileged, and then call a sequence of
highly specific "rm" commands with the results.

The standard C library in <glob.h> (among other approaches)
handles "*".  Run "man 3 glob" in a terminal for more
information on the glob() function.

e.g. glob("test*.txt") might yield test1.txt and test2.txt.
With those results, you could generate commands like:
     "rm test1.txt"
     "rm test2.txt"
(or simply "rm test1.txt test2.txt").


Why are you telling him to run shell commands/scripts with AuthorizationExecuteWithPrivileges()? Awfully dangerous.

There is no shell or script in the privileged part above, because the API
doesn't accept a command line as a string (which is good): it accepts separate
arguments as verbatim strings. While I wrote a string "rm test1.txt", this
has to become a vector like ("/bin/rm", "test1.txt").


The original poster said "rm test*.txt", which written as-is *would* require
a shell run as root. My glob() suggestion, above, actually avoids the root shell.
It enables auditing/filtering by returning a list of matching filenames before
any privileged action is taken.


There are better ways to delete, sure. You could call unlink() directly to
save process spawns, or just move files to the user's Trash, to name two
alternatives.




And a malicious user could create a file named "-rf .." in the target
directory.  Using your suggestion, that would turn into a privileged
execution of the command "rm -rf .." -- not as bad as the dreaded
"rm -rf /", but still quite destructive.

Actually, this wouldn't work. For the reason above: the API doesn't parse
strings, and neither does "rm"; there is no shell present. If I determine
a filename is "-rf .." (and don't filter this as a problem for some reason),
this would end up as a single argument to "/bin/rm", space included.



Kevin G.
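The approach argued for in this thread, written out as an added example (not code from the poster or from Apple): glob(3) runs unprivileged, each match becomes one argv element for /bin/rm, and a file named "-rf .." is shown landing as a single argument. The fixture directory, its file names and the commented-out AuthorizationExecuteWithPrivileges() call are assumptions for illustration; the "--" separator is an extra precaution beyond what the thread describes.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose mkdtemp(3) and strdup(3) */
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand `pattern` with glob(3) while still unprivileged and build a NULL-terminated
 * argv for /bin/rm. Nothing is shell-parsed: each match is exactly one element, so a
 * file literally named "-rf .." reaches rm as the single string "-rf ..", space and
 * all. "--" precedes the matches so rm cannot read a name as an option. -1 on error. */
int build_rm_argv(const char *pattern, char ***argv_out) {
    glob_t g;
    memset(&g, 0, sizeof g);
    if (glob(pattern, 0, NULL, &g) != 0) { globfree(&g); return -1; }  /* incl. no match */
    char **argv = calloc(g.gl_pathc + 3, sizeof *argv);            /* rm, --, matches, NULL */
    if (!argv) { globfree(&g); return -1; }
    size_t n = 0;
    argv[n++] = strdup("/bin/rm"); argv[n++] = strdup("--");
    for (size_t i = 0; i < g.gl_pathc; i++)
        argv[n++] = strdup(g.gl_pathv[i]);      /* one match, one argument */
    argv[n] = NULL;
    globfree(&g);
    *argv_out = argv;
    return (int)n;
}

void free_argv(char **argv) { for (size_t i = 0; argv && argv[i]; i++) free(argv[i]); free(argv); }

/* Constructed fixture (not from the thread): scratch dir holding the hostile "-rf ..". */
const char *make_fixture(void) {
    static char dir[] = "/tmp/globdemo.XXXXXX";
    const char *names[] = { "test1.txt", "test2.txt", "notes.log", "-rf .." };
    char path[300];
    if (!mkdtemp(dir)) return NULL;
    for (size_t i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w"); if (f) fclose(f);
    }
    return dir;
}

int main(void) {
    char pattern[320], **argv = NULL;
    snprintf(pattern, sizeof pattern, "%s/*", make_fixture());
    int argc = build_rm_argv(pattern, &argv);
    for (int i = 0; i < argc; i++) printf("argv[%d] = \"%s\"\n", i, argv[i]);
    /* Hypothetical privileged hand-off (macOS only, not compiled here):
     * AuthorizationExecuteWithPrivileges(auth, argv[0], kAuthorizationFlagDefaults, &argv[1], NULL); */
    free_argv(argv);
    return 0;
}
```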