On May 21, 2008, at 06:12 AM, Michael Smith wrote:
> Knowing the UID of the process on the other end of a socket does
> not protect you against "hacker software trying to emulate the
> requests", as said "hacker software" will probably be running with
> the same UID as your legitimate clients.

You're absolutely right about this - I should have stated this
more clearly - the main protection here is not to allow, let's say, user A
to impersonate user B. I.e., let's say I store some per-user info for
logged-in users - it's more or less safe to give correct info to
anyone who has the correct uid, but it's absolutely not ok to give it to
a user with another uid. That's the idea.
And unfortunately CS is not an option as Tiger should be supported.
Darwin-kernel mailing list (email@hidden)