Re: setuid to root App cannot compile NSAppleScript
- Subject: Re: setuid to root App cannot compile NSAppleScript
- From: OL&L Dev 2 <email@hidden>
- Date: Thu, 11 Dec 2003 19:51:59 -0800
Dave is correct. You absolutely do not want *any* user-level app
running as root. Doing so is a massive and serious security risk.
Consider this hypothetical scenario:
1) You release your product, app runs as root.
2) Hacker spelunks Darwin, replaces some code or part of System.framework or
Cocoa.framework with his own, malicious versions of that code.
3) Since the framework part of Cocoa apps resides in the system and gets
sucked in at runtime, that hacker's malicious 'replacement' version of part
of the framework now gets sucked into your app.
4) That hacker's malicious code now has root access to the entire system
because your app is running as root.
5) Hacker's code wreaks havoc on the machine because it has free rein
because it is now running as root thanks to your application acting as a
root-privileged host for it.
In short, never run your app as root.
There is nothing so big or complex that it cannot be put into the
helper tool. Write the helper tool in straight C, pass in the
authorization from the parent app as Dave mentioned, and immediately
on entry destroy any potential nastiness from its parent process
thusly:
/* recover the AuthorizationRef the parent app handed over */
authorization = MoreSecHelperToolCopyAuthRef();
/* scrub what the helper inherited from its parent process, keeping only the standard file descriptors */
error = MoreSecDestroyInheritedEnvironment(kMoreSecKeepStandardFilesMask, argv);
Next, call the helper tool's 'work' code with MoreSecHelperToolMain.
Inside the work code, bracket the privileged work with calls to
MoreSecSetPrivilegedEUID and MoreSecTemporarilySetNonPrivilegedEUID.
This section of the code should be kept as short as possible. Enter
privileged mode, execute, then exit privileged mode as fast as
possible.
As long as you let your privileged code rip only inside of those
bracketed calls, your app will be secure from most hacking.
This is vastly better than opening the entire machine up to potential
mischief. It's a lot of work, but well worth it. There simply is no
other way to make a user-level process secure from hacking.
James
At 1:33 PM -0800 12/11/03, Dave Camp wrote:
> Ooops. I accidentally hit Send prematurely on that last email...
>
> On Dec 11, 2003, at 9:12 AM, Lorenzo wrote:
>
>> Hi,
>>
>> thank you for the prompt reply.
>>
>> I don't have to use the AS to copy the file. I have to use the AS to close
>> all the open applications. Then my tool will copy the file, and restore the
>> ownership and privileges.
>>
>> The problem is that my tool is so big and complex that it has to run as root
>> at all. It cannot launch a smaller sub-process.
>
> Can you explain what your tool does that it's so big and complex that
> it _has_ to be root? Root processes are a rarity. Running something
> as root has security consequences that need to be taken into account.
>
> This may sound rude, but it's not meant to be that way... Anyone
> writing a program that is large and complex and has a legitimate
> need to always be root (like a daemon process) should have a
> thorough knowledge of UNIX security, and I certainly wouldn't expect
> it to stop processes with an AppleScript.
>
> If we knew why your app needed root privileges, maybe we
> could suggest alternative means of solving your problems that would
> simplify your code and make it more safe.
>
>> So the user authenticates himself as root then I set seteuid = 0 to the tool,
>> and quit and relaunch the tool. So starting from the next time the tool
>> works as root all the time.
>>
>> So my problem is the opposite. How to launch a no-root sub-process from a
>> root process?
>
> man setgid.
>
> Dave
>
> _______________________________________________
> cocoa-dev mailing list | email@hidden
> Help/Unsubscribe/Archives:
> http://www.lists.apple.com/mailman/listinfo/cocoa-dev
> Do not post admin requests to the list. They will be ignored.