Re: Authorization without permanent setuid on helper
Re: Authorization without permanent setuid on helper
- Subject: Re: Authorization without permanent setuid on helper
- From: Alan Somers <email@hidden>
- Date: Thu, 20 Jan 2005 07:13:13 -0600
On Jan 20, 2005, at 5:57 AM, Bob Ippolito wrote:
On Jan 20, 2005, at 6:43 AM, Finlay Dobbie wrote:
On Thu, 20 Jan 2005 04:51:34 -0500, Bob Ippolito <email@hidden>
wrote:
I would have to say that this method sounds MORE secure than using
setuid, because you actually need to authenticate every time. Using
setuid is for convenience. Once the helper is setuid, it no longer
requires authorization to run as uid 0. If you don't want the helper
tool to be "pre-authorized", then you shouldn't setuid it.
Actually, AuthorizationExecuteWIthPrivileges() is considered a
potential security hole, so having a self-restricted setuid tool is
regarded as more secure.
Yes, that's true. You need to be certain that the tool you are asking
it to execute is what you want it to be:
"This function poses a security concern because it will
indiscriminately run any tool or application, severely increasing the
security risk."
Yes, but with the tool running itself, it would seem to me to be
impossible to introduce such a scenario (running any tool as root) if
the argv[0] value is used for the relaunch.
As for a self-restricted setuid tool being more secure, it seems to me
that the MoreAuthSample falls down in that regard due to the User's
Application Support folder having user write permissions, thereby
allowing even a setuid tool to be deleted without root access and
substituted with a malicious one, which would then be authorized on the
next run.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden