• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Authorization without permanent setuid on helper
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authorization without permanent setuid on helper

  • Subject: Re: Authorization without permanent setuid on helper
  • From: OL&L Lists <email@hidden>
  • Date: Thu, 20 Jan 2005 14:39:09 -0800
At 7:13 AM -0600 1/20/05, Alan Somers wrote: 
On Jan 20, 2005, at 5:57 AM, Bob Ippolito wrote:

On Jan 20, 2005, at 6:43 AM, Finlay Dobbie wrote:

On Thu, 20 Jan 2005 04:51:34 -0500, Bob Ippolito <email@hidden> wrote: 
I would have to say that this method sounds MORE secure than using
setuid, because you actually need to authenticate every time. Using
setuid is for convenience. Once the helper is setuid, it no longer
requires authorization to run as uid 0. If you don't want the helper
tool to be "pre-authorized", then you shouldn't setuid it.

Actually, AuthorizationExecuteWIthPrivileges() is considered a
potential security hole, so having a self-restricted setuid tool is
regarded as more secure.

Yes, that's true. You need to be certain that the tool you are asking it to execute is what you want it to be:

"This function poses a security concern because it will indiscriminately run any tool or application, severely increasing the security risk."

Yes, but with the tool running itself, it would seem to me to be impossible to introduce such a scenario (running any tool as root) if the argv[0] value is used for the relaunch.

As for a self-restricted setuid tool being more secure, it seems to me that the MoreAuthSample falls down in that regard due to the User's Application Support folder having user write permissions, thereby allowing even a setuid tool to be deleted without root access and substituted with a malicious one, which would then be authorized on the next run.

Which cannot happen if you follow Apple's recommended method - using MIB and a template tool to compare any tool against that is to be run.

Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden






References: 


 >Re: Authorization without permanent setuid on helper (From: Bob Ippolito <email@hidden>)


 >Re: Authorization without permanent setuid on helper (From: Finlay Dobbie <email@hidden>)


 >Re: Authorization without permanent setuid on helper (From: Bob Ippolito <email@hidden>)


 >Re: Authorization without permanent setuid on helper (From: Alan Somers <email@hidden>)






    

  • Prev by Date:
Re: Authorization without permanent setuid on helper

    • 

  • Next by Date:
Re: Authorization without permanent setuid on helper

    • 

  • Previous by thread:
Re: Authorization without permanent setuid on helper

    • 

  • Next by thread:
Re: Authorization without permanent setuid on helper

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •