• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Authorization without permanent setuid on helper
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authorization without permanent setuid on helper

  • Subject: Re: Authorization without permanent setuid on helper
  • From: "M. Uli Kusterer" <email@hidden>
  • Date: Sat, 22 Jan 2005 00:34:23 +0100
At 15:22 Uhr +0000 21.01.2005, email@hidden wrote:
Unless the user (even an admin user) knows what he/she is authorizing (a malicious helper will appear no different than the original when authorizing), he/she could unwittingly authorize some nasty things to happen. I hope I'm just misunderstanding how things work that that somebody can provide the one bit of information that clears it up for me.

Well, you need Admin privileges to edit an application in /Applications, so as long as you put all apps that need to be authorized in there, only another admin could introduce malicious code. And non-admin users can only edit their own (non-admin) files, so they can't really mess with another app, much less with one installed by an admin.

> Users can use the keychain to authorize my helper once without the
hassle of having to re-enter the password every time.

How does this work in practice? How do you get Authorization Services to check the Keychain first before prompting the user for a password?

You just check a "remember password in keychain" checkbox, IIRC. Or am I mixing up something there?

 > That will even ask them to re-authorize when the app is modified.
 > Sounds safer to me.

Does this mean that the modification times on all of the folders in the app bundle are checked? If so, that would take care of the malicious template substitution problem.

Well, at least it works that way for the keychain. An app that wants passwords from the keychain needs to be re-authorized after every update.
--
Cheers,
M. Uli Kusterer
------------------------------------------------------------
"The Witnesses of TeachText are everywhere..."
http://www.zathras.de
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: Authorization without permanent setuid on helper
      • From: Dave Rehring <email@hidden>
  • Prev by Date: Re: Pictures as characters
  • Next by Date: Re: Authorization without permanent setuid on helper
  • Previous by thread: Re: Authorization without permanent setuid on helper
  • Next by thread: Re: Authorization without permanent setuid on helper
  • Index(es):
    • Date
    • Thread