Re: Authorization without permanent setuid on helper
- Subject: Re: Authorization without permanent setuid on helper
- From: OL&L Lists <email@hidden>
- Date: Fri, 21 Jan 2005 18:09:53 -0800
At 4:41 PM -0800 1/21/05, John Davidorff Pell wrote:
On 20 Jan 2005, at 14:34, OL&L Lists wrote:
At 4:51 AM -0500 1/20/05, Bob Ippolito wrote:
On Jan 19, 2005, at 5:49 PM, email@hidden wrote:
Are there any security repercussions with
always "double running" a helper tool instead of setuid'ing
its file on the first run? By "double running" I mean
running it from the main app, having it authorize, and then having it
run itself as setuid (essentially following AuthSample but skipping
the ownership and permission changes on the file).
I know that it'll incur the overhead of an extra process every time,
but for the purpose I have in mind, efficiency is not an issue and it
would make the app more mobile (without leaving Application Support
garbage behind, as MoreAuthSample's approach would do).
I would have to say that this method
sounds MORE secure than using setuid, because you actually need to
authenticate every time. Using setuid is for convenience. Once the
helper is setuid, it no longer requires authorization to run as uid 0.
If you don't want the helper tool to be "pre-authorized",
then you shouldn't setuid it.
-bob
Except that there are times when you do not want to annoy the user
with an authorization dialog - for example when performing a
privileged operation such as setting network preferences via some kind
of login/logout session scenario. In that case you want to use the
MoreAuthSample way so that the user isn't constantly annoyed with
authorization dialogs. Also, when using MIB to run your tool I think
it automatically uses setuid to make sure the tool is running as
root.
-m
I very much do not like this. Personally, I would prefer to be
prompted every time that a root operation is performed. I go out of my
way to remove setuid binaries from my system. I think they are
inappropriate. If a user should be allowed to perform an operation,
then they should have permission to do so. They should not circumvent
the permissions model by using a setuid binary.
Then again, I'm a bit more informed about this sort of thing than the
average mac user. :-/
JP
In that case you are going against everything Apple recommends
doing with regards to performing privileged operations.
Removing setuid binaries from one's system can break software
that requires those components.
I am quite sure the Apple people who wrote the OS have thought
about this more than you have. If they hadn't they would have hired
you to write that part of the OS for them.
You should also read the Apple document Performing Privileged
Operations with Authorization Services which explains the MacOS X
security model and the need for setuid helper tools.
How is running an entire app authorized as root more secure than
running a tiny one-shot code fragment that enters and then exits root
mode momentarily?
The purpose of setuid binaries is not for the user to run them
directly, but for some other software such as an app or installer to
run them - the idea being to isolate root-enabled code to the smallest
possible code fragment and also isolate that code to the shortest
possible run times.
As Apple's document explains, the BSD permission model does not
satisfy OS X's needs. That is why OS X uses a hybrid of the BSD and
Apple's own model. It's more secure to follow the method the
manufacturer of the OS recommends than to use your own methods based
on incorrect knowledge.
Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com
Cocoa-dev mailing list (email@hidden)