
Re: Authorization Question (Possibly a simple POSIX question?)


  • Subject: Re: Authorization Question (Possibly a simple POSIX question?)
  • From: Ken Thomases <email@hidden>
  • Date: Fri, 21 Aug 2009 02:49:12 -0500

On Aug 21, 2009, at 1:33 AM, Seth Willits wrote:

> I'm looking at some code* in an app which uses a helper tool, in order to open and read the contents of a protected file. Normally the user does not have privileges to read this file, hence the authorization. Here's the process it goes through:
>
> App:
> 	AuthorizationCreate
> 	AuthorizationCopyRights(my.right, PreAuthorize | ExtendRights)
> 	AuthorizationMakeExternalForm
> 	Create a pipe, fork, child does execle(path/to/tool)
> 	Write the external form of the auth ref to the pipe the tool has open
>
> Tool:
> 	AuthorizationCreateFromExternalForm
> 	AuthorizationCopyRights(my.right, ExtendRights)
> 	descriptor = open(path/to/file, O_RDONLY)
> 	Send the descriptor back to the app on the pipe
> 	exit
>
> App:
> 	Gets the descriptor back from the tool
> 	fdopen(descriptor)
> 	... read from the file all it wants ...

First, you should consider replacing all of the above with an invocation of the authopen tool. See its man page and do a full-text search for it in Xcode.

> I don't understand how the app is allowed to use that file descriptor to read the file's contents. The tool is running as root, so it's obvious that it is able to open the file, but how can another process just start using that descriptor? Is it because it's the parent process? If so: I always thought that only worked the other way around - child processes could use *parent* process descriptors. If NOT, then what is it? The app only preauthorized some arbitrary right, it didn't actually get any privileges to open and read a protected file.

As Dave Keck said, you can pass file descriptors between processes. The second bit of information is that permissions are tested at the time of the open(). Once you have the file descriptor, you can use it without further checks. For example, it's best practice for a privileged tool to drop its privileges after it's used them. So, it might open all files requiring root access privileges, drop root privilege, and then use the opened files. (In this case, the tool exits immediately, so that's not necessary.)


Anyway, this principle applies to the recipient of the file descriptor, too. In this case, it's the parent process, but that's not particularly relevant.

Regards,
Ken
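
The two points in the reply above (access is checked at open(), and an open descriptor can be handed to another process and used there without further checks), as an added C example that is not code from the thread or from the app under discussion. It assumes an AF_UNIX socketpair with SCM_RIGHTS as the channel and a constructed temp file, and it stands in for the privilege difference by having the child strip the file's mode bits after opening it; `xfer_fd` and `read_via_passed_fd` are hypothetical names.

```c
/* Added example (not from the thread): passing an open fd with SCM_RIGHTS. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send (fd >= 0) or receive (fd == -1) one descriptor; returns it or -1. */
static int xfer_fd(int sock, int fd) {
    char byte = 'F', ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    memset(ctl, 0, sizeof ctl);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = ctl; msg.msg_controllen = sizeof ctl;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (fd >= 0) {                      /* sender: attach fd as ancillary data */
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
        return sendmsg(sock, &msg, 0) == 1 ? fd : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    c = CMSG_FIRSTHDR(&msg);            /* receiver: kernel installed a new fd */
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Child ("tool") opens, strips mode bits, passes fd; parent ("app") reads. */
ssize_t read_via_passed_fd(char *out, size_t cap) {
    char path[] = "/tmp/fdpassXXXXXX";  /* constructed sample file */
    int sv[2], fd = mkstemp(path);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        fd = open(path, O_RDONLY);      /* access is checked here, once */
        chmod(path, 0);                 /* later mode change does not affect fd */
        _exit(fd < 0 || xfer_fd(sv[1], fd) < 0);
    }
    close(sv[1]);                       /* recvmsg sees EOF if the child fails */
    fd = xfer_fd(sv[0], -1);
    waitpid(pid, NULL, 0); unlink(path); close(sv[0]);
    ssize_t n = -1; if (fd >= 0) { n = read(fd, out, cap); close(fd); }
    return n;                           /* bytes read through the passed fd */
}

int main(void) { char b[16]; return read_via_passed_fd(b, sizeof b) == 7 ? 0 : 1; }
```

The parent never calls open() on the file; by the time it reads, the file's mode is 000 and the path has been unlinked, yet the read succeeds because the descriptor carries the access granted at open time.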
