Re: State of performing tasks with elevated privileges
- Subject: Re: State of performing tasks with elevated privileges
- From: Nick Zitzmann <email@hidden>
- Date: Wed, 11 Mar 2009 13:22:34 -0600
On Mar 11, 2009, at 12:52 PM, Sidney San Martín wrote:
> "You may be tempted to use the function
> AuthorizationExecuteWithPrivileges to perform privileged operations
> rather than creating and calling your own setuid tool. Although this
> might seem like an easy solution, using the
> AuthorizationExecuteWithPrivileges function without the rest of the
> Authorization Services functions produces a severe security hole
> because the function indiscriminately runs any tool as the root
> user. Setuid tools also have security risks, but they are far less
> severe than using the function AuthorizationExecuteWithPrivileges
> for purposes other than those described in this document. Read
> “Factored Applications” for instructions on creating your own helper
> tool."
>
> I don't completely follow that warning. If I have a factored helper
> tool, is it important for it to be setuid root?
What it's saying is AEWP() will run pretty much anything you tell it
to run. That is not always a good thing, because the secure tool can
be swapped by some malware, which would cause AEWP() to run the wrong
tool. This is one of the few cases where running a tool as setuid root
actually makes sense, since the tool can't be swiped without
permission. There used to be problems with this, but they were
resolved a long time ago.
Of course, that requires someone to write malware that intentionally
targets your app. And in the eight-year history of Mac OS X (nine
years if you count Rhapsody), no one has written a single virus, and
trojan and rootkit attacks have been extremely rare. So the chances of
this happening in the first place are very, very low, unless something
stupendous happens (e.g. Apple picks up your app for OEM distribution).
Of course, if you're just going to use AEWP() to run something once
in /usr/bin or some other place that has strict write permissions,
then this doesn't matter.
> What, even, is the advantage of using the complex libraries
> contained in MoreSecurity and BetterAuthorizationSample? Do people
> not use them in the real world?
In the real world, people care about feeling secure, but no one cares
about actually being secure until they get compromised, because actual
security means sacrificing convenience. Mac OS 8 had a CD auto-play
feature (ripped from Windows) that ended up being taken out of the OS
after the only software that used it was a worm.
Nick Zitzmann
<http://www.chronosnet.com/>
_______________________________________________
Cocoa-dev mailing list (email@hidden)