Re: Security patch 2008-005 and scripting additions
Re: Security patch 2008-005 and scripting additions
- Subject: Re: Security patch 2008-005 and scripting additions
- From: "John C. Welch" <email@hidden>
- Date: Sat, 02 Aug 2008 01:54:00 -0400
- Thread-topic: Security patch 2008-005 and scripting additions
On 8/1/08 9:02 AM, "Hamish Sanderson" <email@hidden>
wrote:
>> John DeTroye denied that a regular user could elevate their privs
>> when I
>> asked him about this... so I was worried that Apple was not taking
>> this
>> seriously.
>>
>> I am glad this has been patched.
>
>
> It's a start (and a reminder of the essential evilness of osaxen as an
> extension mechanism).
>
> However, while I'm no security expert, I can't help feeling this is
> only part of a larger concern: as far as I can make out, the main
> problem with the Apple event IPC security model is that there isn't
> one. For example, why should a non-privileged process [without
> additional authentication] be allowed to send *any* Apple events to
> privileged processes in the first place?
>
> Anyone with more security chops care to weigh in?
For the same reason that any unprivileged user process, (Safari) can send
requests, (events) to a privileged process, DirectoryService: Because if it
couldn't without specific user approval, you'd live in a world that makes
Vistas UEP dialogs seem like heaven.
The problem isn't the event passing. On a basic level, that's just
interprocess communication. That has to exist without meat intervention for
stuff to actually be usable.
The problem is *what* the unprivileged process can do. If all I can do
without authentication is tell DirectoryService "Hey, look up this DNS name"
or tell the AFP processes "hey, disconnect me from this server", or
something along those lines, that's not a problem.
It's when I can tell it, sans authentication, "Hey, how about you unbind me
from this directory service, and while you're at it, enable root with the
following password"...then we have a problem. It is the context of the
event, not the ability to send or receive them across privilege levels that
is, or is not a problem.
IPC is inherently risky, because at some level, it has to happen without
authentication or elevation, just to get stuff done in a timely manner.
--
"In no other profession are the penalties for employing untrained personnel
so appalling or so irrevocable as in the military."
- General of the Army Douglas MacArthur
_______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users
This email sent to email@hidden