Re: "First Run" installation of Application support stuff?
Re: "First Run" installation of Application support stuff?
- Subject: Re: "First Run" installation of Application support stuff?
- From: "Peter Sichel" <email@hidden>
- Date: Thu, 19 Dec 2002 09:28:21 -0500
>
> Leave them in the app wrapper. The Application Support directory is
>
> for data, not executables.
>
>
Last I heard, users couldn't move/delete application bundles with suid
>
binaries inside them. That was in 10.1, though, has it been fixed?
>
>
-- Finlay
Not exactly. You can move or delete the bundle, but you can't copy it.
In my case, I provide an "Unauthorize Tools..." menu item to restore
the permissions so the bundle can be copied.
The tools in question are part of a network monitoring application
and require root privileges to open ICMP sockets, load an NKE,
manipulate the users network configuration, and run other privileged
tools like tcpdump. Since Mac OS X requires root privileges for
these operations which many home network administrators need or want,
there are few good options:
(1) Use a collection of small SUID root helper apps that are authorized
at "first run installation time". The applets themselves are relatively
safe because they do very little.
(2) Request user authorization each time a privileged operation is
invoked. Conditioning the user to frequently authorize running
applications is a far greater security risk than asking only once
at install time.
(3) Requiring the application itself be run with root privileges.
A bad idea for many reasons.
I've chosen (1) above with simple drag-and-drop install/uninstall.
User response is mostly positive.
- Peter
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.