Re: Security framework refuses to work at all
Re: Security framework refuses to work at all
- Subject: Re: Security framework refuses to work at all
- From: Stéphane Sudre <email@hidden>
- Date: Fri, 25 Oct 2002 15:17:51 +0200
On Friday, October 25, 2002, at 02:58 PM, Finlay Dobbie wrote:
On Friday, October 25, 2002, at 01:40 pm, Stiphane Sudre wrote:
From what I can quickly read in this documentation (which is buggy as
the link:
http://developer.apple.com/techpubs/macosx/CoreTechnologies/
securityservices/authservices.html does not exist), I don't see
anything done that is strictly not recommended by the documentation.
Some privileged operations require special permissions. For example,
an application that restarts the Internet daemon must have root
privileges. There are three possible ways to perform this operation,
all with their own problems:
� Make the application run as root by calling itself with a special
Authorization Services function.
mv is not my application.
� Set the setuid bit of the application and change its owner to root
and use the special Authorization Services function.
I'm not going to setuid 'mv' to do this.
� Factor out the operation that performs the privileged operation and
put it in a separate setuid tool�a tool that has its setuid bit
set�and set the setuid tool's owner to root.
Don't see the interest of that for 'mv'.
Both the first and second options are a security breach waiting to
happen.
Sure.
[...]The third scenario is by far the best. The application is split
into an application that controls all of the graphical user interface
elements and nonprivileged operations, and a helper tool that performs
only the operations involved in restarting the Internet daemon. The
helper tool's setuid bit is set and the owner is set to root. The
proper Authorization Services functions are used as described
previously. Factoring and setting the setuid bit not only minimizes
the risk but also makes it easier to audit your code for security
holes.
This is the 12 years scenario. With a setuid bit...
[...]
Special Considerations
You should use this function only to allow installers to run as root
and to allow a setuid tool to repair its setuid bit if lost. This
function works only if the Security Server establishes proper
authorization.
This function poses a security concern because it will
indiscriminately run any tool or application, severely increasing the
security risk.
This is the line I don't agree with. It will not run any tool, it will
run the tool I set in the path as stated by the documentation:
"This function enables you to execute the tool you specify in the
pathToTool parameter as a separate, privileged process."
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.