• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Security framework refuses to work at all
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security framework refuses to work at all

  • Subject: Re: Security framework refuses to work at all
  • From: Kelly K <email@hidden>
  • Date: Fri, 25 Oct 2002 14:56:49 -0700
On Friday, October 25, 2002, at 12:41 PM, email@hidden wrote:


On vendredi, octobre 25, 2002, at 08:12 PM, Kelly K wrote:

On Friday, October 25, 2002, at 06:17 AM, Stiphane Sudre wrote:
[...]
Special Considerations

You should use this function only to allow installers to run as root and to allow a setuid tool to repair its setuid bit if lost. This function works only if the Security Server establishes proper authorization.

This function poses a security concern because it will indiscriminately run any tool or application, severely increasing the security risk.

This is the line I don't agree with. It will not run any tool, it will run the tool I set in the path as stated by the documentation:

"This function enables you to execute the tool you specify in the pathToTool parameter as a separate, privileged process."


Yes, until someone replaces the tool you call with my EvilTool [tm patent pending]. AEWP will call any tool, regardless of the privileges set on that tool. So now your app calls my EvilTool with root privileges. While this may not be an issue with mv, or tools with certain permissions sets, it is definitely a problem if permissions allow the tool to be easily replaced.


I might be missing something obvious but I don't see what the difference is between:

- Application A running 'mv' via the Security Framework
- Application A running Application B via Security Framework and Application B running 'mv'

In both cases, your EvilTool is going to run with the root privileges.


There is no difference between your two examples.

All I am trying to point out is that AEWP does not perform any checks to make sure that you are calling the correct tool. That is why the documentation says that AEWP will "indiscriminately run any tool or application". Replacing the tool is one possible security threat, another is replacing the pathname in the AEWP call. Care needs to be taken when using this function to avoid these situations.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.
References: 
 >Re: Security framework refuses to work at all (From: email@hidden)

  • Prev by Date: Re: Multi-nib communication
  • Next by Date: Re: Runtime messages
  • Previous by thread: Re: Security framework refuses to work at all
  • Next by thread: Re: Security framework refuses to work at all
  • Index(es):
    • Date
    • Thread