How to exec a subtool as root
- Subject: How to exec a subtool as root
- From: ryan <email@hidden>
- Date: Sun, 19 Jan 2003 23:13:19 -0800
Hello,
I have been thinking about the security model in Mac OS X and how to use the
security framework to execute privileged commands.
The documentation states that the use of
'AuthorizationExecuteWithPrivileges' should be limited to having a small
tool self-exec to cause it to become setuid root. After that point anytime
someone calls that small tool it runs as user root. This seems like a
fairly big security hole to me. Once you set a small tool setuid root, then
someone could run it and do a buffer overflow, or some such naughty thing,
and gain root access potentially.
One approach is to have the small sub-tool use
'AuthorizationExecuteWithPrivileges' to execute itself as root to accomplish
the root task. That is, the main App would fork/exec a subtool in the
Resources dir of the main bundle, then that tool would take the
AuthorizationRef on stdin and use it to self-exec itself as root using the
aforementioned API call. That way you avoid setuid root binaries, and you
avoid having the entire App run as root.
I think a potential ultimate solution is to have your top level main() for
your Cocoa/Carbon application take a hidden parameter which tells it that
it's time to read the AuthRef on stdin and do the privileged commands. That
way an App can self-exec itself, not have to worry about anyone replacing
the subtool in the bundle, and still accomplish root tasks without naughty
setuid root binaries.
The one last problem with the ultimate solution is someone could remove the
mach-o binary while it's running and replace it with a subverted one. So by
the time you self-exec as root then you would be running an attacker's
binary.
The problem with the sub-tool solution is someone could replace it with a
subverted binary and it could request root access and it would look like the
request came from your application (since the Security system stops at the
.app level when presenting to the user who is requesting root privileges)
and your app could potentially get blamed for something that isn't its own
fault.
Does anyone have any suggestions to solve this problem solidly?
I know these attacks seem very oblique and bizarre, but weirder things have
occurred, and I wouldn't want to subject my users to an installer with
security holes.
While researching this problem, I noticed that according to the AuthSample
from Apple's site, there was a hidden API:
- The argv array is followed by the envp array which is followed by the true
path to the app as passed in to exec() by the parent.
Can someone point me to some documentation about this?
Thanks,
-ryan
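The "hidden parameter" self-exec pattern described in the post, written out as an added example in Objective-C (this is not code from the post or from Apple's AuthSample). The flag name `--privileged-helper` and the `stat` sanity check before elevating are assumptions made here; the Security framework calls are the real ones the post refers to.

```objc
// Added example (not from the post) of the "self-exec with a hidden flag" pattern.
// The flag name "--privileged-helper" is an assumption chosen for illustration.
#import <Security/Security.h>
#import <mach-o/dyld.h>
#import <sys/stat.h>
#import <unistd.h>
#import <string.h>

static const char *kHelperFlag = "--privileged-helper";   // hypothetical hidden flag
static AuthorizationItem gItem = { kAuthorizationRightExecute, 0, NULL, 0 };
static AuthorizationRights gRights = { 1, &gItem };

// Root side: reached only when the app re-execs itself with the hidden flag. It rebuilds
// the AuthorizationRef from stdin and re-checks the right without InteractionAllowed.
static int runAsHelper(void) {
    AuthorizationExternalForm ext; AuthorizationRef auth = NULL;
    if (fread(&ext, sizeof ext, 1, stdin) != 1 ||
        AuthorizationCreateFromExternalForm(&ext, &auth) != errAuthorizationSuccess) return 1;
    OSStatus st = AuthorizationCopyRights(auth, &gRights, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagExtendRights, NULL);
    if (st == errAuthorizationSuccess)
        printf("helper: euid=%u, privileged work goes here\n", geteuid());
    AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
    return st == errAuthorizationSuccess ? 0 : 1;
}

// App side: acquire the right (may prompt), then re-exec this same binary as root and
// hand it the externalized AuthorizationRef over the communications pipe.
static int launchHelper(void) {
    char path[1024]; uint32_t len = sizeof path; struct stat sb;
    if (_NSGetExecutablePath(path, &len) != 0 ||                  // real path, not argv[0]
        stat(path, &sb) != 0 || (sb.st_mode & S_IWOTH)) return 1; // never elevate a world-writable file
    AuthorizationRef auth = NULL;
    if (AuthorizationCreate(&gRights, kAuthorizationEmptyEnvironment,
            kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights,
            &auth) != errAuthorizationSuccess) return 1;
    AuthorizationExternalForm ext; AuthorizationMakeExternalForm(auth, &ext);
    char *args[] = { (char *)kHelperFlag, NULL }; FILE *comm = NULL;
    OSStatus st = AuthorizationExecuteWithPrivileges(auth, path, kAuthorizationFlagDefaults,
                                                     args, &comm);
    if (st == errAuthorizationSuccess) {
        fwrite(&ext, sizeof ext, 1, comm); fflush(comm);          // child reads this on its stdin
        char line[256];
        while (fgets(line, sizeof line, comm)) fputs(line, stdout);
        fclose(comm);
    }
    AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
    return st == errAuthorizationSuccess ? 0 : 1;
}

int main(int argc, char *argv[]) { return (argc > 1 && strcmp(argv[1], kHelperFlag) == 0) ? runAsHelper() : launchHelper(); }
```

Link against Security.framework; note that AuthorizationExecuteWithPrivileges has been deprecated since Mac OS X 10.7 in favour of an installed privileged helper (SMJobBless plus XPC), which also addresses the binary-replacement concern the post raises.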
cocoa-dev mailing list | email@hidden