Re: Security opinion needed
- Subject: Re: Security opinion needed
- From: Douglas Davidson <email@hidden>
- Date: Mon, 5 Jan 2004 10:55:50 -0800
On Jan 4, 2004, at 10:21 AM, Michael Latta wrote:
While the use of Cocoa or Carbon in a setuid app is verboten, what
about Foundation and Objective-C code? Some of the Objective-C
runtime issues could be a problem with any dynamic code (poseAs for
example). But without dynamic code loading would use of NSFile,
NSDictionary, and application specific code be considered a problem?
The reason that setuid is problematic is that the attacker has such
broad control over the execution of the privileged code--arguments,
environment, working directory, you name it, the attacker gets to
control it. Ideally setuid code should be as simple as possible and
use as little as possible; when you start linking against complex
frameworks, you have no control over what they do as far as usage of
environment variables, arguments, and so on, over and beyond what you
explicitly pass in to them. While I do not know of any exploitable
issues in Foundation--and I have inspected the code looking for them--I
cannot guarantee that they are not there, and I certainly cannot speak
to most of the other frameworks that Foundation uses.
What I would recommend in general terms is that your setuid code do as
little as possible. Perhaps non-privileged code can create the file,
and the setuid tool only move it into place, when authorized to do so;
or setuid code could open it and pass a handle to something else; I am
sure there are other possibilities.
Douglas Davidson
_______________________________________________
cocoa-dev mailing list | email@hidden