Authorization - Perl as helper tool vs. SUID


  • Subject: Authorization - Perl as helper tool vs. SUID
  • From: Sherm Pendley <email@hidden>
  • Date: Mon, 10 Jan 2005 16:05:45 -0500

Here's the scenario: Perl is a traditional system admin's tool, and such tools often need to run with root permissions, so I'm writing a Perl wrapper around the functions in Authorization.h. That would allow the helper tool in a factored app to be written in Perl, and with CamelBones the parent app could be as well. It's just a handful of functions and a couple simple structs, so writing the wrapper is turning out to be quite simple.

Here's what's not so simple: Perl won't run a SUID script. It complains that the Darwin kernel doesn't have secure suid for scripts. I'm assuming that it's a valid complaint; even if it's not, the stock Perl thinks it is, so it's a moot point.

The workaround suggested in Perl's security docs is to write a simple C wrapper that does nothing but call the Perl script, and make that SUID instead of the script. But that's clunky, and I'm unsure of the purpose of making the helper tool SUID anyway. As far as I can tell, it's a matter of convenience - if the tool is running SUID, the user won't have to authorize every time he runs it.

So what I'm thinking of is this: The parent app would be the same as always, pre-authorizing and calling the helper tool with NSTask, execve() or whatever. The helper tool, on the other hand, would be slightly different - it would check that it's owned by root and read-only by everyone else, and if so run itself with elevated privileges. When run with elevated privileges, it wouldn't "self-repair"; instead, it would simply do whatever task it was made for.

Anyone care to comment on that approach?

sherm--

Cocoa programming in Perl: http://camelbones.sourceforge.net
Hire me! My resume: http://www.dot-app.org
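
The ownership and permission check described in the message above, sketched in C as an added example (it is not code from the original post or from CamelBones); the function names `helper_meta_ok` and `helper_file_ok` are hypothetical. It examines the opened descriptor with `fstat()` rather than the path, so the file that passes the check is the same file that stays open.

```c
/* Added illustration; function names are hypothetical, not from the post. */
#define _XOPEN_SOURCE 700  /* expose the POSIX stat/open declarations */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy check on metadata already obtained with fstat().
 * Returns 1 only for a regular file owned by root (uid 0) that
 * neither group nor other can write; 0 otherwise. */
int helper_meta_ok(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return 0;                       /* directories, devices, FIFOs */
    if (st->st_uid != 0)
        return 0;                       /* owner could rewrite the tool */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* writable by someone besides root */
    return 1;
}

/* Open the helper, then inspect the descriptor instead of the path.
 * Returns 1 if trusted, 0 if not, -1 if it cannot be opened or examined. */
int helper_file_ok(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = (fstat(fd, &st) == 0) ? helper_meta_ok(&st) : -1;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/helper\n", argv[0]);
        return 2;
    }
    int rc = helper_file_ok(argv[1]);
    printf("%s: %s\n", argv[1],
           rc == 1 ? "root-owned, not group/other writable" :
           rc == 0 ? "not trusted" : "cannot examine");
    return rc == 1 ? 0 : 1;
}
```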
