Re: Authorization without permanent setuid on helper
- Subject: Re: Authorization without permanent setuid on helper
- From: Dave Rehring <email@hidden>
- Date: Fri, 21 Jan 2005 17:28:45 -0800
On 1/21/05 3:34 PM, M. Uli Kusterer at email@hidden wrote:
> At 15:22 Uhr +0000 21.01.2005, email@hidden wrote:
>> Unless the user (even an admin user) knows what he/she is
>> authorizing (a malicious helper will appear no different than the
>> original when authorizing), he/she could unwittingly authorize some
>> nasty things to happen. I hope I'm just misunderstanding how things
>> work and that somebody can provide the one bit of information that
>> clears it up for me.
>
> Well, you need Admin privileges to edit an application in
> /Applications, so as long as you put all apps that need to be
> authorized in there, only another admin could introduce malicious
> code. And non-admin users can only edit their own (non-admin) files,
> so they can't really mess with another app, much less with one
> installed by an admin.
This 'safety' [of needing to be admin to screw around in /Applications] can
easily be disabled if the permissions of the files within an application's
package are set incorrectly. It's up to the developer to make sure the
permissions are such as to prevent non-admins from altering files when the
application is installed...
Later,
--
David Rehring
VP of Research and Development
Atimi Software, Inc.
www.atimi.com

Psychos do not explode when light hits them, no matter how crazy they are...
And totally insane guy!
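
The permission problem raised in this reply can be checked on a built or installed bundle. The script below is an added example, not part of the original thread: `audit_bundle` is a hypothetical helper name, and it assumes gid 0 (wheel) and gid 80 (the macOS "admin" group) are the only groups trusted with write access.

```shell
#!/bin/sh
# Added example: flag entries in an app bundle that a non-admin could alter.
# Assumption: only gid 0 (wheel) and gid 80 (macOS "admin") may hold group write.

# audit_bundle DIR  (hypothetical helper name)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_bundle() {
    bundle=$1
    if [ ! -d "$bundle" ]; then
        echo "not a directory: $bundle" >&2
        return 2
    fi
    findings=$(
        # Mode bit o+w: any local account can modify the file, or, for a
        # directory, delete and replace the files inside it.
        find "$bundle" ! -type l -perm -002 -print |
            sed 's/^/world-writable: /'
        # Mode bit g+w where the owning group is not a trusted one.
        find "$bundle" ! -type l -perm -020 ! -perm -002 \
            ! -group 0 ! -group 80 -print |
            sed 's/^/group-writable (untrusted gid): /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run against a path given on the command line, e.g. an installed bundle.
if [ "$#" -gt 0 ]; then
    audit_bundle "$1"
fi
```

The script does not check ownership; a bundle owned by a non-admin account can be altered by that account regardless of the mode bits.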