Re: Using DO to talk to a process running as root
- Subject: Re: Using DO to talk to a process running as root
- From: James Bucanek <email@hidden>
- Date: Sat, 18 Jun 2005 09:20:20 -0700
email@hidden wrote on Saturday, June 18, 2005:
>> Will I have a similar problem? My plan was to launch a setuid
>> tool, have it authorize itself and switch to root, then open up an
>> NSConnection using connectionWithRegisteredName:.
>
>I'm not sure off hand, but I think it's worth trying - I don't think
>running a setuid binary changes the mach namespace (although a new
>SSH session, for example, definitely will... thus my uncertainty -
>see the "DO behavior depends on server launch" thread earlier on this
>list).
I read that thread, but I wasn't sure it was because init and user applications lived in different kernel "worlds," or because they were running as different users. I didn't get any immediate negative feedback, so I went ahead with my plans to use DO between my client and helper tool. I should know in about an hour or two if it's working.
>In any case, however, the official line is that you shouldn't be
>using D.O. in anything running as root, for security reasons. Not
>D.O. specifically, in fact, but any "high" framework like Foundation
>or AppKit. There's a very real danger stemming from Foundation's
>"laziness" when it comes to things like memory management and data
>storage, which could lead to various exploits. Theoretically. I'm
>not aware of any real investigation in this area. Personally I'd
>live dangerously and go ahead with it. :)
That's distressing. I understand (in broad terms) why high level applications shouldn't run as root, but I hadn't heard that one shouldn't use DO to communicate with a server or daemon running as root. The communications between my application and helper are *extremely* complex, and without DO I might as well just scrap my project and look for another job.
Do you have some other information on this?
Personally, I can't see any difference between using DO and opening up a message port and pumping in my own commands using my own protocol. In theory, the would-be attacker still couldn't put anything in that port that the helper didn't understand or was set up to do via the interface object that it vends. And DO probably helps in protecting me against buffer overflow and similar attacks.
--
James Bucanek <mailto:email@hidden>
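The reasoning in the last paragraph, that a DO client can only invoke what the vended interface object "was set up to do", holds only if the helper enforces that interface. A plain NSConnection root object forwards any message its class responds to, which includes every NSObject method, not just the ones declared in the helper's protocol. The example below is added here to illustrate the mitigation; it is not code from this thread or from James Bucanek's project. The service name, the protocol name, the Helper class and the task allowlist are all assumptions made up for the illustration. It shows a root helper vending its object through an NSProtocolChecker, so that Foundation refuses messages outside the declared protocol before they reach the root-running object, and a client that talks to it:

```objc
#import <Foundation/Foundation.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names: the service name, protocol and helper class are
 * assumptions for this example, not anything from the mailing-list thread. */
static NSString * const kHelperServiceName = @"com.example.privileged-helper";

/* The narrow interface the root helper is willing to honour. */
@protocol PrivilegedHelperInterface
- (BOOL)runMaintenanceTask:(in bycopy NSString *)taskName;
@end

@interface PrivilegedHelper : NSObject <PrivilegedHelperInterface>
@end

@implementation PrivilegedHelper
- (BOOL)runMaintenanceTask:(NSString *)taskName
{
    /* The argument arrives from a less-privileged client, so treat it as
     * untrusted: match it against a fixed allowlist and never interpret it
     * as a path or a shell command. (Constructed allowlist for the example.) */
    static NSSet *allowed = nil;
    if (allowed == nil) {
        allowed = [[NSSet alloc] initWithObjects:@"flush-cache", @"rotate-logs", nil];
    }
    if (![taskName isKindOfClass:[NSString class]] || ![allowed containsObject:taskName]) {
        NSLog(@"helper: rejected request for task '%@'", taskName);
        return NO;
    }
    NSLog(@"helper: running task '%@' as uid %d", taskName, (int)getuid());
    /* ... the privileged work for that one task would go here ... */
    return YES;
}
@end

/* Server side (the helper running as root). Wrapping the root object in an
 * NSProtocolChecker makes DO forward only messages declared in the protocol;
 * everything else the helper responds to (NSObject methods such as
 * -performSelector:, -release or -dealloc) is refused instead of invoked. */
static void runHelperServer(void)
{
    PrivilegedHelper *helper = [[PrivilegedHelper alloc] init];
    NSProtocolChecker *checker =
        [NSProtocolChecker protocolCheckerWithTarget:helper
                                            protocol:@protocol(PrivilegedHelperInterface)];
    NSConnection *connection = [[NSConnection alloc] init];
    [connection setRootObject:checker];
    if (![connection registerName:kHelperServiceName]) {
        NSLog(@"helper: could not register '%@' (already running?)", kHelperServiceName);
        exit(1);
    }
    NSLog(@"helper: vending '%@'", kHelperServiceName);
    [[NSRunLoop currentRunLoop] run];
}

/* Client side (the unprivileged application). */
static void runClient(NSString *taskName)
{
    NSDistantObject *proxy =
        [NSConnection rootProxyForConnectionWithRegisteredName:kHelperServiceName host:nil];
    if (proxy == nil) {
        NSLog(@"client: helper is not running");
        exit(1);
    }
    /* Tells the local proxy which methods exist so it need not round-trip for
     * method signatures. This is an optimisation on the client side; the
     * enforcement lives in the helper's NSProtocolChecker. */
    [proxy setProtocolForProxy:@protocol(PrivilegedHelperInterface)];
    BOOL ok = [(id <PrivilegedHelperInterface>)proxy runMaintenanceTask:taskName];
    NSLog(@"client: task '%@' %@", taskName, ok ? @"accepted" : @"rejected");
}

int main(int argc, const char *argv[])
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    if (argc >= 2 && strcmp(argv[1], "--server") == 0) {
        runHelperServer();
    } else if (argc >= 3 && strcmp(argv[1], "--client") == 0) {
        runClient([NSString stringWithUTF8String:argv[2]]);
    } else {
        fprintf(stderr, "usage: %s --server | --client <task>\n", argv[0]);
    }
    [pool release];
    return 0;
}
```

Build with `cc -framework Foundation`, start one copy with `--server` and run another with `--client flush-cache` (accepted) and `--client rm-everything` (rejected by the allowlist). The NSProtocolChecker closes the gap between "what the helper's interface declares" and "what the root object actually responds to"; the allowlist inside the method handles the remaining risk, which is that even a declared method still receives attacker-chosen arguments. Registering a name also does not by itself say who may connect; the NSConnection delegate methods `connection:shouldMakeNewConnection:` and `authenticateComponents:withData:` are the hooks for adding that check.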
Cocoa-dev mailing list (email@hidden)