Re: Running an application owned by a different user
  • Subject: Re: Running an application owned by a different user
  • From: "Finlay Dobbie" <email@hidden>
  • Date: Sun, 9 Apr 2006 13:38:57 +0100

On 09/04/06, Paul Forgey <email@hidden> wrote:
> Generally speaking, suid executables are usually a Bad Idea.  There
> are very, very few cases where there is no other way to do it, like
> sudo or login.  If the target user is privileged your application
> could be abused to gain elevated privileges.  Also it won't always
> work if the bundle is hosted on a network or removable drive.
>
> I'd use Authorization Services to become root, then suid to the user
> you want to.  I'm not too familiar with the finer points of
> Authorization Services, but I know it can spawn executables as root
> after getting the credentials of a privileged user.

Actually, creating a suid executable is part of the recommended
approach for creating a factored solution with a privileged helper
tool with Authorization Services. The key point is that it's only your
helper tool which needs to provide privileged operations which is
suid, and it should be self-restricting, i.e. it uses the Authorization
API to determine that the user has valid credentials before performing
any restricted operations.

 -- Finlay