Re: Running an application owned by a different user
Re: Running an application owned by a different user
- Subject: Re: Running an application owned by a different user
- From: "Finlay Dobbie" <email@hidden>
- Date: Sun, 9 Apr 2006 13:38:57 +0100
On 09/04/06, Paul Forgey <email@hidden> wrote:
> Generally speaking, suid executables are usually a Bad Idea. There
> are very, very few cases where there is no other way to do it, like
> sudo or login. If the target user is privileged your application
> could be abused to gain elevated privileges. Also it won't always
> work of the bundle is hosted on a network or removable drive.
>
> I'd use Authorization Services to become root, then suid to the user
> you want to. I'm not too familiar with the finer points of
> Authorization Services, but I know it can spawn executables as root
> after getting the credentials of a privileged user.
Actually, creating a suid executable is part of the recommended
approach for creating a factored solution with a privileged helper
tool with Authorization Services. The key point is that it's only your
helper tool which needs to provide privileged operations which is
suid, and it should be self-restricting i.e. uses the Authorization
API to determine that the user has valid credentials before performing
any restricted operations.
-- Finlay
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden