Re: Helper tool, root and MoreAuthSample?

  • Subject: Re: Helper tool, root and MoreAuthSample?
  • From: James Bucanek <email@hidden>
  • Date: Wed, 12 Jul 2006 08:05:17 -0700

Fredrik Olsson wrote on Wednesday, July 12, 2006:
>Is there any good reason why I should not do as it is done in TunnelBlick 3?
>There chown and chmod are run with AuthorizationExecuteWithPrivileges to
>fix the helper tool from the main UI app.

That would probably be OK, but not optimal. The take-away lesson from MoreAuthSample (which I personally find confusing, obtuse, and not very well designed) is that you should never authorize your Cocoa application to run as root. Instead, you authorize and run a separate non-Cocoa/non-GUI helper tool to run as root and get the work done. This avoids simple hacks that could compromise your Cocoa application (think Input Manager plug-ins) and it isolates your sensitive code in its own process space.

The other thing you want to avoid is having your Cocoa app become the unwitting dupe that installs malware for a hacker. The security risk of using chmod instead of having a self-installing helper is that it is much easier for a malicious user to substitute *any* executable for the helper that your Cocoa app is installing. The self-installing helper is much more complicated because whatever executable is going to be installed has to correctly communicate with your GUI application and do the work itself. The self-installing helper that I wrote actually has a build-number handshake that occurs before the installation is performed. This would make it very difficult for someone to simply replace your non-privileged helper with, say, a shell program that a hacker could later launch for unfettered access to the entire system. Alternative security schemes would be to checksum or encode the source copy of the executable in some way that would make it difficult to replace.

And remember that the whole SUID thing is just so the user only has to authorize once. Once installed, the helper is "pre-authorized" to do its thing in the future without getting a fresh authorization. If you don't mind bothering the user for authorization every time you need to perform some privileged action, or if it makes more sense to authorize each time, then save yourself a lot of grief and skip the self-installing-SUID-helper flog.

--
James Bucanek
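As an added illustration of the checksum-before-install and build-number-handshake ideas from the reply above (example code written for this page, not from the original post or from MoreAuthSample): the privileged installer refuses to chown/chmod a helper whose file type, permissions or digest are not what the application expects. The build number, the stand-in helper contents and the temporary paths are constructed placeholders.

```python
import hashlib
import os
import stat
import tempfile

APP_BUILD = 1042  # hypothetical build number compiled into app and helper

def sha256_of_file(path):
    """Digest of the candidate helper; the app embeds the expected value at build time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def helper_is_trustworthy(path, expected_digest):
    """Pre-install checks: regular file, not group/other-writable, digest matches."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others"
    if sha256_of_file(path) != expected_digest:
        return False, "digest mismatch"
    return True, "ok"

def handshake_ok(app_build, helper_build):
    """Build-number handshake: only a helper built alongside this app is installed."""
    return app_build == helper_build

def demo():
    """Run the checks against a constructed stand-in helper in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "helper")
        genuine = b"#!/bin/sh\necho constructed helper\n"  # constructed sample
        with open(path, "wb") as f:
            f.write(genuine)
        os.chmod(path, 0o700)
        expected = sha256_of_file(path)  # stands in for the build-time digest
        results["genuine"] = helper_is_trustworthy(path, expected)
        with open(path, "wb") as f:  # contents changed after the build
            f.write(genuine + b"# altered\n")
        results["tampered"] = helper_is_trustworthy(path, expected)
        with open(path, "wb") as f:
            f.write(genuine)
        os.chmod(path, 0o777)  # loosened permissions also block the install
        results["world_writable"] = helper_is_trustworthy(path, expected)
    return results
```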

References: 
 >Re: Helper tool, root and MoreAuthSample? (From: Fredrik Olsson <email@hidden>)
