Re: Delete myDriver.kext files from normal user.
- Subject: Re: Delete myDriver.kext files from normal user.
- From: "Michael Ash" <email@hidden>
- Date: Fri, 17 Oct 2008 21:42:54 -0400
On Fri, Oct 17, 2008 at 8:55 PM, Jonathon Kuo <email@hidden> wrote:
>
> On Oct 17, 2008, at 5:33 PM, Michael Ash wrote:
>
>> And most important of all (I think), it almost always opens a security
>> hole.
>>
>> This case is a great example. The system() call as posted uses "rm" as
>> the command. This in turn relies on the $PATH to hand over the correct
>> rm. It is probably feasible, maybe not even very hard, to ensure that
>> this person's application gets launched with a custom-crafted $PATH.
>> Make the first entry in $PATH be a special directory containing an
>> executable script called "rm" that spawns a root shell and makes it
>> listen on a certain TCP port and, bam, you've just been compromised.
>
>> Certainly there are a lot of ways to write security vulnerabilities.
>> But most of the time they happen because you make a mistake. System()
>> is insecure *by default*, and takes special effort and attention to
>> make it not be insecure. Much better is to simply not use it in the
>> first place, as no good can possibly come of it.
>
> If the coder doesn't take care to use fully qualified pathnames like
> /bin/rm, etc., then it opens the door to security issues. That's not an
> inherent problem with system(), per se, but the coder. Wouldn't
> fork()/exec() and NSTask also suffer from this same issue?
Actually, I'm pretty sure NSTask does not respect $PATH. The
documentation doesn't say, but I'm pretty sure it doesn't, since it
has no reason to.

Fork()/exec() will only use $PATH if you use the "p" variants of the
functions. And as the doctor said to his patient, "well, don't do
that". The non-p variants will not examine $PATH at all.

It is trivial to write code using NSTask or fork()/exec() that can
safely call rm to delete a file. It's foolish to do for non-security
reasons, but the code will at least be *safe*. Doing the same with
system() takes much more attention, especially if anything you're
doing requires variable arguments.

The problems with system() are all rooted in the fact that it
interprets the command using a shell. Searching $PATH, variable
expansion, and special characters can all sink you. Using an API which
doesn't use a shell gets rid of the latter two, and using an API which
also doesn't search $PATH gets rid of all three. There are certainly
other ways to write insecure code, but at least you won't be using a
call which is insecure by default.
Mike
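The two patterns compared in this thread, side by side, as an added C example that is not from the original post: the string-to-shell system("rm ...") call beside the fork()/execv() form with an absolute path and a proper argv. The probe file name (a space in it), the /tmp location, /bin/rm and all function names are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern criticised in the thread: /bin/sh parses the string, so the first
 * "rm" on $PATH runs and spaces or ';' in the name are shell syntax. */
int remove_via_system(const char *path) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "rm %s", path);
    return system(cmd);                   /* nonzero on failure */
}

/* Mike's alternative: fork() plus the non-"p" execv() with an absolute path.
 * No shell, $PATH is never consulted, and the name is one argv entry, so
 * metacharacters are just characters. Returns rm's exit status or -1. */
int remove_via_exec(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "rm", "--", (char *)path, NULL };
        execv("/bin/rm", argv);
        _exit(127);                       /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed probe (assumption): an empty temp file whose name contains a
 * space. The full path is written into buf. */
int make_probe_file(char *buf, size_t n) {
    char tmpl[] = "/tmp/draft copy.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    snprintf(buf, n, "%s", tmpl);
    return close(fd);
}

/* Runs the scenario; returns 0 if behaviour matches the thread's description,
 * otherwise the number of the check that failed. */
int run_demo(void) {
    char path[512];
    if (make_probe_file(path, sizeof path) != 0) return 1;
    if (remove_via_system(path) == 0) return 2;  /* shell split it: "draft", "copy..." */
    if (access(path, F_OK) != 0) return 3;       /* so the real file survived */
    if (remove_via_exec(path) != 0) return 4;
    if (access(path, F_OK) == 0) return 5;       /* the exec version removed it */
    return 0;
}
```

Note that system() reports failure here only because both split-off names happen not to exist; with a name such as "x;true" it would return 0 while still deleting nothing.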
Cocoa-dev mailing list (email@hidden)