Re: Using the security framework
Re: Using the security framework
- Subject: Re: Using the security framework
- From: Kyle Sluder <email@hidden>
- Date: Sun, 25 Jan 2009 03:19:31 -0500
On Sat, Jan 24, 2009 at 9:29 PM, Michael Ash <email@hidden> wrote:
> I'm afraid I don't understand this advice. Could you explain what sort
> of vulnerability would exist in a custom install tool that would not
> exist when using Installer.app to install a custom package?
It's vulnerable to a timing flaw. In order to securely install a
helper tool, the installation process must run as root. In order to
securely install an installer that runs as root, the installer
installer must run as root. In order to...
Installer.app solves this problem because it's preconfigured to be
secure. You can invoke it to do the privileged installation for you
without opening yourself up to the possibility that in between copying
the file and its later invocation that its contents have been changed.
--Kyle Sluder
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden