Re: Allow only root/admin users to execute the cocoa app
- Subject: Re: Allow only root/admin users to execute the cocoa app
- From: Gwynne Raskind <email@hidden>
- Date: Mon, 25 Jan 2010 02:09:11 -0500
On Jan 25, 2010, at 1:47 AM, vincent habchi wrote:
>>> I want to allow my cocoa app to be only launched by root/admin users.
>>> How can i achieve this?
>> As I think has already been mentioned, the UNIX approach is to set the application's owner as root and then make it only executable by the owner. However, Apple largely discourages programmers from developing Cocoa apps that will be run with root privileges.
> I know that, but, up to this point, I have failed to find any reasonable reason ;) that could justify this point of view, especially since it is always possible to drop root privileges at whatever point, just like postfix or named do. I don't see why being root is permissible for CLI apps and not for GUI ones.
Because that's what the security model of OS X is built around. First and foremost, CLI programs have a much smaller attack surface than GUI apps, since they link to much less code and interact with much less of the system.
Secondly, separating your root code into another process limits the possible exploits, and the possible accidents, by quite a bit. You have less code to secure against privilege escalation attacks.
Thirdly, to my knowledge, AppKit assumes itself to be running as the user logged into the window server session it connected with at startup; having an euid of root might well cause several bits of Cocoa to behave weirdly or completely fail.
Fourthly, as Clark mentioned, code can be injected into running processes in a Mach system, which makes dropping privileges with seteuid(getuid()) completely useless - the injected code can just seteuid(0) and get root back from the saved-set-user-ID. And if you drop them with setuid(getuid()), you've lost access to the root privileges you wanted anyway, assuming an injected attack vector doesn't run before you make the call anyway.
Finally, in general it's good practice on any system (be it OS X, Windows, or any UNIX flavor) to run with as few privileges as you need at any given time. Security conscious users and the paranoid like myself are liable to kill a process that's running as root without a visible reason, most especially a GUI process doing so.
What exactly are you trying to do that requires running as root? You can verify that a user has an admin account with Authorization Services at startup, then use the same APIs to run a tool to do your root work as necessary. As Todd pointed out, Apple provides a very complete set of code for doing this in BetterAuthorizationSample.
-- Gwynne
Cocoa-dev mailing list (email@hidden)