Re: launchd and programmatic access
Re: launchd and programmatic access
- Subject: Re: launchd and programmatic access
- From: Jason Coco <email@hidden>
- Date: Fri, 3 Oct 2008 16:36:11 -0400
On Oct 3, 2008, at 16:26 , Damien Sorresso wrote:
On Oct 3, 2008, at 1:05 PM, Jordan K. Hubbard wrote:
On Oct 3, 2008, at 8:02 PM, Damien Sorresso wrote:
The pref pane includes a setuid helper application that does
proper authorization, etc.
Your privileged operations should be done in your daemon. We
heavily discourage the use of setuid tools, and we're actively
trying to cleanse the system of them.
Just so I understand what you're advocating here... Are you
seriously suggesting that the entire daemon should be privileged
rather than using a privilege-separated helper tool? That seems to
run counter to generally accepted security practices (make
privileged things as small as possible), so I must be mis-parsing
your recommendations here...
He mentioned that his daemon's plist lives in /Library/LaunchDaemons
and that it was a privileged operation to talk to it, and I
mistakenly interpreted that as "My daemon is running as root", which
is not necessarily true.
So no, I'm not advocating that all system-wide daemons run as root;
I mistakenly concluded that his was.
Actually, it is because it needs to bind to a privileged port.
I have another question, tho, Damien. If I want to use a UNIX socket
to do the IPC, do I have to create the socket myself? launchd doesn't
seem to create and
bind it when I use the SockPathName key...
J
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden