On Jan 3, 2006, at 12:14 PM, matt jaffa wrote:
> So my NKE gets the pid of the process sending information out. I send this pid to a daemon that will look up that process path based on the pid using the sysctl KERN_PROC methods. But this sysctl will fail if it is looking up the path on a process owned by root. So my daemon has to be running as root to get this info, and I want to be able to have a daemon for each logged in user so the UI can be displayed to the current active user. I could spawn a process with popen ( ps ) and gather the path that way, but ps will be spawned every time I get a new pid my NKE doesn't know about. Is this a bad thing? Spawning a lot of little "ps" just to get this information.
Don't use popen, as it invokes the shell and that puts you at risk (the shell may be invalid, or its startup files may have been co-opted).
However, given that you're about to draw UI and block waiting for the user, running ps (use a custom output format to override any defaults, and invoke ps via an explicit path) is not going to cause any observable overhead.
Even if your application supports saved rules, running ps once per application is not a major hit.
ps can still be wrong, but it is more likely to both be right and to be maintained in such a fashion that it prints reasonable output.
= Mike
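One way to follow the advice above, as an added example that is not code from the thread: fork and exec ps by absolute path with a fixed argument vector and an explicit output format, so no shell and no environment-supplied defaults are involved. It assumes /bin/ps and the `comm=` format keyword, which both macOS ps and procps ps accept.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>

/* Resolve the command name of `pid` by running ps directly (no shell).
   Assumed constants: /bin/ps and the "comm=" format keyword.
   Returns 0 and fills `out` on success, -1 on any failure. */
int command_for_pid(pid_t pid, char *out, size_t outlen)
{
    int fds[2];
    char pidstr[32];

    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    snprintf(pidstr, sizeof pidstr, "%ld", (long)pid);

    pid_t child = fork();
    if (child < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (child == 0) {
        /* Child: stdout -> pipe, then exec ps by absolute path with a fixed
           argv and an empty environment; nothing is parsed by a shell. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { "ps", "-o", "comm=", "-p", pidstr, NULL };
        char *const envp[] = { NULL };
        execve("/bin/ps", argv, envp);
        _exit(127);
    }
    close(fds[1]);

    /* Parent: read the single output line and drop the trailing newline. */
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    close(fds[0]);
    out[n] = '\0';
    char *nl = strchr(out, '\n');
    if (nl) *nl = '\0';

    int status = 0;
    pid_t w;
    do { w = waitpid(child, &status, 0); } while (w < 0 && errno == EINTR);
    if (w != child || !WIFEXITED(status) || WEXITSTATUS(status) != 0 || out[0] == '\0')
        return -1;
    return 0;
}
```

A pid that does not exist makes ps exit non-zero with no output, which the function reports as -1 rather than returning an empty name.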
Thanks, Matt
On 1/3/06, Mike Smith <email@hidden> wrote: On Jan 3, 2006, at 8:31 AM, matt jaffa wrote:
> I have an NKE project that needs a user space daemon to be running
> to get information back from the user.
> I have this working and everything, and have a daemon launched for
> each individual user that runs the program.
>
> I have my user space daemon with these privileges, 4755, which
> means the setuid bit is set for my daemon executable so that it can
> elevate itself to perform a process id lookup. My question is what
> does Apple/Security feel about my application having the setuid bit
> set?
Matt,
Firstly, many thanks for picking a sensible architecture for your application.
I'm a little confused about "perform a process id lookup" though. What are you trying to do, and what specific interface(s) are you using that require privilege?
As a general rule, having your daemon run setuid inside the user's environment is discouraged.
= Mike