Re: KUNCUserNotificationCallBack
Re: KUNCUserNotificationCallBack
- Subject: Re: KUNCUserNotificationCallBack
- From: Eric Long <email@hidden>
- Date: Mon, 20 Aug 2007 08:28:18 -0700
- Thread-topic: KUNCUserNotificationCallBack
> I think you're mixing up what launchd will do. By definition an
> agent is running on behalf of a particular user, and thus doesn't run
> as root.
> o Running a GUI program as root is /strongly/ discouraged.
>
> o Vulnerable to what, exactly?
>
> o Authorization Services already has an architecture for running
> GUI-oriented security code as a trusted user that is not run (uid 92,
> "securityagent"). This is the user that displays the standard
> authorisation dialogs, and that's one of the many reasons we
> recommend that you do authorisation via Authorization Services.
I get the limitation of not being able to authorize in the kernel. I also
understand that my agent should run in a user session and not as root. I
accept both limitations. But having no ability to even get an alert message
out is a problem for me.
What I'm saying is, launchd runs as root. You cannot kill launchd without
authenticating. I have an agent that runs as it should in each user
session, not as root. Someone could maliciously kill my agent to circumvent
the protection system it is a part of. launchd is extremely fast at
relaunching it. I know it will get relaunched if I can use launchd, unless
someone with root access gets involved trying to kill it. So, I expect to be
able to post UI through it at some instance.
If I can't use launchd, I must create my own launch app to keep up my agent
and add a log-in item for it, my "keep it up" app is being run with the
log-in user's privileges. Anyone can kill it, then kill the agent, then I
have no UI to tell the user something is wrong.
Now, granted, the person killing things off isn't the beneficiary of the UI
I might present, pre-supposing that this is someone sneaking his attack
while the user has stepped away and the machine was not locked it in
screensaver mode, or something similar. But, the actual user, on return,
will go on thinking things are normal, if I can't display something to
indicate what happened. I can log the events, sure, but that's not exactly
the siren I'd like. This is an ongoing protection and I'd like to be able
to periodically notify the user of the problem until it is corrected.
I could take extreme action and lock everything down to ensure the user is
protected, but that will lead to confusion unless I can also make the user
aware of why things are locked down.
Given that the problems with launchd and gui agents is limited to 10.4.x, I
could use the KUNC API still present in 10.4.x to address this problem only
on those systems. But is that the right thing to do? Is there a better
way?
Eric
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden