Re: KUNCUserNotificationCallBack
Re: KUNCUserNotificationCallBack
- Subject: Re: KUNCUserNotificationCallBack
- From: Jeremy Pereira <email@hidden>
- Date: Tue, 21 Aug 2007 08:09:24 +0100
On 20 Aug 2007, at 16:28, Eric Long wrote:
I think you're mixing up what launchd will do. By definition an
agent is running on behalf of a particular user, and thus doesn't run
as root.
o Running a GUI program as root is /strongly/ discouraged.
o Vulnerable to what, exactly?
o Authorization Services already has an architecture for running
GUI-oriented security code as a trusted user that is not run (uid 92,
"securityagent"). This is the user that displays the standard
authorisation dialogs, and that's one of the many reasons we
recommend that you do authorisation via Authorization Services.
If I can't use launchd, I must create my own launch app to keep up
my agent
and add a log-in item for it, my "keep it up" app is being run with
the
log-in user's privileges. Anyone can kill it, then kill the agent,
then I
have no UI to tell the user something is wrong.
No. Only the user that owns the process or a user with admin
privileges. In the former case, see my comments below, in the latter
case you've already lost.
Now, granted, the person killing things off isn't the beneficiary
of the UI
I might present, pre-supposing that this is someone sneaking his
attack
while the user has stepped away and the machine was not locked it in
screensaver mode, or something similar.
I think the ability to subvert your UI agent is the least of the
security issues in this circumstance. The attacker already has
access to all of the logged in person's files including,
incidentally, the ~/Library/LaunchAgents directory.
But, the actual user, on return,
will go on thinking things are normal, if I can't display something to
indicate what happened. I can log the events, sure, but that's not
exactly
the siren I'd like. This is an ongoing protection and I'd like to
be able
to periodically notify the user of the problem until it is corrected.
I could take extreme action and lock everything down to ensure the
user is
protected, but that will lead to confusion unless I can also make
the user
aware of why things are locked down.
Given that the problems with launchd and gui agents is limited to
10.4.x, I
could use the KUNC API still present in 10.4.x to address this
problem only
on those systems. But is that the right thing to do? Is there a
better
way?
Eric
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden