Re: Executing an application
- Subject: Re: Executing an application
- From: Jacques Vidrine <email@hidden>
- Date: Mon, 13 Oct 2008 09:44:05 -0700
On Oct 11, 2008, at 9:23 PM, Todd Heberlein wrote:
> Double-clicking an app will cause launchd to fork and start the
> process. On Leopard posix_spawn is used to start the new process.
> E.g.
> Looking at the launchd source code, it looks like it sets the
> appropriate audit mask *before* calling posix_spawn().
> So is it possible that posix_spawn() doesn't create an audit record?
> This seems challenging... there may be no way to identify in the
> audit trail the name of a program started with launchd (?). This
> will make security auditing difficult.
It is likely that there are some launchd code paths which do not
result in setting the audit mask before invoking posix_spawn(). There
is significant remediation and enhancement work happening in this area
for Snow Leopard.
Cheers,
--
Jacques