site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com Thread-index: AcfjPru0+ixFHk8xEdyJjAAX8si2KA== Thread-topic: KUNCUserNotificationCallBack User-agent: Microsoft-Entourage/11.3.6.070618
I think you're mixing up what launchd will do. By definition an agent is running on behalf of a particular user, and thus doesn't run as root.
o Running a GUI program as root is /strongly/ discouraged.
o Vulnerable to what, exactly?
o Authorization Services already has an architecture for running GUI-oriented security code as a trusted user that is not run (uid 92, "securityagent"). This is the user that displays the standard authorisation dialogs, and that's one of the many reasons we recommend that you do authorisation via Authorization Services.
I get the limitation of not being able to authorize in the kernel. I also understand that my agent should run in a user session and not as root. I accept both limitations. But having no ability to even get an alert message out is a problem for me. What I'm saying is, launchd runs as root. You cannot kill launchd without authenticating. I have an agent that runs as it should in each user session, not as root. Someone could maliciously kill my agent to circumvent the protection system it is a part of. launchd is extremely fast at relaunching it. I know it will get relaunched if I can use launchd, unless someone with root access gets involved trying to kill it. So, I expect to be able to post UI through it at some instance. If I can't use launchd, I must create my own launch app to keep up my agent and add a log-in item for it, my "keep it up" app is being run with the log-in user's privileges. Anyone can kill it, then kill the agent, then I have no UI to tell the user something is wrong. Now, granted, the person killing things off isn't the beneficiary of the UI I might present, pre-supposing that this is someone sneaking his attack while the user has stepped away and the machine was not locked it in screensaver mode, or something similar. But, the actual user, on return, will go on thinking things are normal, if I can't display something to indicate what happened. I can log the events, sure, but that's not exactly the siren I'd like. This is an ongoing protection and I'd like to be able to periodically notify the user of the problem until it is corrected. I could take extreme action and lock everything down to ensure the user is protected, but that will lead to confusion unless I can also make the user aware of why things are locked down. Given that the problems with launchd and gui agents is limited to 10.4.x, I could use the KUNC API still present in 10.4.x to address this problem only on those systems. But is that the right thing to do? Is there a better way? Eric _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... This email sent to site_archiver@lists.apple.com