site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com On 20 Aug 2007, at 16:28, Eric Long wrote: I think you're mixing up what launchd will do. By definition an agent is running on behalf of a particular user, and thus doesn't run as root. o Running a GUI program as root is /strongly/ discouraged. o Vulnerable to what, exactly? o Authorization Services already has an architecture for running GUI-oriented security code as a trusted user that is not run (uid 92, "securityagent"). This is the user that displays the standard authorisation dialogs, and that's one of the many reasons we recommend that you do authorisation via Authorization Services. Eric _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/adc%40jeremyp.net This email sent to adc@jeremyp.net _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... If I can't use launchd, I must create my own launch app to keep up my agent and add a log-in item for it, my "keep it up" app is being run with the log-in user's privileges. Anyone can kill it, then kill the agent, then I have no UI to tell the user something is wrong. No. Only the user that owns the process or a user with admin privileges. In the former case, see my comments below, in the latter case you've already lost. Now, granted, the person killing things off isn't the beneficiary of the UI I might present, pre-supposing that this is someone sneaking his attack while the user has stepped away and the machine was not locked it in screensaver mode, or something similar. I think the ability to subvert your UI agent is the least of the security issues in this circumstance. The attacker already has access to all of the logged in person's files including, incidentally, the ~/Library/LaunchAgents directory. But, the actual user, on return, will go on thinking things are normal, if I can't display something to indicate what happened. I can log the events, sure, but that's not exactly the siren I'd like. This is an ongoing protection and I'd like to be able to periodically notify the user of the problem until it is corrected. I could take extreme action and lock everything down to ensure the user is protected, but that will lead to confusion unless I can also make the user aware of why things are locked down. Given that the problems with launchd and gui agents is limited to 10.4.x, I could use the KUNC API still present in 10.4.x to address this problem only on those systems. But is that the right thing to do? Is there a better way? This email sent to site_archiver@lists.apple.com