Re: Security Info

  • Subject: Re: Security Info
  • From: Quinn <email@hidden>
  • Date: Tue, 8 Oct 2002 10:04:36 +0100

At 21:42 +0100 7/10/02, email@hidden wrote:
> Something I am now wondering is why most of the network configuration
> tools are having to re-invent the wheel, with having to add this extra
> external program, which actually does the work. I know each is slightly
> different, but we are all doing basically the same thing.

The backend associated with System Preferences is not public because its design is intimately tied in with the design of System Preferences itself; it was never meant to be an API.

> I have noticed the scselect and scutil, which I'm guessing the network
> system preference uses itself,

That's not right. scselect is used by the Apple menu to switch locations, and scutil is a debugging tool that is only designed for interactive use. Neither of these are the System Preferences backend.

Note that scutil is not setuid. In order to make changes using it you have to already be running as root, so it doesn't buy you anything.

> This will also help if a network administrator wants to
> remove scselect, he can disable the changing of these, but if we are adding
> other utils to do this, this just makes this more of a headache and a
> security issue, as I guess everyone would be using a single point of entry

I'm not sure what Apple's official take on this is (Alan?), but it seems that fork/exec'ing scselect is a pretty reasonable approach to switching locations. That is, after all, what it's designed for. And your rationale about allowing sysadmins to disable location changing is spot on; I even filed a bug against scselect requesting that it integrate with Auth Services in this area [2938322].

The ongoing lack of capabilities-based authorization on Mac OS X is definitely something that Apple is looking at. However, our security engineering team doesn't seem to understand the urgency of this. My recommendation is that you discuss your issues with them on the mailing list where they hang out.

<http://www.lists.apple.com/apple-cdsa>

S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware
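
The fork/exec approach to switching locations discussed in the message above, as an added example that is not part of the original post and not Apple's code. It assumes scselect is installed at /usr/sbin/scselect and exits with status 0 on success; the helper names (`valid_location_name`, `run_helper`, `switch_location`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Assumed install path of scselect on Mac OS X; adjust if your system differs. */
#define SCSELECT_PATH "/usr/sbin/scselect"

/* Reject names that are empty, overlong, or start with '-' so that a
   caller-supplied location can never be parsed by the tool as an option. */
static int valid_location_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    return len > 0 && len < 256 && name[0] != '-';
}

/* Run `path arg` directly (no shell) with a fixed environment.
   Returns the child's exit status, 127 if exec failed, -1 on other errors. */
static int run_helper(const char *path, const char *arg)
{
    char *const argv[] = { (char *)path, (char *)arg, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    int status;
    pid_t pid;
    if (path == NULL || path[0] != '/')   /* absolute path only: no PATH lookup */
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                       /* reached only if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Switch network location by delegating to scselect, the single point of
   entry an administrator can remove or restrict. Assumes exit 0 means success. */
static int switch_location(const char *name)
{
    if (!valid_location_name(name))
        return -1;
    return run_helper(SCSELECT_PATH, name);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s location\n", argv[0]); return 2; }
    return switch_location(argv[1]) == 0 ? 0 : 1;
}
```

Because the program holds no elevated privilege of its own, removing or restricting scselect disables location switching for every tool built this way.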