On Dec 5, 2007, at 10:11 AM, Nathan Duran wrote:
On Dec 5, 2007, at 9:46 AM, Kevin Van Vechten wrote:
The term "external form" is just taken from the relevant Authorization API -- AuthorizationMakeExternalForm(...).
Ah, now I remember. That's one of those APIs whose very nature encourages code recycling, and I know I haven't actually looked at its documentation since the last time it was updated.
So if you still have to present the user with an authentication dialog then, from *their* point of view, is there any difference between the two methodologies (helper tool vs. daemons-on-demand)?
Absolutely. Helper tools require a setuid executable bit to be set; they're also inherently less secure -- every environment variable used by every library linked against is a potential source of attack. Launch-on-demand helpers start from a clean environment, avoiding this class of vulnerabilities. Additionally, setuid executable binaries get in the way of drag-installs.

Today, launch-on-demand helpers present the same obstacles to drag-installs because we'd recommend secure ownership (root:wheel); however, this is a matter of policy (permissions are used to establish trust), not mechanism (setuid is required to escalate privilege). As we move to better mechanisms for establishing trust (code signing), we can eventually alleviate the ownership requirements and allow for drag installs. We're clearly not there yet, but moving to launch-on-demand is a step in this direction.

- Kevin