On Dec 5, 2007, at 9:31 AM, Nathan Duran wrote:

> On Dec 5, 2007, at 12:48 AM, Kevin Van Vechten wrote:
>
>> With launchd, it's now possible to get rid of the setuid binary (which avoids a whole class of potential privilege escalation vulnerabilities) and replace it with a LaunchDaemon that executes in a privileged context. The Cocoa application can send an IPC message to the Daemon, and the daemon can perform the privileged operation (Authorization API can still be used to create an "external form" that can be validated across the IPC channel).
>
> I'm afraid I don't understand what is meant by the term "external form" here. Are you suggesting that the authorization API be used to prevent rogue applications from utilizing the IPC services vended by the daemon?
The term "external form" is just taken from the relevant Authorization API -- AuthorizationMakeExternalForm(...). <http://developer.apple.com/documentation/Security/Conceptual/authorization_c...
Depending on the context of the privileged operation, yes, it makes sense to vet incoming IPC requests with the Authorization API before performing the operation. For example, we have a launch-on-demand helper that performs some privileged operations on behalf of System Preferences.app, but it only performs the operation if the "system.preferences" right has been acquired (via clicking the lock icon in System Preferences).

- Kevin
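A sketch of both halves of the pattern Kevin describes, added here as an example and not code from the thread or from Apple's helper: the application acquires the "system.preferences" right and serialises its AuthorizationRef with AuthorizationMakeExternalForm, and the daemon rebuilds the reference with AuthorizationCreateFromExternalForm and re-checks the right without allowing interaction before doing any privileged work. The function names and the block-based operation callback are my own, and the IPC transport that carries the 32-byte blob is assumed rather than shown.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// The right named in the thread; System Preferences acquires it via the lock icon.
static const char *kPrefsRight = "system.preferences";

// Client side (the Cocoa application, running in the user's GUI session).
// Acquires the right (may prompt for an admin password) and returns its
// external form as bytes to send over IPC, or nil if the user was refused.
NSData *clientMakeExternalAuthorization(void) {
    AuthorizationRef authRef = NULL;
    if (AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                            kAuthorizationFlagDefaults, &authRef) != errAuthorizationSuccess)
        return nil;
    AuthorizationItem item = { kPrefsRight, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    // Interaction is allowed here only because this runs where UI can be shown.
    AuthorizationFlags flags = kAuthorizationFlagInteractionAllowed |
                               kAuthorizationFlagExtendRights |
                               kAuthorizationFlagPreAuthorize;
    OSStatus status = AuthorizationCopyRights(authRef, &rights, NULL, flags, NULL);
    AuthorizationExternalForm extForm;
    if (status == errAuthorizationSuccess)
        status = AuthorizationMakeExternalForm(authRef, &extForm);
    NSData *blob = (status == errAuthorizationSuccess)
        ? [NSData dataWithBytes:&extForm length:sizeof(extForm)] : nil;
    // Not kAuthorizationFlagDestroyRights: the daemon still needs the credential.
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    return blob;
}

// Daemon side (the LaunchDaemon). Rebuilds the reference from the received bytes
// and re-checks the right with no interaction allowed, so the check succeeds only
// if the caller's session already holds it. Returns NO and does nothing otherwise.
BOOL daemonVerifyAndPerform(NSData *blob, void (^privilegedOperation)(void)) {
    if (blob.length != sizeof(AuthorizationExternalForm)) return NO;
    AuthorizationRef authRef = NULL;
    if (AuthorizationCreateFromExternalForm(
            (const AuthorizationExternalForm *)blob.bytes, &authRef) != errAuthorizationSuccess)
        return NO;
    AuthorizationItem item = { kPrefsRight, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    OSStatus status = AuthorizationCopyRights(authRef, &rights, NULL,
                                              kAuthorizationFlagDefaults, NULL);
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    if (status != errAuthorizationSuccess) return NO;  // e.g. errAuthorizationDenied
    privilegedOperation();
    return YES;
}
```

The daemon deliberately omits kAuthorizationFlagInteractionAllowed: a background process has no UI to prompt with, and a request whose session never acquired the right must fail closed rather than trigger a prompt.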