[launchd-dev] UserName ignored on per-user LaunchAgents
Kevin Van Vechten
kvv at apple.com
Wed Dec 5 09:46:03 PST 2007
On Dec 5, 2007, at 9:31 AM, Nathan Duran wrote:
> On Dec 5, 2007, at 12:48 AM, Kevin Van Vechten wrote:
>> With launchd, it's now possible to get rid of the setuid binary
>> (which avoids a whole class of potential privilege escalation
>> vulnerabilities) and replace it with a LaunchDaemon that executes
>> in a privileged context. The Cocoa application can send an IPC
>> message to the Daemon, and the daemon can perform the privileged
>> operation (Authorization API can still be used to create an
>> "external form" that can be validated across the IPC channel).
> I'm afraid I don't understand what is meant by the term "external
> form" here. Are you suggesting that the authorization API be used to
> prevent rogue applications from utilizing the IPC services vended by
> the daemon?
The term "external form" is just taken from the relevant Authorization
API -- AuthorizationMakeExternalForm(...).
Depending on the context of the privileged operation, yes, it makes
sense to vet incoming IPC requests with the Authorization API before
performing the operation. For example, we have a launch-on-demand
helper that performs some privileged operations on behalf of System
Preferences.app; but it only performs the operation if the
"system.preferences" right has been acquired (via clicking the lock
icon in System Preferences).
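Added example (not code from the post, Apple, or the launchd project): the client/daemon exchange Kevin describes, written as a single Objective-C file that is really plain C against Security.framework (build with clang -framework Security). The unprivileged Cocoa side acquires the "system.preferences" right named in the post and serializes its AuthorizationRef with AuthorizationMakeExternalForm; the launchd helper rehydrates the blob with AuthorizationCreateFromExternalForm and re-asks Security Server for the right before doing anything privileged. The IPC transport itself is left abstract (the comment marks where the 32-byte external form would be sent); the function names and the main() driver are the example's own.

```objective-c
// Added example: Authorization "external form" across an IPC boundary.
// Client and daemon halves are shown in one file for readability; in a real
// deployment they are two processes (the Cocoa app and the launchd helper).
#import <Security/Security.h>
#include <stdio.h>
#include <stdbool.h>

// Right named in the post; its policy lives in the authorization database
// (/etc/authorization on systems of that era).
#define kPrefsRight "system.preferences"

// Client side (unprivileged Cocoa app).  Acquire the right up front -- this is
// the same check behind the lock icon in System Preferences -- and serialize
// the authorization reference for transport.  Returns false on any failure.
static bool client_make_external_auth(AuthorizationExternalForm *outExt,
                                      AuthorizationRef *outRef)
{
    AuthorizationRef ref = NULL;
    OSStatus st = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                      kAuthorizationFlagDefaults, &ref);
    if (st != errAuthorizationSuccess)
        return false;

    AuthorizationItem item = { kPrefsRight, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    // InteractionAllowed lets SecurityAgent prompt the user, ExtendRights
    // actually grants the right, PreAuthorize records it in the session
    // without performing any operation yet.
    AuthorizationFlags flags = kAuthorizationFlagInteractionAllowed |
                               kAuthorizationFlagExtendRights |
                               kAuthorizationFlagPreAuthorize;
    st = AuthorizationCopyRights(ref, &rights, kAuthorizationEmptyEnvironment,
                                 flags, NULL);
    if (st != errAuthorizationSuccess) {
        AuthorizationFree(ref, kAuthorizationFlagDefaults);
        return false;
    }

    // The external form is an opaque, fixed-size blob
    // (kAuthorizationExternalFormLength bytes) that can cross any IPC channel.
    st = AuthorizationMakeExternalForm(ref, outExt);
    if (st != errAuthorizationSuccess) {
        AuthorizationFree(ref, kAuthorizationFlagDefaults);
        return false;
    }
    *outRef = ref;   // must stay alive until the daemon has finished with it
    return true;
}

// Daemon side (root, launched on demand by launchd).  Do not trust anything
// in the request body; rebuild the AuthorizationRef from the blob and ask
// Security Server whether that session really holds the right.
static bool daemon_caller_holds_right(const AuthorizationExternalForm *ext,
                                      const char *right)
{
    AuthorizationRef ref = NULL;
    if (AuthorizationCreateFromExternalForm(ext, &ref) != errAuthorizationSuccess)
        return false;   // not a valid, live authorization reference

    AuthorizationItem item = { right, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    // Deliberately no kAuthorizationFlagInteractionAllowed: a daemon has no
    // UI, so the check succeeds only on what the client already acquired,
    // and otherwise fails closed.
    OSStatus st = AuthorizationCopyRights(ref, &rights,
                                          kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(ref, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;
}

int main(void)
{
    AuthorizationExternalForm ext;
    AuthorizationRef clientRef = NULL;

    if (!client_make_external_auth(&ext, &clientRef)) {
        fprintf(stderr, "client: could not acquire %s\n", kPrefsRight);
        return 1;
    }
    // ... client sends ext.bytes (sizeof ext) to the helper over its IPC
    //     channel (Mach message, CFMessagePort, Unix socket, etc.) ...

    // Helper, on receipt of the blob:
    bool ok = daemon_caller_holds_right(&ext, kPrefsRight);
    printf("daemon: %s\n", ok ? "right held, performing operation" : "refused");

    // Tear down the client's session once the operation is complete.
    AuthorizationFree(clientRef, kAuthorizationFlagDestroyRights);
    return ok ? 0 : 1;
}
```

Two things to keep in mind when using this pattern. The external form only proves that the sending process holds a reference to an authorization session in which the right was granted; it says nothing about the content of the request, so the helper still has to validate every argument it receives (paths, identifiers, sizes) as hostile input. And because the daemon runs without a UI, it should never pass kAuthorizationFlagInteractionAllowed: if the client did not already acquire the right, the correct outcome is a refusal, not a prompt from a root process.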