[launchd-dev] UserName ignored on per-user LaunchAgents

Kevin Van Vechten kvv at apple.com
Wed Dec 5 09:46:03 PST 2007


On Dec 5, 2007, at 9:31 AM, Nathan Duran wrote:

> On Dec 5, 2007, at 12:48 AM, Kevin Van Vechten wrote:
>
>> With launchd, it's now possible to get rid of the setuid binary  
>> (which avoids a whole class of potential privilege escalation  
>> vulnerabilities) and replace it with a LaunchDaemon that executes  
>> in a privileged context.  The Cocoa application can send an IPC  
>> message to the Daemon, and the daemon can perform the privileged  
>> operation (Authorization API can still be used to create an  
>> "external form" that can be validated across the IPC channel).
>
> I'm afraid I don't understand what is meant by the term "external  
> form" here. Are you suggesting that the authorization API be used to  
> prevent rogue applications from utilizing the IPC services vended by  
> the daemon?

The term "external form" is just taken from the relevant Authorization  
API -- AuthorizationMakeExternalForm(...).

<http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/03authtasks/chapter_3_section_3.html>

Depending on the context of the privileged operation, yes, it makes  
sense to vet incoming IPC requests with the Authorization API before  
performing the operation.  For example, we have a launch-on-demand  
helper that performs some privileged operations on behalf of System  
Preferences.app; but it only performs the operation if the  
"system.preferences" right has been acquired (via clicking the lock  
icon in System Preferences).

- Kevin
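
A sketch of the check described in this message, added here as an example; it is not code from the thread or from Apple's helper. The function names and the choice to carry the external form as NSData are assumptions, and the IPC transport itself is left out.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Client side (the unprivileged application): flatten its AuthorizationRef
// into bytes that can be placed in an IPC message to the daemon.
// Hypothetical helper name; returns nil on failure.
static NSData *AuthExternalFormData(AuthorizationRef auth) {
    AuthorizationExternalForm ext;
    if (AuthorizationMakeExternalForm(auth, &ext) != errAuthorizationSuccess)
        return nil;
    return [NSData dataWithBytes:&ext length:sizeof(ext)];
}

// Daemon side: returns YES only if the authorization carried in `blob`
// holds `right` (for example "system.preferences"). Hypothetical helper
// name. Every malformed input or API error is treated as a refusal.
static BOOL RequestIsAuthorized(NSData *blob, const char *right) {
    // The blob comes from an untrusted peer: check its size before copying.
    if (blob == nil || right == NULL ||
        [blob length] != sizeof(AuthorizationExternalForm))
        return NO;

    AuthorizationExternalForm ext;
    [blob getBytes:&ext length:sizeof(ext)];

    AuthorizationRef auth = NULL;
    if (AuthorizationCreateFromExternalForm(&ext, &auth) != errAuthorizationSuccess)
        return NO;

    AuthorizationItem item = { right, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };

    // ExtendRights asks the security server to actually evaluate the right.
    // InteractionAllowed is deliberately left out so the daemon never
    // prompts: a sender that has not already acquired the right is refused.
    AuthorizationFlags flags =
        kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights;
    OSStatus status = AuthorizationCopyRights(auth, &rights,
                                              kAuthorizationEmptyEnvironment,
                                              flags, NULL);

    // Release the daemon's reference without destroying the shared rights.
    AuthorizationFree(auth, kAuthorizationFlagDefaults);
    return status == errAuthorizationSuccess;
}
```

The daemon calls RequestIsAuthorized on every incoming request before performing the privileged operation, and never caches a previous YES for a connection.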

