[launchd-dev] UserName ignored on per-user LaunchAgents
Kevin Van Vechten
kvv at apple.com
Wed Dec 5 14:50:27 PST 2007
On Dec 5, 2007, at 10:11 AM, Nathan Duran wrote:
> On Dec 5, 2007, at 9:46 AM, Kevin Van Vechten wrote:
>> The term "external form" is just taken from the relevant
>> Authorization API -- AuthorizationMakeExternalForm(...).
> Ah, now I remember. That's one of those APIs whose very nature
> encourages code recycling and I know I haven't actually looked at its
> documentation since the last time it was updated.
> So if you still have to present the user with an authentication
> dialog then, from *their* point of view, is there any difference
> between the two methodologies (helper tool vs. daemons-on-demand)?
Absolutely. Helper tools require a setuid executable bit to be set;
they're also inherently less secure -- every environment variable used
by every library linked against is a potential source of attack.
Launch-on-demand helpers start from a clean environment, avoiding this
class of vulnerabilities.
Additionally, setuid executable binaries get in the way of
drag-installs. Today, launch-on-demand helpers present the same obstacles
to drag-installs because we'd recommend secure ownership (root:wheel);
however, this is a matter of policy (permissions are used to establish
trust), not mechanism (setuid is required to escalate privilege). As
we move to better mechanisms for establishing trust (code signing), we
can eventually alleviate the ownership requirements and allow for drag
installs. We're clearly not there yet, but moving to launch-on-demand
is a step in this direction.
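As an added illustration of the policy Kevin describes (not code from the thread or from launchd), the checker below audits a LaunchDaemon plist and the program it points at for the root:wheel ownership and non-writable permissions launchd expects, flags a setuid/setgid bit that a launch-on-demand helper does not need, and checks that the job is actually demand-launched via a MachServices or Sockets key. The fixture builder, the com.example.helper label and the placeholder helper script are constructed for the demonstration.

```python
import os
import plistlib
import stat
import tempfile

def _file_findings(path, what):
    """launchd's load-time policy: owned by root:wheel (uid 0, gid 0), not group/other-writable."""
    st = os.stat(path)
    out = []
    if st.st_uid != 0 or st.st_gid != 0:
        out.append(f"{what}: not owned by root:wheel (uid={st.st_uid}, gid={st.st_gid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{what}: writable by group/other (mode {oct(stat.S_IMODE(st.st_mode))})")
    return out, st

def audit_launchd_helper(plist_path):
    """Return policy findings for a LaunchDaemon plist and the program it launches."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    findings, _ = _file_findings(plist_path, "plist")
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if program is None:
        return findings + ["plist: no Program or ProgramArguments key"]
    prog_findings, st = _file_findings(program, "program")
    findings += prog_findings
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("program: setuid/setgid bit set; launchd already starts a "
                        "LaunchDaemon as root, so the bit only adds attack surface")
    if not (job.get("MachServices") or job.get("Sockets")):
        findings.append("plist: no MachServices or Sockets key, so the helper is not "
                        "launched on demand")
    return findings

def build_fixture(mode):
    """Constructed fixture: a LaunchDaemon plist plus a placeholder helper with the given mode."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "com.example.helper")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(helper, mode)
    plist = os.path.join(d, "com.example.helper.plist")
    with open(plist, "wb") as fh:
        plistlib.dump({"Label": "com.example.helper", "ProgramArguments": [helper],
                       "MachServices": {"com.example.helper": True}}, fh)
    os.chmod(plist, 0o644)
    return plist
```

Running `audit_launchd_helper(build_fixture(0o4755))` reports the setuid bit (and, unless run as root, the ownership mismatch), while a 0o755 helper yields no setuid or writability findings.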