[launchd-dev] UserName ignored on per-user LaunchAgents

Kevin Van Vechten kvv at apple.com
Wed Dec 5 14:50:27 PST 2007

On Dec 5, 2007, at 10:11 AM, Nathan Duran wrote:

> On Dec 5, 2007, at 9:46 AM, Kevin Van Vechten wrote:
>> The term "external form" is just taken from the relevant  
>> Authorization API -- AuthorizationMakeExternalForm(...).
> Ah, now I remember. That's one of those APIs whose very nature  
> encourages code recycling and I know haven't actually looked at its  
> documentation since the last time it was updated.
> So if you still have to present the user with an authentication  
> dialog then, from *their* point of view, is there any difference  
> between the two methodologies (helper tool vs. daemons-on-demand)?

Absolutely.  Helper tools require a setuid executable bit to be set;  
they're also inherently less secure -- every environment variable used  
by every library linked against is a potential source of attack.   
Launch-on-demand helpers start from a clean environment, avoiding this  
class of vulnerabilities.

Additionally setuid executable binaries get in the way of drag- 
installs.  Today, launch-on-demand helpers present the same obstacles  
to drag-installs because we'd recommend secure ownership (root:wheel);  
however this is a matter of policy (permissions are used to establish  
trust), not mechanism (setuid is required to escalate privilege).  As  
we move to better mechanisms for establishing trust (code signing), we  
can eventually alleviate the ownership requirements and allow for drag  
installs.  We're clearly not there yet, but moving to launch-on-demand  
is a step in this direction.

- Kevin

More information about the launchd-dev mailing list