[launchd-dev] Distributed Objects communication with a launchd "on-demand" daemon

Quinn eskimo1 at apple.com
Fri Dec 18 01:38:29 PST 2009


At 00:09 -0500 17/12/09, Frank Rizzo wrote:
>I am trying to create a launchd daemon that is started "on-demand" 
>by a client call to a TCP port number and then communicate with the 
>client via Distributed Objects.

I'd recommend that you think long and hard before taking this 
approach.  There are two issues:

o DO over TCP -- DO over TCP has serious practical issues.  It looks 
like you've switched to Mach messaging anyway, so I won't go into the 
details.

o DO across security domains -- DO is not a great solution for 
cross-security domain communications.  So if your plan is to run your 
DO code as a daemon and make its service available to non-privileged 
users, you should think again.

There are numerous reasons why DO is problematic security-wise.  The 
most obvious is that DO makes heavy use of Cocoa archiving (to 
serialise objects and send them over the wire), and Cocoa archives 
are not recommended across security domains.

<http://developer.apple.com/iPhone/library/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html#//apple_ref/doc/uid/TP40007246>

Beyond that, DO is a huge and complex piece of code with lots of 
flexibility on lots of axes, and adding all of that code to your 
attack surface [1] is a bad idea.

S+E
-- 
Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

[1] <http://en.wikipedia.org/wiki/Attack_surface>
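The practical counterpart to the point about Cocoa archives above: if a daemon must unarchive data that arrived from a less-privileged client, the decode step has to pin the set of classes it is willing to instantiate. The following is an added example, not code from the original post or from Apple's DO implementation; it uses the NSSecureCoding / NSKeyedUnarchiver APIs that appeared in later OS X releases (the error-returning variants need macOS 10.13 or newer, well after this 2009 thread), and the DaemonRequest class, its keys, and the sample payloads are all made up here for illustration.

```objectivec
// Added example (not from the original post): decoding an archive received
// from a less-trusted peer with NSSecureCoding, so that only the classes the
// daemon explicitly allows can be instantiated. Needs macOS 10.13+.
// Build: clang -fobjc-arc -framework Foundation decode.m -o decode
#import <Foundation/Foundation.h>

// Hypothetical message type shared by client and daemon (assumption).
@interface DaemonRequest : NSObject <NSSecureCoding>
@property (nonatomic, copy) NSString *command;
@property (nonatomic) NSInteger timeout;
@end

@implementation DaemonRequest
+ (BOOL)supportsSecureCoding { return YES; }

- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:self.command forKey:@"command"];
    [coder encodeInteger:self.timeout forKey:@"timeout"];
}

- (instancetype)initWithCoder:(NSCoder *)coder {
    if ((self = [super init])) {
        // Ask for one concrete class per key; an archive that stores anything
        // else under "command" fails to decode instead of instantiating it.
        _command = [coder decodeObjectOfClass:[NSString class] forKey:@"command"];
        _timeout = [coder decodeIntegerForKey:@"timeout"];
    }
    return self;
}
@end

// Decode bytes from the wire. Returns nil when the root object is not a
// DaemonRequest; NSKeyedUnarchiver also reports an error through *error if
// it meets any class outside the allowed set while decoding.
static DaemonRequest *DecodeRequest(NSData *wire, NSError **error) {
    NSSet *allowed = [NSSet setWithObjects:[DaemonRequest class],
                                           [NSString class], nil];
    id obj = [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed
                                                 fromData:wire
                                                    error:error];
    return [obj isKindOfClass:[DaemonRequest class]] ? obj : nil;
}

int main(void) {
    @autoreleasepool {
        NSError *err = nil;

        // Constructed sample: a legitimate request, archived with secure coding.
        DaemonRequest *req = [DaemonRequest new];
        req.command = @"status";
        req.timeout = 5;
        NSData *good = [NSKeyedArchiver archivedDataWithRootObject:req
                                             requiringSecureCoding:YES
                                                             error:&err];

        // Constructed sample: an archive whose root is a class (NSArray) the
        // daemon never asked for. A client can send any archive it likes;
        // the allowed-class set is what stops it from being instantiated.
        NSData *bad = [NSKeyedArchiver archivedDataWithRootObject:@[@"not", @"a", @"request"]
                                            requiringSecureCoding:YES
                                                            error:&err];

        err = nil;
        DaemonRequest *accepted = DecodeRequest(good, &err);
        NSLog(@"good archive -> command=%@ error=%@",
              accepted.command, err ? err.localizedDescription : @"none");

        err = nil;
        DaemonRequest *rejected = DecodeRequest(bad, &err);
        NSLog(@"bad archive  -> object=%@ error=%@",
              rejected, err ? err.localizedDescription : @"none");
    }
    return 0;
}
```

The allowed set is the whole defence: every class that may legitimately appear anywhere in the archive (root and members) must be listed, and nothing else. This addresses only the archiving hazard the post names; it does nothing about the broader attack surface of DO itself, which is the second reason given above for keeping DO out of cross-security-domain paths.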