[launchd-dev] Distributed Objects communication with a launchd "on-demand" daemon
Quinn
eskimo1 at apple.com
Fri Dec 18 01:38:29 PST 2009
At 00:09 -0500 17/12/09, Frank Rizzo wrote:
>I am trying to create a launchd daemon that is started "on-demand"
>by a client call to a TCP port number and then communicate with the
>client via Distributed Objects.
I'd recommend that you think long and hard before taking this
approach. There are two issues:
o DO over TCP -- DO over TCP has serious practical issues. It looks
like you've switched to Mach messaging anyway, so I won't go into the
details.
o DO across security domains -- DO is not a great solution for
cross-security domain communications. So if your plan is to run your
DO code as a daemon and make its service available to non-privileged
users, you should think again.
There are numerous reasons why DO is problematic security-wise. The
most obvious is that DO makes heavy use of Cocoa archiving (to
serialise objects and send them over the wire), and Cocoa archives
are not recommended across security domains.
<http://developer.apple.com/iPhone/library/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html#//apple_ref/doc/uid/TP40007246>
Beyond that, DO is a huge and complex piece of code with lots of
flexibility on lots of axes, and adding all of that code to your
attack surface [1] is a bad idea.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
[1] <http://en.wikipedia.org/wiki/Attack_surface>
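An added illustration of the point about Cocoa archiving, not part of Quinn's message or of any Apple sample code: if a daemon must accept a Cocoa archive from a less-privileged client, the decode should name the one class it expects and then range-check every field, instead of letting the unarchiver instantiate whatever the peer put in the archive. The `LookupRequest` class, its field names and the size limits are hypothetical; the NSSecureCoding protocol and the class-restricted `NSKeyedUnarchiver` entry point postdate the 2009 message (they arrived in 10.8 and 10.13 respectively), so this is the modern mitigation, not an option the original poster had.

```objc
#import <Foundation/Foundation.h>

// Hypothetical request type: the one object shape the daemon is willing to decode.
@interface LookupRequest : NSObject <NSSecureCoding>
@property (nonatomic, copy) NSString *name;
@property (nonatomic) NSInteger limit;
@end

@implementation LookupRequest
+ (BOOL)supportsSecureCoding { return YES; }

- (instancetype)initWithCoder:(NSCoder *)coder {
    self = [super init];
    if (self) {
        // decodeObjectOfClass: rejects an archive whose "name" value is not an NSString.
        _name  = [coder decodeObjectOfClass:[NSString class] forKey:@"name"];
        _limit = [coder decodeIntegerForKey:@"limit"];
    }
    return self;
}

- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:self.name forKey:@"name"];
    [coder encodeInteger:self.limit forKey:@"limit"];
}
@end

static NSError *RequestError(NSString *why) {
    return [NSError errorWithDomain:@"LookupRequest" code:1
                           userInfo:@{NSLocalizedDescriptionKey: why}];
}

// Decode bytes that arrived from a client in another security domain.
// Returns nil and sets *error on anything that is not a well-formed LookupRequest.
static LookupRequest *DecodeRequest(NSData *data, NSError **error) {
    // Hypothetical cap: a request is tiny, so refuse large archives before parsing.
    if (data.length > 4096) {
        if (error) *error = RequestError(@"archive too large");
        return nil;
    }
    // Only LookupRequest (and the NSString it contains) may be instantiated.
    LookupRequest *req = [NSKeyedUnarchiver unarchivedObjectOfClass:[LookupRequest class]
                                                           fromData:data
                                                              error:error];
    if (req == nil) return nil;
    // The archive decoded; the values still come from the peer, so bound them.
    if (req.name.length == 0 || req.name.length > 255) {
        if (error) *error = RequestError(@"name missing or too long");
        return nil;
    }
    if (req.limit < 1 || req.limit > 1000) {
        if (error) *error = RequestError(@"limit out of range");
        return nil;
    }
    return req;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample: a well-formed request, archived as a client would send it.
        LookupRequest *r = [LookupRequest new];
        r.name = @"alice";
        r.limit = 10;
        NSData *good = [NSKeyedArchiver archivedDataWithRootObject:r
                                             requiringSecureCoding:YES error:NULL];
        // Constructed sample: an archive whose root object is some other class.
        NSData *bad = [NSKeyedArchiver archivedDataWithRootObject:@[@"not", @"a", @"request"]
                                            requiringSecureCoding:YES error:NULL];

        NSError *err = nil;
        LookupRequest *ok = DecodeRequest(good, &err);
        NSLog(@"good archive -> name=%@ limit=%ld", ok.name, (long)ok.limit);

        err = nil;
        LookupRequest *rejected = DecodeRequest(bad, &err);
        NSLog(@"bad archive  -> %@ (%@)", rejected, err.localizedDescription);
    }
    return 0;
}
```

The two checks do different jobs: the class restriction stops the unarchiver from constructing arbitrary objects the client names, and the range checks stop a correctly-typed but hostile value from reaching the privileged code path. Neither shrinks the archiver itself, which is why Quinn's advice is to keep a general-purpose serialiser out of a cross-domain interface altogether where you can.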