On Aug 21, 2009, at 1:33 AM, Seth Willits wrote:

I'm looking at some code* in an app which uses a helper tool, in order to open and read the contents of a protected file. Normally the user does not have privileges to read this file, hence the authorization. Here's the process it goes through:


App:
        AuthorizationCreate
        AuthorizationCopyRights(my.right, PreAuthorize | ExtendRights)
        AuthorizationMakeExternalForm
        Create a pipe, fork, child does execle(path/to/tool)
        Write the external form of the auth ref to the pipe the tool has open

Tool:
        AuthorizationCreateFromExternalForm
        AuthorizationCopyRights(my.right, ExtendRights)
        descriptor = open(path/to/file, O_RDONLY)
        Send the descriptor back to the app on the pipe
        exit

App:
        Gets the descriptor back from the tool
        fdopen(descriptor)
        ... read from the file all it wants ...

First, you should consider replacing all of the above with an invocation of the authopen tool. See its man page and do a full-text search for it in Xcode.


I don't understand how the app is allowed to use that file descriptor to read the file's contents. The tool is running as root, so it's obvious that it is able to open the file, but how can another process just start using that descriptor? Is it because it's the parent process? If so: I always thought that only worked the other way around - child processes could use *parent* process descriptors. If NOT, then what is it? The app only preauthorized some arbitrary right, it didn't actually get any privileges to open and read a protected file.

As Dave Keck said, you can pass file descriptors between processes. The second bit of information is that permissions are tested at the time of the open(). Once you have the file descriptor, you can use it without further checks. For example, it's best practice for a privileged tool to drop its privileges after it's used them. So, it might open all files requiring root access privileges, drop root privilege, and then use the opened files. (In this case, the tool exits immediately, so that's not necessary.)

Anyway, this principle applies to the recipient of the file descriptor, too. In this case, it's the parent process, but that's not particularly relevant.

Regards,
Ken
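The hand-off Ken describes, as an added example that is not from this thread or from Apple's code: a child "tool" does the only open() of the path and passes the open descriptor back to its parent, which then reads through it with no further permission check. It assumes a Unix-domain socketpair in place of the plain pipe in the post (SCM_RIGHTS needs a socket), and leaves the Authorization Services calls out.

```c
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pass fd over sock as SCM_RIGHTS ancillary data; 0 on success, -1 on failure. */
static int send_fd(int sock, int fd) {
    char byte = 0, cbuf[CMSG_SPACE(sizeof(int))]; struct iovec iov = { &byte, 1 };
    struct msghdr msg; memset(&msg, 0, sizeof msg); memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));   /* kernel duplicates the fd for the receiver */
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from sock; returns the new local fd, or -1. */
static int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))]; struct iovec iov = { &byte, 1 };
    struct msghdr msg; memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;   /* EOF: tool sent nothing */
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}

/* App side (assumed name): fork a tool that opens path and hands the fd back;
   read up to n-1 bytes through it into out. Returns bytes read, or -1. */
ssize_t read_via_tool(const char *path, char *out, size_t n) {
    int sv[2], fd; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                     /* tool: permission is checked at open() */
        close(sv[0]);
        if ((fd = open(path, O_RDONLY)) >= 0) send_fd(sv[1], fd);
        _exit(0);
    }
    close(sv[1]);
    fd = recv_fd(sv[0]);                /* app's own copy of the open descriptor */
    close(sv[0]); waitpid(pid, NULL, 0);
    if (fd < 0) return -1;
    ssize_t got = read(fd, out, n - 1); /* no permission check on read() */
    close(fd); if (got >= 0) out[got] = '\0';
    return got;
}
```

The same mechanism is what lets a privileged tool open what it needs, drop root, and keep using the descriptors, as Ken notes.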

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)