Re: Safe frameworks for privileged tools?

2008-04-23 Thread Michael Watson

That's a good table to know/have handy. Thanks.

Okay, so LaunchServices is out as well. Is there *any* reliable way to  
know if a directory is a bundle or package without using NSWorkspace  
or LaunchServices? (I'm also going to have to omit Spotlight, since I  
can't be guaranteed it's enabled on a given machine.)



--
m-s

On 23 Apr, 2008, at 00:17, stephen joseph butler wrote:
> On Tue, Apr 22, 2008 at 10:52 PM, Michael Watson mikey-[EMAIL PROTECTED] wrote:
>
>> I would like to use LaunchServices for this, but wasn't sure if it was
>> kosher to link to ApplicationServices.framework from a privileged tool. Are
>> there guidelines as to which frameworks should and shouldn't be used in
>> privileged tools? I know nothing can ever be safe, but some are surely
>> more dangerous than others, and I'd love some guidance.
>
> This is the definitive list of safe frameworks:
>
> http://developer.apple.com/technotes/tn2005/tn2083.html#SECFRAMEWORKCROSSREFERENCE
>
> Unfortunately, ApplicationServices is a no. However, this blog post
> suggests some instances where it might be safe:
>
> http://unixjunkie.blogspot.com/2006/10/launchservices-from-root-daemon.html
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/mikey-san%40bungie.org


This email sent to [EMAIL PROTECTED]



Re: Safe frameworks for privileged tools?

2008-04-23 Thread Kevin Grant

Does the target directory require privilege to see, or does
it just happen to be used by a privileged tool?

If the latter, you could always rely on a 2nd executable
(without privilege) to examine the directory and return its
results to your privileged program.

Kevin G.





Re: Safe frameworks for privileged tools?

2008-04-23 Thread Michael Watson

That's the hang-up. The target directory may require privilege to see.


--
m-s


Re: Safe frameworks for privileged tools?

2008-04-23 Thread Ken Thomases

On Apr 23, 2008, at 1:18 AM, Michael Watson wrote:
> Okay, so LaunchServices is out as well. Is there *any* reliable way
> to know if a directory is a bundle or package without using
> NSWorkspace or LaunchServices?


Here's some info:

http://developer.apple.com/documentation/CoreFoundation/Conceptual/CFBundles/Concepts/BundlesAndFinder.html

Unfortunately, there's still a lot of voodoo left in that.

-Ken
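
An added example, not code from the thread or from the Apple pages it links: one way a privileged tool can approximate the check with libc alone, testing a well-known extension and (on Mac OS X) the Finder bundle bit through a descriptor opened without following a symlink. The function name `looks_like_package`, the extension list and the return codes are assumptions of this example.

```c
#ifdef __APPLE__
#include <sys/xattr.h>            /* fgetxattr */
#else
#define _POSIX_C_SOURCE 200809L   /* O_DIRECTORY, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed, partial extension list. Extensions that applications register as
 * package types are known only to LaunchServices and are not detected here. */
static const char *const kPackageExts[] = {"app", "bundle", "framework", "plugin", "kext", NULL};

int looks_like_package(const char *path) /* 1 package, 0 plain dir, -1 refused */
{
    size_t len = strlen(path);
    if (len == 0 || path[len - 1] == '/')   /* "link/" would bypass O_NOFOLLOW */
        return -1;
    /* Refuse a symlink as the final component and anything that is not a
     * directory; the bundle-bit check below uses this descriptor, not the path. */
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    int result = 0;
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;
    const char *dot = strrchr(name, '.');
    for (size_t i = 0; dot && dot > name && kPackageExts[i]; i++)
        if (strcasecmp(dot + 1, kPackageExts[i]) == 0)
            result = 1;
#ifdef __APPLE__
    /* Bundle bit: Finder flags are the big-endian 16-bit field at offset 8 of
     * the 32-byte com.apple.FinderInfo attribute; kHasBundle is 0x2000. */
    unsigned char fi[32];
    if (!result && fgetxattr(dfd, "com.apple.FinderInfo", fi, sizeof fi, 0, 0) == (ssize_t)sizeof fi)
        result = (((fi[8] << 8) | fi[9]) & 0x2000) != 0;
#endif
    close(dfd);
    return result;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s -> %d\n", argv[i], looks_like_package(argv[i]));
    return 0;
}
```

`O_NOFOLLOW` covers only the last path component; symlinks in intermediate components are still resolved, so the caller decides which parent directories it trusts.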


Re: Safe frameworks for privileged tools?

2008-04-23 Thread stephen joseph butler
On Wed, Apr 23, 2008 at 11:42 AM, Dave Camp [EMAIL PROTECTED] wrote:

> Unless I'm reading the OP wrong, he's writing a privileged helper tool,
> not a daemon. Given that, I don't think the above documents are applicable.


None of what I know is official, but just gathered and extrapolated from
years of reading information about this. So I might be wrong... who knows.

The unsafe frameworks make connections to the default window server. As a
program launched from Finder/Dock/et al, this will always work as expected.
Launched from ssh or root, there are some caveats.

For ssh, they will work fine as long as the same user is logged onto the
GUI. As soon as the user logs out, your program loses its connection and
might crash.

For root, they will work as long as the console user stays the same. If
someone uses fast user switching, or logs out, then the program's connection
changes and it might crash.

In any event, none of the unsafe frameworks are documented as working in any
conditions other than the normal ones. People may get them to work 90% of
the time under other conditions, but that's unsupported and may change.

So unless DTS tells you otherwise, I'd stay away. But that's me... maybe 90%
is good enough for you.

Re: Safe frameworks for privileged tools?

2008-04-23 Thread Michael Watson
Yes, it's a helper tool. It runs for a couple of seconds (under normal  
conditions) and exits immediately. It interacts with the file system  
by reading information about some directories, so its launched  
duration is, of course, bound to the responsiveness of the hard drive  
on which it's operating. As such, a couple of seconds might be five  
or ten seconds on machines where the drive is spinning up, otherwise  
busy, etc. It's certainly possible that someone might invoke fast user  
switching right in the middle of the tool running, but it's /probably/  
not an issue. I'm still not quite convinced it isn't, just yet. I need  
to do more thinking about it. The discussion so far has been very  
helpful.


As far as connecting to the window server goes, Apple states:

http://developer.apple.com/technotes/tn2005/tn2083.html#SECWINDOWSERVER

Apple plans to disable the global window server service in a future  
release of Mac OS X. Do not write any new code that uses the global  
window server service.


So when you say default window server, are you speaking of the  
global window server, or the default window server associated with the  
current console session?



--
m-s



Re: Safe frameworks for privileged tools?

2008-04-23 Thread Chris Suter


On 24/04/2008, at 4:35 AM, Michael Watson wrote:

> Yes, it's a helper tool. It runs for a couple of seconds (under
> normal conditions) and exits immediately. It interacts with the file
> system by reading information about some directories, so its
> launched duration is, of course, bound to the responsiveness of the
> hard drive on which it's operating. As such, a couple of seconds
> might be five or ten seconds on machines where the drive is
> spinning up, otherwise busy, etc. It's certainly possible that
> someone might invoke fast user switching right in the middle of the
> tool running, but it's /probably/ not an issue. I'm still not quite
> convinced it isn't, just yet. I need to do more thinking about it.
> The discussion so far has been very helpful.
>
> As far as connecting to the window server goes, Apple states:
>
> http://developer.apple.com/technotes/tn2005/tn2083.html#SECWINDOWSERVER
>
> Apple plans to disable the global window server service in a future
> release of Mac OS X. Do not write any new code that uses the global
> window server service.
>
> So when you say default window server, are you speaking of the
> global window server, or the default window server associated with
> the current console session?


The document you are looking at is talking about unsafe frameworks for  
daemons. You're writing a helper tool, not a daemon, so it's not  
applicable.


A helper tool (that's run as a helper to a GUI application) will run  
fine linked to any frameworks. If the helper tool is spawned by a GUI  
process, it will inherit its session and so there's no issue with it  
using the global window server service. The only issue is what  
security hazards linking to other frameworks introduce. The idea is  
that you should link to as little as possible so as to minimise the  
risk and you should probably avoid using Objective-C (although I don't  
actually know if there are any security risks from using Objective-C— 
non privileged Input Managers are surely not loaded). I would have  
thought that any security risks that exist from linking to other  
frameworks are considered bugs which means that there won't be a list  
of “safe” frameworks anywhere and if you find any issues, they need to  
be reported to Apple.


Kind regards,

Chris




Safe frameworks for privileged tools?

2008-04-22 Thread Michael Watson

Hey all,

I'm writing a privileged helper tool that at one point needs to  
determine if a given directory is a package. Normally, I'd use  
NSWorkspace, but that's part of AppKit, which is tied to Window  
Server. I don't link to AppKit in my privileged tool, so I don't get  
the oh-so-convenient -isFilePackageAtPath: method.


I would like to use LaunchServices for this, but wasn't sure if it was  
kosher to link to ApplicationServices.framework from a privileged  
tool. Are there guidelines as to which frameworks should and shouldn't  
be used in privileged tools? I know nothing can ever be safe, but  
some are surely more dangerous than others, and I'd love some guidance.



--
m-s

Re: Safe frameworks for privileged tools?

2008-04-22 Thread stephen joseph butler
On Tue, Apr 22, 2008 at 10:52 PM, Michael Watson [EMAIL PROTECTED] wrote:

> I would like to use LaunchServices for this, but wasn't sure if it was
> kosher to link to ApplicationServices.framework from a privileged tool. Are
> there guidelines as to which frameworks should and shouldn't be used in
> privileged tools? I know nothing can ever be safe, but some are surely
> more dangerous than others, and I'd love some guidance.


This is the definitive list of safe frameworks:

http://developer.apple.com/technotes/tn2005/tn2083.html#SECFRAMEWORKCROSSREFERENCE

Unfortunately, ApplicationServices is a no. However, this blog post
suggests some instances where it might be safe:

http://unixjunkie.blogspot.com/2006/10/launchservices-from-root-daemon.html