how to run my app in privileged mode

Michael Vannorsdel mikevann at gmail.com
Wed Jun 4 03:24:56 PDT 2008


There are programmer mistakes to be made for any kind of privileged  
program, AppKit or not.  Foundation has NSTask which allows you to run  
shell scripts, scripts that can be modified to do other unintended and  
damaging things.  But I don't see this as a reason Foundation tools  
should never be used as a privileged process.  Any privileged process  
can be labeled as "evil" given theoretical possibilities.  In the end  
privileged AppKit processes are fully supported on Mac OS X and it's  
ultimately up to the programmer to ensure every effort has been made  
to protect against abuse.  AppKit does add some different gotchas but  
I wouldn't go as far as to say it will always be "evil".

To the OP: the AppleScript issues should be taken seriously of  
course.  But until he says otherwise I don't want to assume he's  
incapable of properly handling a privileged application.


On Jun 3, 2008, at 7:16 PM, Charles Srstka wrote:

> Just to explain a bit *why* this is evil and why you absolutely  
> should not do this, here's a little demonstration which you can try  
> on your own machine if you like:
>
> my-machine:~ me$ sudo -s
> Password:
> bash-3.2# /Applications/TextEdit.app/Contents/MacOS/TextEdit &
> [1] 51668
> bash-3.2# exit
> exit
> my-machine:~ me$ mkdir testfolder
> my-machine:~ me$ touch testfolder/testfile
> my-machine:~ me$ sudo chown root:wheel testfolder
> my-machine:~ me$ sudo chmod 700 testfolder
> my-machine:~ me$ ls -l testfolder
> ls: testfolder: Permission denied
> my-machine:~ me$ osascript -e 'tell application "TextEdit" to do shell script "ls -l ~/testfolder"'
> -rw-r--r--  1 me  me  0 Jun  3 20:09 testfile
>
> As you can see from the above example, if a Cocoa app is running as  
> root, AppleScript combined with "do shell script" can be used by any  
> unprivileged user to run commands as root. Effectively this means  
> that if even a single Cocoa app is running as root, you've  
> effectively given root access to every other binary on the entire  
> system. Needless to say, that's a bad thing.
>
> Personally, I consider this a large security flaw in OS X, since  
> it's easily possible for a developer to do what the OP here is  
> thinking of doing, and the user could run this without necessarily  
> realizing what is going on, and it would open the door for any virus  
> or trojan to become root and take over the whole system. However,  
> every time I report this, it gets flagged as "Behaves Correctly"  
> because GUI apps aren't supposed to run as root anyway. Well yes,  
> they're not. But what if they *do* somehow? :-/
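Added example, not from either poster: a small POSIX sh check that a defender can run to spot the precondition Charles's demonstration relies on, a GUI application bundle executing as root. It assumes macOS `ps -axo user=,pid=,comm=` output, where `comm` carries the executable's full path, and treats any root process living under `*.app/Contents/MacOS/` as a finding; the sample listing below is constructed, not captured from a real machine.

```shell
# audit_root_gui_procs: read "user pid comm" lines on stdin and print
# "pid comm" for every process that runs as root from inside an .app
# bundle. Reading `comm` as the last variable keeps paths that contain
# spaces intact.
audit_root_gui_procs() {
    while read -r user pid comm; do
        [ "$user" = "root" ] || continue
        case "$comm" in
            *.app/Contents/MacOS/*) printf '%s %s\n' "$pid" "$comm" ;;
        esac
    done
}

# Constructed sample listing in the shape of `ps -axo user=,pid=,comm=`
# on macOS (assumption: comm is the full executable path). Two entries
# should be flagged: TextEdit (as in the quoted demonstration) and a
# hypothetical helper app with a space in its path.
SAMPLE_PS='root 1 /sbin/launchd
me 412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
root 51668 /Applications/TextEdit.app/Contents/MacOS/TextEdit
me 700 /Applications/Safari.app/Contents/MacOS/Safari
root 777 /Applications/My Helper.app/Contents/MacOS/My Helper
root 905 /usr/sbin/sshd'

# Offline run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | audit_root_gui_procs

# Live use on a Mac (uncomment to audit the real process table):
# ps -axo user=,pid=,comm= | audit_root_gui_procs
```

Anything the check prints is a process that accepts Apple events from whichever user session it is attached to, so the sensible response is to stop it and move the privileged work into a non-GUI helper rather than to leave the whole app running as root.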


