Create a Sandbox for apps using folder actions
Authored by: SOX on May 27, '04 10:24:07AM
When an application opens another application, the latter runs as the current logged-in user (you), not as the testuser

That's a surprise, I did not know setuid worked that way. In any case this means this is not secure since it can get out of its sandbox and run arbitrary shell scripts. Of course it will probably defeat either badly written dangerous programs or most garden variety malicious programs, neither of which is likely to make the effort needed to get out of the sandbox.


Create a Sandbox for apps using folder actions
Authored by: stcanard on May 27, '04 11:55:56AM

This is actually done for security.

setuid is generally intended to grant elevated (root) privilege to an executable. By reducing the privilege (going back to the original owner) when calling other programs, it reduces the chance of a security breach.

Create a Sandbox for apps using folder actions
Authored by: jpbjpbjpbjpb on May 27, '04 11:28:46PM
That would be because it doesn't work that way. Once you run a setuid program, it, and anything it spawns, runs as that user. It can't change back to your userid unless you've set it to run setuid root, and the hint explicitly mentions running the sandboxed applications as an unprivileged test user, not as root.

Create a Sandbox for apps using folder actions
Authored by: anjoschu on May 28, '04 03:45:50AM
SOX wrote:
I did not know setuid worked that way.

Actually, it's the same with sudo used in the other hint. Someone mentioned in the forums that it doesn't work with open, like in

sudo -u theuser open /Applications/TheApp
and that's right. Same here. I suspect that the applications launch each other via a system call or something that resets the privileges to the logged-in user. Hasn't there recently been talk about something called LaunchServices in connection with the current URL security flaw in Panther? Maybe you could tweak those with an APE haxie or something to keep spawned processes in the Sandbox, but I'm not sure. Anyone got an idea?

SOX wrote:
In any case this means this is not secure since it can get out of it's sandbox and run arbitrary shell scripts.

Exactly the problem. I am hoping since so many people are reading this, someone will come up with an idea on how to prevent apps from escaping.
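A check a practitioner would want after trying the hint, added here as an example and not part of the forum posts or the hint itself: it compares the owner of every running process belonging to the sandboxed app against the test user it was launched as, and reports any that ended up running as the logged-in user. The user names, pids and bundle paths in the sample listing are constructed.

```shell
#!/bin/sh
# Added example: detect app processes that escaped the sandbox user.
# Reads a `ps -axo user=,pid=,comm=` style listing on stdin so it can be
# checked against a constructed sample offline.

# find_escaped <sandbox_user> <app_name>
# Prints "pid owner" for each process of <app_name> not owned by <sandbox_user>.
# Returns 0 when nothing escaped, 1 when at least one process did.
find_escaped() {
    expected_user="$1"
    app_name="$2"
    awk -v want="$expected_user" -v app="$app_name" '
        # $1 = owning user, $2 = pid, rest = command path
        index($0, app) == 0 { next }   # not part of this app bundle
        $1 == want { next }            # still running as the sandbox user: fine
        { print $2, $1; escaped = 1 }  # launched as someone else
        END { exit escaped ? 1 : 0 }
    '
}

# Constructed sample: TheApp was started with
#   sudo -u testuser open /Applications/TheApp
# but the Helper it launched is now owned by the logged-in user "alice",
# which is exactly the escape the thread above is discussing.
SAMPLE_PS='testuser 4210 /Applications/TheApp.app/Contents/MacOS/TheApp
alice    4215 /Applications/TheApp.app/Contents/Helper.app/Contents/MacOS/Helper
alice     120 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'

# Runs the check over the constructed sample; exit status is find_escaped's.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_escaped testuser TheApp
}

# Live use on the Mac after launching the app as the test user:
#   ps -axo user=,pid=,comm= | find_escaped testuser TheApp
```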