FinkCommander Security

The following is an explanation of how FinkCommander handles user security issues. It presumes a basic familiarity with Unix file permissions.

Thanks to Cocoa developer Dave Love, FinkCommander has since version 0.4.0 used Apple's Security Framework to authorize commands requiring root privileges. An application needs root privileges in order to modify files and directories, such as those in your Fink installation, that are owned by root.

To obtain root privileges, earlier versions of FinkCommander asked for a user's password in a custom dialog sheet and then passed it along to the sudo command. The current version, consistent with Apple's recommendations, calls on OS X's security server to obtain authorization and never touches the user's password.

In order to use the security server in the manner recommended by Apple, the FinkCommander application bundle must include an auxiliary program, or "tool." The tool is owned by root and possesses a special file permission called "setuid."

Unix processes ordinarily acquire the identity, and therefore the file permissions, of the user who starts the process. A process started by a program with setuid permission, on the other hand, is able to assume the identity of the owner of the program's file. Thus, a program that is owned by root and has setuid permission can modify files owned by root, provided the user supplies an administrative password.

The sudo program mentioned earlier is a familiar example of a setuid tool. If at the command line you type ls -l /usr/bin/sudo, you will see the following result:

---s--x--x 1 root wheel 96384 Sep 18 21:23 /usr/bin/sudo

The "s" appearing where one would ordinarily expect to see an "x" shows that sudo has setuid permission.

When you first install or compile FinkCommander, the tool does not have setuid permission and is not owned by root. The tool therefore re-executes itself using a special authorization function from the Security Framework and makes itself setuid root.

In addition to changing its own permissions, the tool changes the owner of its enclosing directory to root. This is necessary to prevent someone without administrative privileges from replacing the tool. A replacement tool could use the root privileges obtained when you enter your password to do damage to your system or invade your privacy.


Hosted by SourceForge.net

Page last modified: 2009-11-07