Class hierarchy:

java.lang.Object
  |
  +--app.authkit.tools.tasks.CommonTask
        |
        +--app.authkit.tools.tasks.AppBundleLockdownTask

Summary

public class AppBundleLockdownTask extends app.authkit.tools.tasks.CommonTask {
    // Constructors (1)
    public AppBundleLockdownTask();
    // Methods (1)
    public int perform(String[], Authorization);
}
AppBundleLockdownTask is a Task that locks down app-bundles. It is perform()'ed by a privileged Envoy process, launched by AppBundleLockdown.
When traversing the app-bundle, symlinks are not followed, nor are alias-files resolved. The app-bundle pathname may be a symlink, and it WILL be followed.
Everything in the app-bundle has its setuid and all write-permissions removed. All other permissions (setgid, sticky, read, and execute/search) are unchanged. In effect, the POSIX permissions of each file and directory are AND'ed with 03555 (octal).
Everything in the app-bundle has its owner changed to 'root'. The group is not changed on any file or directory.
The setuid bits are removed to eliminate the possibility of a program gaining elevated privileges simply by having its setuid bit set before changing ownership to 'root', and then becoming setuid-root as a consequence of the ownership change.
The setgid bit is not changed. This poses no added security risk, because the group is not changed either: even if a Trojan-horse file with setgid set were present, it would still be setgid to the same group as before, so no new setgid consequence is introduced.
The commands executed by this Task are platform-specific to Mac OS X. Other Unix-like platforms will have similar commands, but their location and options may differ. I have no idea if Windows has similar commands, nor what they might be.
The shell-equivalents of the commands executed are:
/usr/bin/find -Pdx $ARG -name '.*DS_Store' -type f -exec /bin/rm '{}' ';'
/bin/chmod -RP u-s,a-w $ARG
/usr/sbin/chown -RP root $ARG

Each $ARG is replaced by the pathname of the target app-bundle. The 'find' primary "-delete" isn't used because it's only available on 10.2+. Absolute command pathnames are used to preclude PATH spoofing.
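The same permission rule and traversal behaviour, as an added example that is not part of this class or the project's code: a portable Python version that deletes .DS_Store files, ANDs every mode with 03555 without following symlinks, and then audits the result. The chown to root is left out because it needs privilege; the sample bundle, its setuid helper and the symlink pointing outside it are constructed in a temporary directory for the demonstration.

```python
import fnmatch
import os
import tempfile

MASK = 0o3555   # strip setuid and every write bit; keep setgid, sticky, read and exec/search

def _entries(bundle):
    """Every path below the bundle, deepest first, then the bundle root (its own symlink is followed)."""
    root = os.path.realpath(bundle)
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)
    yield root

def _is_ds_store(path):
    return os.path.isfile(path) and fnmatch.fnmatch(os.path.basename(path), ".*DS_Store")

def lockdown_tree(bundle):
    """Delete .DS_Store files and AND each mode with 03555; chown to root is omitted (needs privilege)."""
    root, applied = os.path.realpath(bundle), {}
    for path in _entries(bundle):
        if os.path.islink(path):
            continue                   # like find -P / chmod -P: the link's target is never touched
        rel = os.path.relpath(path, root)
        if _is_ds_store(path):
            os.remove(path)            # done before the parent directory loses its write bit
            applied[rel] = None
            continue
        old = os.lstat(path).st_mode & 0o7777
        if old & ~MASK:
            os.chmod(path, old & MASK)
        applied[rel] = old & MASK
    return applied

def audit_tree(bundle):
    """Relative paths still violating the rule: bits outside the mask, or a surviving .DS_Store."""
    root = os.path.realpath(bundle)
    return [os.path.relpath(p, root) for p in _entries(bundle) if not os.path.islink(p)
            and (os.lstat(p).st_mode & 0o7777 & ~MASK or _is_ds_store(p))]

def demo():
    """Constructed sample bundle: setuid helper, setgid world-writable dir, .DS_Store, symlink outward."""
    top = tempfile.mkdtemp()
    bundle, outside = os.path.join(top, "Example.app"), os.path.join(top, "outside")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    helper = os.path.join(bundle, "Contents", "MacOS", "helper")
    for f in (helper, os.path.join(bundle, "Contents", ".DS_Store"), outside):
        open(f, "w").close()
    os.chmod(helper, 0o4755)           # setuid executable, the case the text worries about
    os.chmod(outside, 0o666)           # world-writable file that the bundle merely links to
    os.chmod(os.path.join(bundle, "Contents"), 0o2777)
    os.symlink(outside, os.path.join(bundle, "Contents", "link"))
    return lockdown_tree(bundle), audit_tree(bundle), os.lstat(outside).st_mode & 0o7777
```

Running demo() shows the helper ending at 0555, the Contents directory at 02555, the .DS_Store gone, and the linked-to file still at 0666 because the link was not followed.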
Constructors

AppBundleLockdownTask
public AppBundleLockdownTask()
Default constructor
Methods

perform
public int perform(String[] args, Authorization auth)
Perform the actions embodied in this Task, returning a completion-code, which an Envoy then returns to its master.
A value of zero means "success". Non-zero values mean some kind of failure. If this method throws any exceptions, that is also considered a failure.
This method enforces the underlying Authorization policy rules by calling authorize() before anything is done. The Privilege is a root-execute Privilege created by makeExecPrivilege(), without a command-name. We could authorize() each command before exec()'ing it, but that seems a little too much.
If this Task was doing something that should have its own named Privilege, then we'd use that application-specific named Privilege. Since there isn't a specific Privilege, other than the general root-exec one, that's what we authorize().
The authorize() call is not permitted user-interaction, because this code should not be running interactively. Either we already have the Privilege granted, or it's implied by the effective-uid of root, but we do not allow user authentication now. If it fails, it fails, and the Envoy will terminate appropriately.
This use of authorize() is the typical approach to guarding a restricted section of code. Do not omit it just because you think it's safe to assume it's running as root. Good security means not making assumptions.
Implements: perform in interface Task
Freshly brewed Java API Documentation automatically generated with polardoc Version 1.0.7