On Sun, 10 Mar 2019 at 20:01, Oswald Buddenhagen
<oswald.buddenha...@gmx.de> wrote:
> > [...]
> > With the Keychain access directly from mbsync, however, Keychain can
> > do the access control based on the process's binary, shutting down
> > this particular attack possibility.
> >
> it's a pity the security command does not forward that information to
> the keychain - it would only need to look at its parent process or the
> other end of the pipe.
>
> in principle it would be possible to do just that with a custom
> mbsync-keychain-client tool.

Yes, I considered that initially. But if I wanted to do a proper
solution, then I'd need to look at the content of the binary of the
parent process, store that somewhere in a secure manner (or hardcode
it in), to avoid someone just running an imposter parent. And once any
parent tool is updated the tool would need updating as well, I'd have
to implement a lot of what Keychain already does well.

> > Let me know whether you'd consider merging this or if it needs changes.
>
> i'm not exactly thrilled, but i can see the argument, and the idea
> with the external tool seems slightly over-engineered.
>
> you entirely blew the formatting (tabs and internal spaces).

Ah, right. I should be able to fix that.

> at this time, it's "macOS", not "MacOS X", "OSX", or anything else.

Thanks, I just read up on it. I wasn't aware of that rebranding.

> i'm torn. ^^

Well, no need to decide it in 5 mins. I'll address the things you
pointed out, and perhaps there are other improvements.

Thanks for the quick response and feedback!
  OR


_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
