On Oct 19, 2005, at 21:10, Arno S Hautala wrote:

Why could the command line tool not be run only as root? There are plenty of utilities installed with OS X that are intended to only be run as root or an administrator and the LS GUI requires authentication before configuration or stop/start. By setting the permissions of the command line utility properly the utility would only be able to be run by the root user. As you have said, it is impossible by design to secure a system against the root user, but this design relies on protection measures that should be beyond the worry of any application. The security at that level is in the trust given to administrators of a computer and the trust and knowledge of the user in running applications that request authentication. If the trust is broken by an application that requests authentication and abuses it by subverting LS or other security devices there is really nothing that can be done (as you say, see point 3).

The utility itself is not the security problem. As you say, it could be protected by the system by giving it the proper ownership and permissions so only the root user can use it.

But the utility somehow has to communicate the configuration changes to LittleSnitch (the daemon, the kernel extension, the preference pane) - and this communication channel would be the weak point (howsoever this channel might be constructed, whether by inter process communication or config file exchange).

LittleSnitchCTL in a way suffers from the same problem: To use it, you have to enable the "access for assistive devices" in the "Universal Access" preferences, which itself opens a serious security hole. But LittleSnitchCTL needs some way to communicate with LittleSnitch - as any command line utility for changing the LittleSnitch configuration would need.


Additionally, the command line tool could be an installation option, disabled by default. Finally, a preference in the GUI configuration could allow/disallow configuration by the command line.


I agree - allowing/disallowing it would definitely be necessary. But disallowing it would NOT make it safer! Where would the on/off status of the feature be stored? Usually in the user's prefs - and then it would be a snap for any attacker to change this. Wherever you store the on/off status: The user must have write access to it - and so has any attacking program running with the user's ID...

Of course this is not an unsolvable problem, but it demonstrates the complexity and the dangers that arise with such a simple utility.


As I've said before I can understand if a command line tool isn't at the front of the development schedule for any number of reasons (I'd like to hear those by the way :)), but the last response that it would be a security hole is somewhat baffling and I would like further comments on that.


I hope I could explain our concerns regarding such a utility. Having done so I have to point out that I, being a programmer and used to command lines, would actually like to see a command line interface to LittleSnitch.

But doing it really right and really secure is "quite a bit" of work. I can say for sure that most LittleSnitch users never have used Terminal.app and most likely never will. And as a company we have to focus on what most users need instead of on what we would love to tinker with.

Yours
Karl Schwarzott
--
Objective Development Software GmbH
http://www.obdev.at
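An added illustration of the point about where the on/off flag lives (example code written for this page, not part of the list message or of Little Snitch): it walks from a candidate flag file up to the filesystem root and reports every component a given uid could modify, so a flag kept in the user's own prefs shows up immediately while a root-owned store does not. The file name and the uid 501 are constructed.

```python
import os
import stat
import tempfile

# Constructed helper, not Little Snitch code: could a process running as `uid`
# write one path component, given its stat() owner and mode? Group write is
# counted as writable because the user may be a member of that group.
def component_writable(st_uid: int, st_mode: int, uid: int) -> bool:
    if uid == 0 or st_uid == uid:
        return True
    return bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_flag_store(path: str, uid: int) -> list:
    """Walk from `path` up to the filesystem root and return every existing
    component a process with `uid` could modify. A writable parent directory
    is as bad as a writable file, since the file can simply be replaced."""
    path = os.path.abspath(path)
    findings = []
    while True:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            pass  # not created yet: the parent directory decides who may create it
        else:
            if component_writable(st.st_uid, st.st_mode, uid):
                findings.append(path)
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            return findings
        path = parent

def demo_user_prefs() -> list:
    """Constructed scenario: the on/off flag stored where the user's prefs
    live, i.e. a file owned by the current uid. Returns the audit findings."""
    flag = os.path.join(tempfile.mkdtemp(), "cli-enabled.flag")
    with open(flag, "w") as fh:
        fh.write("enabled = 0\n")
    return audit_flag_store(flag, os.getuid())

if __name__ == "__main__":
    # Flag in user-owned prefs: the file itself (and usually /tmp) is reported.
    for hit in demo_user_prefs():
        print("user-modifiable:", hit)
    # A root-owned location, audited for a constructed non-root uid: nothing reported.
    print("root-owned store findings:", audit_flag_store("/", 501))
```

The same walk applied to any config file or socket the utility uses to talk to the daemon shows whether that channel is reachable by an unprivileged process.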

_______________________________________________
Littlesnitch-talk mailing list
Littlesnitch-talk@obdev.at
http://at.obdev.at/mailman/listinfo/littlesnitch-talk
