On Friday, October 21, 2005, at 06:02AM, LittleSnitch Support <[EMAIL PROTECTED]> wrote:

>On Oct 19, 2005, at 21:10, Arno S Hautala wrote:
>
>> Why could the command line tool not be run only as root?
>
>The utility itself is not the security problem.
>
>But the utility somehow has to communicate the configuration changes  
>to LittleSnitch (the daemon, the kernel extension, the preference  
>pane) - and this communication channel would be the weak point  
>(howsoever this channel might be constructed, whether by inter  
>process communication or config file exchange).

Ok, here I get to be fancy :)  I've been thinking about this very issue.  My 
conclusion was to allow the command line utility to adjust the rule list and 
also write out the new hash.  The utility could then send a command to the KEXT 
or daemon indicating that the rules have changed and need to be updated.  By 
providing only a communication means to say "update from the rule list" I think 
it eliminates most of the problem.  The only vulnerability is the config file, 
which should be owned and writeable only by root.  Let me know if I've missed 
something.

>> Additionally, the command line tool could be an installation  
>> option, disabled by default.  Finally, a preference in the GUI  
>> configuration could allow/disallow configuration by the command line.
>
>I agree - allowing/disallowing it would definitely be necessary. But  
>disallowing it would NOT make it safer! Where would the on/off status  
>of the feature be stored? Usually in the users prefs - and then it  
>would be a snap for any attacker to change this. Wherever you store  
>the on/off status: The user must have write access to it - and so has  
>any attacking program running with the users ID...

But the command line tool would still need to be run as root.  I guess the 
on/off is simply peace of mind for the user.  The on/off could also 
install/remove the tool as necessary.

In the end I think it still comes down to finding a way such that root is the 
only security hole.  That's not too hard right? ;)

>I hope I could explain our concerns regarding such a utility. Having  
>done so I have to point out that I, being a programmer and used to  
>command lines, would actually like to see a command line interface to  
>LittleSnitch.

:-D

>But doing it really right and really secure is "quite a bit" of work.  
>I can say for sure that most LittleSnitch users never have used  
>Terminal.app and most likely never will. And as a company we have to  
>focus on what most users need instead of on what we would love to  
>tinker with.

Well, I still hope to see this in the future.  Hopefully with Tiger's frozen 
APIs you won't have to worry about incompatibilities as much and might have 
time for this in the future.

It has my vote anyway.

Thanks for your responses, I look forward to seeing what's in store for LS.

--                                                 --
arno  s  hautala         /-\           [EMAIL PROTECTED]
--                                                 --
_______________________________________________
Littlesnitch-talk mailing list
Littlesnitch-talk@obdev.at
http://at.obdev.at/mailman/listinfo/littlesnitch-talk
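The arrangement Arno sketches above (a root-only tool rewrites a root-owned rule file and a hash, then sends the daemon a bare "reload from the rule list" signal that carries no data) is worth seeing as code, because the whole design rests on the daemon trusting nothing but the file's ownership and mode. The block below is an added example written for this page; it is not LittleSnitch code and is not from anyone in the thread. The rule syntax, the `.sha256` sidecar, the function names and the directory layout are all assumptions. The daemon-side check is the general one for any configuration file loaded on a reload signal: open without following symlinks, validate the opened descriptor with fstat (not a separate stat on the path), and refuse the file unless it is a regular file owned by the expected uid and writable by nobody else. The demo runs unprivileged by substituting the caller's uid for root.

```python
"""Added example (not LittleSnitch code): the daemon-side trust check for a
rule file that a root-only CLI tool rewrites before it tells the daemon
"reload from the rule file".  The rule syntax, the file names, the
'.sha256' sidecar and the function names are all assumptions."""
import hashlib
import os
import stat
import tempfile


class UntrustedRuleFile(Exception):
    """Raised when the rule file is not safe to act on."""


def read_trusted_file(path, expected_uid=0):
    """Read a file only if it is a regular file owned by expected_uid and
    writable by nobody else.  The checks run on the opened descriptor
    (fstat, not stat) so the inode validated is the inode read, and
    O_NOFOLLOW refuses a symlink planted at the path."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedRuleFile(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise UntrustedRuleFile(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedRuleFile(f"{path}: writable by group or others")
        f = os.fdopen(fd, "rb")
    except BaseException:
        os.close(fd)
        raise
    with f:  # fdopen now owns fd and closes it here
        return f.read()


def write_rules(path, rules):
    """CLI side (would itself run as root in the real design): create the
    file 0600, write the rules, then record their SHA-256 in a sidecar."""
    text = "".join(f"{action} {process} {destination}\n"
                   for action, process, destination in rules).encode()
    digest = hashlib.sha256(text).hexdigest().encode() + b"\n"
    for name, data in ((path, text), (path + ".sha256", digest)):
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            os.fchmod(fd, 0o600)  # mode in os.open only applies on creation
            f.write(data)


def load_rules(path, expected_uid=0):
    """Daemon side: called when the CLI signals 'reload'.  The signal carries
    no rule data; the file is the only input, so it is validated before a
    single rule is parsed."""
    raw = read_trusted_file(path, expected_uid)
    fields = read_trusted_file(path + ".sha256", expected_uid).decode().split()
    # The hash catches a file edited or half-written behind the tool's back.
    # It is not a security boundary: whoever can write the rule file can
    # write the sidecar too.  The ownership and mode checks are the boundary.
    if not fields or hashlib.sha256(raw).hexdigest() != fields[0]:
        raise UntrustedRuleFile(f"{path}: content does not match recorded hash")
    rules = []
    for lineno, line in enumerate(raw.decode().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise UntrustedRuleFile(f"{path}:{lineno}: malformed rule {line!r}")
        rules.append(tuple(parts))
    return rules


def _rejected(path, uid):
    try:
        load_rules(path, uid)
    except UntrustedRuleFile:
        return True
    return False


def demo():
    """Round trip in a temp dir, unprivileged: the current effective uid stands
    in for root so the checks can be exercised.  Returns (rules loaded,
    rejected after chmod 666, rejected after an edit behind the tool's back).
    The two rules are constructed sample input."""
    uid = os.geteuid()
    wanted = [("allow", "/Applications/Safari.app", "*:443"),
              ("deny", "/usr/bin/curl", "*:*")]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rules")
        write_rules(path, wanted)
        loaded = load_rules(path, uid)
        os.chmod(path, 0o666)            # the "any user can write it" state
        perm_rejected = _rejected(path, uid)
        os.chmod(path, 0o600)
        with open(path, "ab") as f:      # edited without going through the tool
            f.write(b"allow /tmp/evil *:*\n")
        edit_rejected = _rejected(path, uid)
    return loaded, perm_rejected, edit_rejected


if __name__ == "__main__":
    print(demo())
```

The one thing the reload signal must never do is carry rules or a path of its own; the moment it does, the IPC channel becomes the attack surface the vendor describes, and the file permissions stop being the only thing that matters. Note also that the GUI "allow command line" preference discussed in the thread would add nothing here unless it lived in the same root-owned file, for exactly the reason the vendor gives.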