Alright, can someone explain taskgated, security, etc?

So I understand the basic concept here: While Unix/POSIX identifies a process by its process ID, Mach uses a message port called the task port. In the past, if you had the same user ID as another process, you could get the Mach port for that process via task_for_pid.
Alright so far. Now, in 10.4, this was changed -- process monitoring software (only) could access this. And in 10.5, this was changed again: taskgated was created to determine who/what could access things. And, if I understand the manual page for taskgated, a given piece of software needs both "safe" and "allowed" access rights, and must be signed. Checking the default access plist, I see that the Tiger (10.4) convention is kept, and that "safe" programs do not have to pass access checks but must be both "safe" and "allowed".

Am I on the right track so far? Ok, then here are the questions that I cannot figure out:

1. How do you mark software as safe?
2. How do you mark software as allowed?
3. How do you sign software?
4. Looking over "security", and the associated man pages at certtool and systemkeychain, well, I'm more confused than anything. Between "security" and "certtool", which is used for what? Is systemkeychain only used for letting one keychain unlock others? What is the typical use of that?
5. Are the keys used by these programs the same as PGP/GPG keys?
6. "security" lets me specify internet passwords. And it lets me specify a protocol (such as "ftp " or "http"). How do I specify "https"? That's 5 letters.

And the biggies:

7. What is the security hole that caused the change in access policies, that results in the need for taskgated in the first place? What are the ramifications of letting another program access these? Why should I not want one of my programs to get the Mach port of another program?
8. Is this why cron complains every time it tries to run something?

Aug 7 11:35:00 Kleiman-ibook com.apple.launchd[1] (0x10d1c0.cron[3824]): Could not setup Mach task special port 9: (os/kern) no access

Michael
---
PGP/GPG accepted; key 25D85CE0
Political and economic blog of a strict constitutionalist
http://StrictConstitution.BlogSpot.com
_______________________________________________
MacOSX-admin mailing list
[email protected]
http://www.omnigroup.com/mailman/listinfo/macosx-admin
