On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:
Well after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the / Applications
area), but I need to run it as admin.

Maddening, isn't it? I maintain that this is a software issue, insofar as how the software is bolted into its operating environment. Many disagree with that point of view, which I can accept, but I believe that to pass this off to the "ops guys" is a bad practice that borders on negligence. Even for those who disagree with me, I still would argue that it's largely under the control of the developer to be able to bolt the code into a safe operating environment -- that promotes the principle of least privilege effectively.

One of my customers uses -- and hence, so do I -- VPN software and a software one-time token ("SoftToken") that requires the SoftToken.app software to have read/write access to its folder under /Applications on OS X. The presumption was that it would always be run as root. Well, I've gone out of my way to run my desktop OS X user without privs, which broke SoftToken (it would generate the same token EVERY time it was invoked). I still wouldn't accept running it as root, however, and was able to circumvent the problem by only giving my desktop user read/write to the one data file that SoftToken needed to write to. Still not as good as designing it properly in the first place, but it was an acceptable compromise for me to be able to do what I need to do. FWIW...


Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to