Secure Coding mailing list archives
how far we still need to go
From: ken at krvw.com (Kenneth Van Wyk)
Date: Wed, 25 Jul 2007 15:18:09 -0400
On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:
Well after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the / Applications area), but I need to run it as admin.
Maddening, isn't it? I maintain that this is a software issue, insofar as how the software is bolted into its operating environment. Many disagree with that point of view, which I can accept, but I believe that to pass this off to the "ops guys" is a bad practice that borders on negligence. Even for those who disagree with me, I still would argue that it's largely under the control of the developer to be able to bolt the code into a safe operating environment -- that promotes the principle of least privilege effectively. One of my customers uses -- and hence, so do I -- VPN software and a software one-time token ("SoftToken") that requires the SoftToken.app software to have read/write access to its folder under /Applications on OS X. The presumption was that it would always be run as root. Well, I've gone out of my way to run my desktop OS X user without privs, which broke SoftToken (it would generate the same token EVERY time it was invoked). I still wouldn't accept running it as root, however, and was able to circumvent the problem by only giving my desktop user read/write to the one data file that SoftToken needed to write to. Still not as good as designing it properly in the first place, but it was an acceptable compromise for me to be able to do what I need to do. FWIW... Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2454 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20070725/5cfeec8a/attachment.bin
Current thread:
- how far we still need to go William L. Anderson (Jul 25)
- how far we still need to go Steven M. Christey (Jul 25)
- how far we still need to go Kenneth Van Wyk (Jul 25)
- how far we still need to go Blue Boar (Jul 25)
- how far we still need to go William L. Anderson (Jul 25)
- how far we still need to go Dinis Cruz (Jul 25)
- how far we still need to go ljknews (Jul 25)
- how far we still need to go McGovern, James F (HTSC, IT) (Aug 28)
- how far we still need to go ljknews (Jul 25)