Secure Coding mailing list archives

how far we still need to go


From: ken at krvw.com (Kenneth Van Wyk)
Date: Wed, 25 Jul 2007 15:18:09 -0400


On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:
> Well after a few attempts to install it on a Mac OS X system I finally dope out
> that it only seems to install and run as admin. That is, I not only need to
> install it as admin (that's OK, ordinary users can't write to the /Applications
> area), but I need to run it as admin.

Maddening, isn't it?  I maintain that this is a software issue,  
insofar as how the software is bolted into its operating  
environment.  Many disagree with that point of view, which I can  
accept, but I believe that to pass this off to the "ops guys" is a  
bad practice that borders on negligence.  Even for those who disagree  
with me, I still would argue that it's largely under the control of  
the developer to be able to bolt the code into a safe operating  
environment -- that promotes the principle of least privilege  
effectively.

One of my customers uses -- and hence, so do I -- VPN software and a  
software one-time token ("SoftToken") that requires the SoftToken.app  
software to have read/write access to its folder under /Applications  
on OS X.  The presumption was that it would always be run as root.   
Well, I've gone out of my way to run my desktop OS X user without  
privs, which broke SoftToken (it would generate the same token EVERY  
time it was invoked).  I still wouldn't accept running it as root,  
however, and was able to circumvent the problem by only giving my  
desktop user read/write to the one data file that SoftToken needed to  
write to.  Still not as good as designing it properly in the first  
place, but it was an acceptable compromise for me to be able to do  
what I need to do.  FWIW...

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
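
Added example, not part of the original message and not SoftToken's code: the post does not say why the token repeated, so this assumes a counter-based token (RFC 4226 HOTP) whose counter file an unprivileged user cannot update. The function names and the state file path are hypothetical; the first variant swallows the write failure and repeats its token, the second refuses to issue one.

```python
import hashlib, hmac, os, struct, tempfile

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def read_counter(path: str) -> int:
    """Return the saved counter, or 0 when no state has been written yet."""
    try:
        with open(path) as f:
            return int(f.read().strip() or 0)
    except FileNotFoundError:
        return 0

def next_token_fragile(secret: bytes, path: str) -> str:
    """Assumed defect: the write error is swallowed, so the counter never advances."""
    counter = read_counter(path)
    try:
        with open(path, "w") as f:
            f.write(str(counter + 1))
    except OSError:
        pass  # state silently not saved; the next call reuses the same counter
    return hotp(secret, counter)

def next_token_strict(secret: bytes, path: str) -> str:
    """Persist the new counter atomically first; any failure aborts generation."""
    counter = read_counter(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(str(counter + 1))
    os.replace(tmp, path)  # raises OSError if the location is not writable
    return hotp(secret, counter)

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (RFC 4226 test key)
    state = os.path.join(tempfile.mkdtemp(), "no-such-dir", "counter")  # unwritable path
    print(next_token_fragile(secret, state), next_token_fragile(secret, state))
    try:
        next_token_strict(secret, state)
    except OSError as exc:
        print("strict variant refused to issue a token:", exc)
```

Pointing the strict variant at a per-user writable location, rather than the install folder, lets it run without admin rights.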



