
Leopard's Quick Look and Sandboxing, But Wait!, a Small Bug, Beta LoginWindow MultiScript

Folks,

Application Sandboxing

One of the things that I can now talk about (and I'm very excited about it!) is application sandboxing.

How many of you remember the Nimda worm from 2001? This was a rather nasty worm that spread via (among other vectors) Outlook e-mail clients on Windows. The victim didn't even have to double-click on an attachment; all the victim had to do was *look* at the e-mail in Outlook, and the attachment (an executable file disguised as a WAV) would be run automatically.

Quick Look on Leopard would appear to have the potential for a similar vulnerability, especially since any application developer can provide a Quick Look plug-in to preview the contents of a file. Even assuming the best of intentions (which we can't, since malware writers will gleefully take advantage of any hole they find), some overworked, underpaid programmer somewhere is going to make a mistake and leave an opening where a malformed document of some type can be used to trigger the vulnerability and allow the execution of arbitrary code. If that happens, a worm could spread by sending out a file that would be looked at using Quick Look in the Finder (which is used for document previews in column view and Cover Flow as well as for larger previews). The mere act of opening the folder that contains the file could cause the worm to spread.

Well, I'm sure this occurred to the engineers at Apple, and they came up with a way of preventing Quick Look from becoming a hazard. The Quick Look server daemon (quicklookd) runs in a sandbox that prevents it from making outbound network connections (other than to unix-domain sockets), from accepting inbound network connections, and from running any kind of debug-mode tools. This is controlled by a configuration file in /usr/share/sandbox. There are a number of additional files in that directory containing the sandbox configurations for a dozen other processes; it's pretty interesting to look into them and see what kinds of protections are considered important. I'm not sure that this is sufficient to make quicklookd truly safe, or whether the restrictions can or should be tightened further. I'll be experimenting with this in the near future.
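To see whether a sandbox actually bites rather than reading the profile and trusting it, here is an added example (my own script, not Apple's profile and not code from this newsletter): it writes a profile modelled on the restrictions just described and runs an arbitrary command under it with sandbox-exec(1). The profile syntax is the Leopard-era one as I understand it, the reading of `(debug deny)` as "log denied operations" is an assumption, and the real /usr/share/sandbox/quicklookd.sb is the reference, not this file.

```sh
#!/bin/sh
# Added example, not code from the page or from Apple: build a profile in the
# style the text describes for quicklookd and run a command under it with
# sandbox-exec(1), so the restriction can be checked rather than assumed.
# Assumptions: Leopard-era sandbox-exec and profile syntax; the real
# /usr/share/sandbox/quicklookd.sb is the reference and may differ from this.

# Emit a profile with the restrictions the newsletter lists for quicklookd.
quicklook_style_profile() {
    cat <<'EOF'
(version 1)
(debug deny)                                ; assumed: log every denied operation
(allow default)                             ; everything not named below is allowed
(deny network-outbound)                     ; no outbound connections ...
(allow network-outbound (to unix-socket))   ; ... except to local unix-domain sockets
(deny network-inbound)                      ; no accepting connections
EOF
}

# Run a command inside that profile.  Returns the command's exit status, or
# 127 when sandbox-exec is not available (i.e. not on Leopard or later).
run_sandboxed() {
    command -v sandbox-exec >/dev/null 2>&1 || return 127
    profile=$(mktemp -t qlprofile) || return 1
    quicklook_style_profile >"$profile"
    if sandbox-exec -f "$profile" "$@"; then rc=0; else rc=$?; fi
    rm -f "$profile"
    return "$rc"
}

# Check that the profile really blocks an outbound TCP connection.
# Returns 0 when the sandboxed curl fails but the same curl outside the
# sandbox succeeds; 1 when the sandbox did not bite; 2 when sandbox-exec is
# missing or cannot even run /usr/bin/true (inconclusive); otherwise curl's
# own status, meaning the network itself is the problem.
outbound_is_denied() {
    url="${1:-http://example.com/}"
    if run_sandboxed /usr/bin/curl -s -o /dev/null --max-time 5 "$url"; then
        return 1
    fi
    run_sandboxed /usr/bin/true || return 2
    /usr/bin/curl -s -o /dev/null --max-time 5 "$url"
}

# Inspect Apple's own profiles first, then exercise ours (Leopard only):
#   ls /usr/share/sandbox/ && cat /usr/share/sandbox/quicklookd.sb
#   outbound_is_denied && echo "outbound network denied inside the sandbox"
```

A return of 0 from outbound_is_denied means the connection was refused inside the sandbox and allowed outside it; if `(debug deny)` works as assumed, the denial should also be visible in the system log. The same harness, fed a copy of the real quicklookd.sb instead of the generated profile, is how I'd check any tightening of the restrictions before trusting it.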

BUT WAIT!!!!!

I'm sure this is not a problem for anyone on this list, but don't move over to Leopard just yet! I am still setting up testbeds to see what happens under different combinations of circumstances. I'm sure you are as well. Some of the situations that I'm looking at are:

  1. How do network home directories work when using both Tiger and Leopard clients to access the same account? Do Leopard clients make changes to the directory structure or preferences files that cause problems for Tiger clients? Do Tiger clients corrupt or lose preferences that Leopard clients set?
  2. How do portable homes based on a Tiger server interact with a Leopard client?
  3. Do some of the file formats change? For example, once you moved forward to Mail.app on Tiger, it was no longer possible to use Mail.app on Panther to access the same accounts. I have particular concerns about iCal in this respect.

One particular concern is administering 10.4 servers. Apple has announced that you can administer servers with the Leopard tools if they have been upgraded to 10.4.11. Even then, I may need to hold on to the 10.4 Server Admin tools for some clients. I have a report from another Apple consultant that if you use Pacifist, you can extract the applications themselves (not the parts in /System/Library) and administer Tiger servers.

Another important reason to wait is that developers have not had a chance to test their packages against the GM version of Leopard; we didn't get it until last Friday, just like the rest of the public. I have my own remarks about that, but they're not reproducible here as they are quite unprofessional. Although the initial fixes may only take a short time, testing, debugging, and documentation will take a lot longer even for a small application. I'd say it will take until early December before we get a critical mass of applications straightened out on Leopard. (FYI, Baby Banger, downloaded from my website as a four-year-old PPC-only build, still works perfectly! :-)

A Small Bug

If you want to look at file system ACLs from the command line, don't include a trailing slash on a directory name. For some reason, the /bin/ls tool has a bug where if you execute the command

ls -lae /Path/to/directory/

it does not print out the ACLs associated with each file or folder. Using

ls -lae /Path/to/directory

(without the trailing slash) gives the expected result.
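Since shell completion habitually appends the slash, the practical fix is to never let it reach ls. Here is an added example (my wrapper, not something from the page): it strips any number of trailing slashes before calling `ls -lae`, while leaving the root directory "/" untouched, which a naive `${1%/}` would turn into an empty string. It assumes the BSD ls on Mac OS X, where -e prints the ACL.

```sh
#!/bin/sh
# Added example (not from the page): a wrapper around `ls -lae` that strips the
# trailing slash the text warns about, so the ACLs are printed regardless of
# how the path was typed.  Assumes BSD ls with -e (Mac OS X 10.4 and later).

# Remove any number of trailing slashes, but leave the root directory alone:
# "/Users/paul//" -> "/Users/paul", "/" -> "/".
strip_trailing_slashes() {
    p="$1"
    while [ "${#p}" -gt 1 ] && [ "${p%/}" != "$p" ]; do
        p="${p%/}"
    done
    printf '%s\n' "$p"
}

# List each argument in long format (-l), with dotfiles (-a) and ACLs (-e),
# after normalising the path so the ls bug is not triggered.
lsacl() {
    for arg in "$@"; do
        ls -lae "$(strip_trailing_slashes "$arg")"
    done
}

# Usage:  lsacl /Path/to/directory/   (slash or no slash, same output)
```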

LoginWindow MultiScript Manager

I am releasing a neat little script engine and AppleScript Studio application that lets you run and manage multiple LoginHook and LogoutHook scripts. I'm calling it a 0.9b beta release — it's a bit rough around the edges, but it works and it doesn't have any known bugs. Get it from <http://ps-enable.com/software/LoginHookMultiScriptManager0.9b.dmg/view>.
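For anyone who would rather see the mechanism than install a beta, here is an added example of the same idea in plain sh (my code, not the MultiScript Manager's): a single dispatcher registered as the LoginHook that runs every script in a hook directory, in name order, each in its own process so that one failing hook does not stop the others. The directory and log paths are assumptions. Because loginwindow runs the hook as root with the short user name in $1, the dispatcher refuses any directory or script that is not root-owned or that group or world can write to; without that check a hook directory is a root escalation for whoever can drop a file in it.

```sh
#!/bin/sh
# Added example, not the LoginWindow MultiScript Manager's own code: a single
# LoginHook that dispatches to every script in a hook directory, in name order,
# so several hooks can coexist although loginwindow only knows about one.
# Assumed paths (hypothetical): /Library/LoginHooks.d for the hooks and
# /var/log/loginhooks.log for the log.  Install as root with
#   defaults write com.apple.loginwindow LoginHook /Library/LoginHooks/dispatch.sh
# loginwindow then runs dispatch.sh as root with the short user name in $1.

HOOK_DIR="${HOOK_DIR:-/Library/LoginHooks.d}"
LOG="${LOG:-/var/log/loginhooks.log}"
HOOK_OWNER="${HOOK_OWNER:-root}"      # who must own the directory and every hook

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG"; }

# Hooks run as root, so a hook (or its directory) that another user can modify
# is a root escalation.  Require ownership by $HOOK_OWNER and no group/world
# write bit; ls -l is used because stat(1) flags differ between BSD and GNU.
safe_perms() {
    info=$(ls -ld "$1" 2>/dev/null) || return 1
    mode=${info%% *}
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$owner" = "$HOOK_OWNER" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;    # 'w' in the group or other triple
    esac
    return 0
}

# Run every *.sh in the directory for the given user.  Each hook runs in its
# own process, so one that crashes does not stop the rest.
# Returns 0 if every hook ran and succeeded, 1 if any was skipped or failed,
# 2 if the directory itself is unsafe (nothing is run in that case).
run_hooks() {
    user="$1"
    dir="${2:-$HOOK_DIR}"
    if ! safe_perms "$dir"; then
        log "refusing to run hooks: $dir must be owned by $HOOK_OWNER and not group/world writable"
        return 2
    fi
    failures=0
    for hook in "$dir"/*.sh; do
        [ -e "$hook" ] || continue                  # directory is empty
        if ! safe_perms "$hook" || [ ! -x "$hook" ]; then
            log "skipping $hook: wrong owner, writable by others, or not executable"
            failures=$((failures + 1))
            continue
        fi
        log "running $hook for $user"
        "$hook" "$user" >>"$LOG" 2>&1 && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            log "ok: $hook"
        else
            log "failed ($rc): $hook"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# When invoked by loginwindow the script is named dispatch.sh and $1 is the
# user; when sourced for testing, only the functions above are defined.
case "$0" in
    dispatch.sh|*/dispatch.sh) run_hooks "$1" "$HOOK_DIR" ;;
esac
```

LogoutHook works the same way (root, user name in $1), so a copy of the script with HOOK_DIR pointed at a second directory covers logout as well. Name the hooks with a numeric prefix (10-mount.sh, 20-printers.sh) to fix the order, and keep the log readable only by root, since hook output can contain paths and user names.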


--Paul
