

Edit /etc/hosts without becoming root on os/x - jaroel
http://niggazpullintriggaz.blogspot.com/2011/11/how-i-managed-to-edit-etchosts-without.html

======
idspispopd
Although expected, I think his experience is a good example of the short
comings of the app store. (Whereby many useful apps require root/admin access,
something which is not allowable on the app store, e.g. imagine apps
surreptitiously adding extra entries to the hosts file along side your
legitimate entries.)

It can also be argued here that an app should never have access to your hosts
file, as this trivialises man in the middle attacks.

With the scare mongering aside, overall the prefpane is really useful and well
written and I recommend it for anyone who does frequent changes/additions to
the hosts file. (It lets you just click on/off hosts and is updated
automatically, apple really need something like this in their own system
tools.)

------
teilo
How does this author things that anyone should take him seriously with a blog
named like that? Horrible.

------
lloeki
1\. only root can write to /etc/hosts (it's root-owned, 644, with no ACLs)

2\. authopen(1) grants privileges for a particular action

If gaining a right you did not have before is not privilege escalation, I
don't know what "privilege escalation" could possibly mean. So using
authopen(1) to write to /etc/hosts qualifies as "escalation to root
privileges".

The rule states:

 _> 2.27 Apps that request escalation to root privileges [...] will be
rejected_

Therefore the app is non-conformant.

Besides, the author is extrapolating intent behind the rule to risks taken by
an application takeover:

 _> "As they stated, it does not matter that none of the code I wrote ever
runs as root, thereby neutralizing any security risk"_

An example from the top of my head: adding an entry for say, google.com and
MITM'ing stuff.

