Authentication and Privileges

Under UNIX operating systems including Mac OS X, certain operations require special permission or privileges to prevent unauthorized users from disrupting or spying on other users. While well intentioned, these conventions are often inappropriate for a "personal" computer where a single user owns and administers the system. Among the operations that require such privileges are modifying an interface MTU or TCP/IP parameters.

IPNetTunerX takes the personal computer view that the user should normally be in control of their computer, so tries to minimize the disruption of asking the user to prove they are authorized to perform the requested operation.

To modify an interface MTU, IPNetTunerX includes a tiny server application named "ConfigMTU" that must run as suid root. When IPNetTunerX is first run after being copied to a new location, it checks to see if the ConfigMTU tool is present and set to suid root. The same process is repeated for "ConfigSysctl". If any of these tools are not authorized, IPNetTunerX asks you to authenticate so it can configure them to run as suid root. You might think of this as completing the installation process. From that point on, no further authentication is necessary to perform any of the restricted operations IPNetTunerX supports.

Normally allowing small programs to execute as root is not a problem unless the program seeks to compromise your system or is exploited by another program to carry out such an attack. The best defense against such exploits at this time is to only run software from reputable developers. IPNetTunerX takes advantage of Leopard Code signing to alert you of any unintended modifications to the software.

Security Administrators Note: The tools IPNetTunerX sets to be suid root are relatively safe because they do so little. Each tool performs one simple task like modifying an interface MTU or setting a sysctl parameter.


Previous | Next | Return to IPNetTunerX Help