-
Notifications
You must be signed in to change notification settings - Fork 287
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(macOS): Tauri V2 Update Permission Denied Error #2067
base: v2
Are you sure you want to change the base?
Conversation
@tweidinger In response to your previous comment on the V1 version of this. I understand the concerns about TOCTU attacks, but I believe the current implementation has several security mitigations that make it reasonably safe:
The current approach solves real-world issues with updates on macOS while maintaining a reasonable security posture. The attack surface requires an attacker to already have user-level access and the ability to time their attack precisely during the update process. |
Hey @jLynx thanks for the v2 port and your comprehensive summary ❤️ While I disagree with that the "Limited Attack Window" (as this is a completely normal TOCTU scenario where timing is part of the attack) and the "Existing Validations" in any way fully prevent the elevation attack from a non privileged process running as the same user with the proposed changes, I see the real world use case and agree that there are more than enough easier ways to get privilege escalation from an unprivileged process. I am going to add documentation to the threat model of the updater in a subsequent PR to explain the TOCTU risk and scenarios a bit more and see this as motivation to re-design the updater plugin where validation is possible at download, extraction, move and rollback without breaking non-admin/admin installs and the installer binaries. Otherwise as discussed with @lucasfernog I would approve this PR from a security perspective and after he tests it locally and also approves the code changes we would merge this. Would require a change file as well to be able to be merged as this changes behavior on MacOS (in a non breaking way). |
Package Changes Through 2fb4f54No changes. Add a change file through the GitHub UI by following this link. Read about change files or the docs at github.com/jbolda/covector |
Description
Improves the macOS app update process by adding proper handling for permission-denied scenarios and implementing a more robust extraction mechanism.
This is the Tauri V2 version of my previous PR tauri-apps/tauri#10427
Changes
Why
The current implementation could fail on macOS when the app lacks sufficient permissions to modify its own directory, which is common in certain installation locations. This update provides a more reliable solution by:
Testing