-
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(macOS): Tauri Update Permission Denied Error #10427
base: 1.x
Are you sure you want to change the base?
Conversation
Package Changes Through 691baceThere are 9 changes which include tauri with patch, tauri-codegen with patch, tauri-cli with patch, @tauri-apps/cli with patch, tauri-bundler with patch, tauri-utils with patch, tauri-build with patch, tauri-runtime with patch, tauri-runtime-wry with patch Planned Package VersionsThe following package releases are the planned based on the context of changes in this pull request.
Add another change file through the GitHub UI by following this link. Read about change files or the docs at github.com/jbolda/covector |
Hey team! |
Timelines and review times are very much flexible and depend on people/code owners/working group members available. The initial review showed some potential issues with TOCTU (Time of Check Time of Use) attacks (old reference) and I am still not sure if we are fine to accept the potential risk in this specific case. Currently we do a signature validation in memory and not write to disk to prevent such TOCTU attacks, which has its issues and one of them caused this PR. With writing to the temp folder we open up to other processes of the system and just replacing the files in temp folder would allow another unprivileged application to gain admin rights in the worst case. The solution here does use a library which limits the umask to the current user by default, so no direct risk from other users but only other processes from the same user. The elevation is only used for moving files, so no risk of direct execution. The only direct risk would be other processes are able to manipulate the Tauri app or replace it with their own binary. This can have impact depending on how your system or organization is set up and how much untrusted binaries are running on your system 😀. I'll discuss once more with @chippers and maybe @lucasfernog on what we think about this and if there are changes needed but can't give you a specific timeline. |
I appreciate the feedback & update @tweidinger |
copy_files_and_run
function for macOS to handle permission issues more gracefully.osascript
to execute shell commands with elevated privileges.is_permission_error
to identify permission-related errors.Credit to @0rvar as this code is from them