Start

The First Launch of the Application

When you launch NFS Manager for the first time, it will automatically integrate into the security model of Mac OS X. This is necessary because the application can be used to perform critical operations in Mac OS X, for example to share and publish files of several users to the network. Only responsible system administrators which manage the computer's installation should be allowed to perform such actions.

For this reason NFS Manager contains a safeguard which communicates with the security features of Mac OS X. Under normal circumstances, NFS Manager is restricted to behave like a normal user program and does not have any extended privileges. For example it cannot use any system features which could affect more than the current user. However, certain maintenance functions require that NFS Manager is allowed to act for the whole computer and all users. In this case, the built-in safeguard of NFS Manager requests permission from Mac OS X to temporarily use a system feature which needs extended privileges. As response to this request, Mac OS X will completely “freeze” NFS Manager and open a password entry panel in which you'll have to enter a valid password for one of the system's administrators. If the password is correct, Mac OS X will allow NFS Manager to continue and to execute the requested action. If the password was wrong, NFS Manager will also continue, but will additionally receive the response that the permission was not granted and the current request is rejected. In that case, NFS Manager cannot perform the action currently selected. With this design it becomes impossible that an unauthorized person could misuse an application like NFS Manager.

This policy strictly complies with Apple's software guidelines for system utilities. Note that NFS Manager doesn't even “see” the administrator password when it is entered. All security-related interactions are directly handled and monitored by Mac OS X. So even in the unlikely case a computer virus would attack NFS Manager, trying to “eavesdrop” on your password entry in an attempt to store and steal the password, it would have no success, because only the specially protected core of Mac OS X actually receives and checks the entered password information.

The first password entry is requested by Mac OS X when you start NFS Manager for the first time. This allows the tool to form the aforementioned trust relationship and protection mechanisms. Other password requests will follow as soon as you start an operation which needs extended privileges.

Note: Mac OS X automatically ensures that the user doesn't need to enter the password too often. After a password has been entered, Mac OS X will “trust” all applications started by the same user for an interval of 5 minutes.

Restrictions on the location where the application is stored

The security policy outlined above puts some limitations on possible places where your copy of NFS Manager can be stored and can be launched from. Imagine the following scenario:

An attacker puts a copy of NFS Manager onto an external hard drive and uses his administrator password to integrate the tool into the security of his own Mac OS X installation. Then he connects the hard drive to the computer he likes to attack, with the plan to misuse some of the system functions accessible with NFS Manager. The other computer must not trust the program on the external drive because the tool has only been security-activated by an unknown administrator of an unknown Mac OS X system. The tool did not receive authorization from the adminstrator of the current system. If Mac OS X allowed to execute the tool without reauthentication on the current computer, this would be a big security hole.

For this reason, Mac OS X keeps track where NFS Manager -and all of its own utilities, like Activity Monitor for example- are launched from. Mac OS X does not allow that you run a system utility from one of the following locations:

• an external drive,
• a volume which does not fully support all Mac OS X permission features (e.g. a DOS-formatted disk, or a network file server),
• a volume for which the option Ignore ownership on this volume is set,
• a disk image,
• a home folder protected by FileVault.

You can run NFS Manager from the following volumes:

• The system volume of Mac OS X,
• another hard-drive volume which was online during startup of Mac OS X and for which the option Ignore ownership on this volume is not set.

The recommended location where to put NFS Manager is of course the Applications folder of your system disk, or a subfolder of the Applications folder.

Note: If you copy NFS Manager to another disk volume or into a folder with different ownership, the Finder will display a warning that you are about to copy an application with special permissions. The copy will have to be reauthenticated by a system administrator.

All those security features are exclusively controlled by Mac OS X. They have nothing to do with the registration or licensing of the software, but they are needed to avoid security holes in the operating system.