Gatekeeper Frequently Asked Questions (FAQ) List

18-Aug-93

Chris Johnson




Q: I'm upgrading to a new version of Gatekeeper, and I've tried to throw 
   away my old Gatekeeper Prefs file so that Gatekeeper will create a new 
   one with all latest privileges in it. Unfortunately, it's not working;
   the Finder says it can't empty the Trash because the Prefs file is in
   use. What's going wrong?
   
A: Nothing, really. The Gatekeeper Prefs file is still being used by the 
   old version of Gatekeeper currently operating inside your Mac. This 
   needn't be a problem, however. Just the put that old prefs file in the 
   Trash and leave it there. Don't bother trying to empty the Trash. Now 
   proceed with the installation of the new Gatekeeper and restart the
   Mac when you're finished. Once the Mac has been restarted you'll have
   no trouble emptying the Trash.



Q: Some program whose name begins with a period (.) is performing 
   operations which Gatekeeper keeps vetoing. I searched my hard disk for 
   a file with that name, but couldn't find one. What gives?
   
A: Names beginning with a period, like ".ipp", are names of *drivers*, 
   rather than files. Since drivers typically live *inside* files (like 
   the System file), you won't find a file on your disk with its name. 
   Nonetheless, drivers can be granted privileges, so the problem of those
   vetoes can be solved. It'll be easiest to grant those privileges from 
   the Log File display in the Gatekeeper Controls control panel. See the
   "Gatekeeper Introduction" document for details on how to grant 
   privileges from the Log File display.



Q: Can Gatekeeper and Disinfectant be used together? If so, does that
   include the Disinfectant INIT, too?

A: Yes and yes. Sure, using both Gatekeeper *and* Disinfectant INIT
   is redundant in a number of respects, but if the products get along 
   together (and they do) what's wrong with redundant protection?
   Personally, I recommend it.



Q: Will Gatekeeper work on the much anticipated Power PC machines?

A: It should. Gatekeeper 1.2.7 has been tested on a Power PC machine 
   without incident. Unless Gatekeeper or the Power PC machines have 
   changed adversely since that test was performed, there's every 
   reason to believe they'll work together just fine.



Q: When a privilege violation occurs, I'd really like Gatekeeper to
   bring up an alert asking me whether or not the offending operation 
   should be vetoed. Sort of a "Notify & Ask" mode, if you see what I 
   mean. I can't be the only person to have suggested this; how come
   there's no such feature?
   
A: There's two reasons. The first is that I think such a mode is only
   useful and safe for the most sophisticated of users. In such a mode,
   the anti-virus protection you receive is only as good as the answers
   you provide to the anti-virus system's questions. If you happen to 
   give bad answers, bad things happen. Gatekeeper was designed around
   that idea that people shouldn't have to know anything about viruses
   in order to be protected from them; the anti-virus system should 
   have a built-in database that already knows the answers. That's what
   Gatekeeper's privilege list is all about. Sure, it's not perfect,
   but it works really well even so.
   
   Nonetheless, I readily concede that a Notify & Ask mode would have
   its uses, and I'd have implemented it (and more) by now if it weren't 
   for two things: (a) Gatekeeper often operates at times when software 
   is not allowed to do *anything* that might cause memory to be moved 
   or purged, and (b) even the simplest of QuickDraw calls (like LineTo) 
   reserves the right to move or purge memory. So if Gatekeeper were 
   to attempt to draw even the most rudimentary of alerts at the wrong
   time a very ugly crash would occur.
   
   Obviously, SAM knows how to bring up alerts safely at apparently
   arbitrary times. Less obviously, the Mac OS does, too. Unfortun-
   ately, I don't think the nice folks at Symantec are gonna tell me 
   how they did it, :-) and the folks at Apple just don't seem to know 
   how the Mac OS pulls it off anymore. (OK, *someone* at Apple *must* 
   know....)
   
   Anyway, I have my own ideas about safe ways to bring up alerts, etc.
   at arbitrary times, but there's still a terrific amount of code to
   be written, so everyone will have to continue to be patient (unless
   someone out there knows the real trick to this).
   
   
   
Q: I keep seeing messages from Gatekeeper saying that "System" is
   violating the Res(Other) privilege while making a "RsrcMapEntry"
   call. What gives?
   
A: You're probably using either AutoDoubler, or some product which uses 
   its internal compressor. See the question regarding Nisus elsewhere 
   in this FAQ for details. If you're *sure* AutoDoubler isn't involved 
   in any way, send me a problem report.



Q: Whenever I run Nisus I see messages from Gatekeeper saying that the
   program "System" is violating the Res(Other) privilege while making a
   call apparently called "RsrcMapEntry". What's going on here?
   
A: Recent versions of Nisus appear to use the AutoDoubler Internal 
   Compressor (AIC). As such, there's not much I can do to offer a good 
   solution to the problem. One less-than-wonderful solution is to grant
   the Res(Other) privilege to the System. While this will eliminate the 
   annoying alerts from Gatekeeper, it will also open-up a security hole 
   which just might be a problem someday.
   
   Of course, I could discontinue protection of the RsrcMapEntry call
   altogether (it's already been watered-down over time for reasons like 
   this), but that would open-up an even bigger security hole.
   
   The Macintosh developer community needs to come to grips with the 
   fact that an anything-goes, I-should-be-able-to-do-whatever-I-want 
   approach to software design precludes useful attempts to provide
   security to the platform. And without some form of security, the
   viruses run amok, and we all lose out.



Q: Does Gatekeeper work with AutoDoubler?

A: This question is backwards, for two reasons. (1) Gatekeeper predates 
   AutoDoubler (a minor point, but worth remembering), and (2) Gatekeeper 
   provides a truly *fundamental* service to the Macintosh community as a 
   *whole*; AutoDoubler which provides neither a fundamental service, nor 
   a service which benefits the whole Macintosh community, isn't even in 
   the same league as Gatekeeper. The question should really be: "Does 
   AutoDoubler work with Gatekeeper?"



Q: Does AutoDoubler work with Gatekeeper?

A: No. Not consistently. This goes for software which relies on the 
   AutoDoubler Internal Compressor (AIC) as well. If you choose to use
   Gatekeeper and any 'Doubler product together - and some people do so
   with surprising success - I don't want to hear about any problems.



Q: Does AutoDoubler work with other anti-virus products of the suspicious-
   activity-monitor variety?
   
A: Yes. Originally, AutoDoubler conflicted with some (possibly all) of 
   them, but the anti-virus products were modified to work around Auto-
   Doubler. Unfortunately, all those anti-virus products are commercial, 
   so if you're considering buying AutoDoubler, be sure to factor in the 
   cost of buying a new anti-virus system to go along with it.



Q: Do any of the on-the-fly disk/file compression utilities work with 
   Gatekeeper?

A: Some appear to, including the StuffIt SpaceSaver product. Personally,
   though, I don't recommend using *any* on-the-fly compression product,
   no matter how competent and conscientious its developer may be. The 
   best solution for a small hard disk is a big one, not a complex piece 
   of software standing between you and your data, consuming CPU cycles,
   and adding even more failure modes to machines far too prone to 
   failure in the first place.



Q: I called the AutoDoubler folks to ask about the conflict with Gate-
   keeper. They said they're in touch with the publishers of Gatekeeper,
   that it's Gatekeeper's fault, and that the Gatekeeper developers are 
   working to fix the problem. Is this true?

A: No, not a word of it. I'm the "publisher". I'm the developer. I'm the 
   whole show. If I'd heard from the AutoDoubler folks in the last year
   (or two) I'm sure I'd know about it. If I'd come to the conclusion 
   that it was all my fault, I expect I'd be aware of that, too. If I 
   was working to fix the problem, I'm sure I'd have noticed that....



Q: Why does half this FAQ seem to be concerned with AutoDoubler?

A: Because it seems like half the Gatekeeper email I get is concerned 
   with AutoDoubler, and I don't ever want to see a message mentioning 
   it again. I know, I know... fat chance of that happening, but I can 
   hope....  :-)