Re: Launchd scripts with root access

  • Subject: Re: Launchd scripts with root access
  • From: David Buxton <email@hidden>
  • Date: Wed, 27 Jun 2012 18:20:01 +0100

On 27 Jun 2012, at 17:45, Chris Waldrip wrote:

> On Jun 27, 2012, at 10:28 AM, Harald Wagener wrote:
>
>> LaunchAgents run in user context. Move your launchd job to
>> /Library/LaunchDaemons to get it run as root.
>
>
> I'd read and understood that /System/Library/Launch* allowed for processes to be run as root, regardless of the user context (hence why OS level processes are started from there), where /Library/Launch* would run based on the user context. But I tested your suggestion, and got my normal errors...

No. LaunchAgents run with user permissions. LaunchDaemons run with root permissions. That's why Harald said to move it to /Library/LaunchDaemons.

/System/Library/LaunchDaemons is intended for daemons provided by Apple. Third-party launch daemons (like yours) should go in /Library/LaunchDaemons.

http://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/DesigningDaemons.html#//apple_ref/doc/uid/10000172i-SW4-SW9

> The portion of the script that is the upgrade function at the moment...
>
> #Check spupload version number, and download and install the latest update if it's newer
>     remoteVersion=$(curl -s http://my.server.com/profiles/version.html)
>     if [ "$spuploadVersion" -lt "$remoteVersion" ]
>     then
>         cd /tmp/
>         curl -C - -O http://my.server.com/profiles/latest.zip
>         unzip -d latest latest.zip
>         mv -f latest/com.spupload.plist /System/Library/LaunchAgents/
>         chmod 644 /System/Library/LaunchAgents/com.cnn.spupload.plist
>         mv -f latest/spupload.sh /usr/local/sbin/
>         launchctl load /System/Library/LaunchAgents/com.cnn.spupload.plist
>         rm -rf latest*
>         exit
>     fi

You are opening the system to attack by not using SSL to verify the authenticity of the updates server. Anyone on the network can intercept your request to my.server.com and send it to their own server which then gives your launch daemon a malicious payload to install as root.

David B.

