site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com On Jan 3, 2006, at 2:09 PM, Brian Bergstrand wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Jan 3, 2006, at 3:47 PM, Mike Smith wrote: On Jan 3, 2006, at 12:40 PM, Brian Bergstrand wrote: On Jan 3, 2006, at 8:31 AM, matt jaffa wrote: = Mike -- Terry _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... I have a NKE project that needs a user space daemon to be running to get information back from the user. I have this working and everything, and have a daemon launched for each individual user that runs the program. I have my user space daemon with these privileges, 4755, which means the setuid bit is set for my daemon executable so that it can elevate itself to perform a process id lookup. My question is what does Apple/Security feel about my application having the setuid bit set? I'm a little confused about "perform a process id lookup" though. What are you trying to do, and what specific interface (s) are you using that require privilege? I think he means that KERN_PROCARGS returns an error when you try to get info about processes running with a different uid than the calling application (unless you are root). In my case I only care about the full exec path and not the program args. You should not depend on any path information associated with a running process. However, KERN_PROC_PID can be used to get the process struct of any process from a non-root app and the kp_proc.p_comm member will give you a limited name (16 bytes and not the full path). The full path is very useful for use as an arg to LSCopyDisplayNameForURL (), but pcomm suffices as a fall back. Is there some other way for a non-root process to get the full exec path of any other process (including root owned)? No. In addition, there is no guarantee that the path is correct, that the file that is present at that path is the one being executed, that the path is acccessible or even valid for your context, or that there even was a path to begin with. Any information you get from p_comm or the KERN_PROCARGS sysctl is purely informative, and you should not depend on it in any fashion whatsoever. If you need a guaranteed association between running processes and filesystem identities you need to look at a higher level, and accept that there are processes and tasks which will fall outside the scope of the information available at that level. I know and accept all of that - for my app, the information is purely informative to the user. There are no permanent associations/ assumptions made about the path. It's that pcomm can contain a truncated name and the user (not my app) may not be able to associate the truncated name with an actual application. Most of the time, pcomm suffices so it's not a big problem. Brian Bergstrand When a process is started after a vfork or fork plus an execve, the kauth subsystem gets a callback for KAUTH_FILEOP_EXEC with the vp to kauth_scope_fileop listeners. There is a small performance penalty on a number of paths for having any listeners in this scope (this is documented in the source code for kern_authorization.c, which I suggest you understand if you are going to attempt to use this to solve your problem). This would let you associate the path (obtained via the KPI vn_getpath () on the vnode) that was used to look up with a PID (using proc_pid() on the current process). You'd then communicate this association to your daemon, for it to cache. The vn_getpath is a tricky KPI; it's final argument is both an in and an out value, so you will need to reset it to your buffer size on each call (which should be PATH_MAX from <sys/syslimits.h>). You would not get any notification via kauth when the process went away (for complex reasons having to do with the inability of some network FS's to rename open files, without non-standard extensions to their protocols), so you would need to either keep a potentially pretty big cache of the information, or occasionally poll in user space using the kill(pid, 0) existence test for processes (-1 & ENOENT=no process, -1 & EPERM=process exists, but you can't signal it, 0=process exists and you can signal it, but no signal was actually sent) to clean out the stale cache entries. As Mike pointed out though, this would only get you to the point of you knowing what the file that was there was named before the attempt to contact the network, so what file's there at the time you want to check and looks "mostly harmless" is not necessarily actually the code that's running. To answer your original question, though, the security guys generally frown on SUID/SGID anything, even if it's an ordinary user the thing impersonates. This email sent to site_archiver@lists.apple.com