Calling SecCertificateCreateFromData() from within a daemon process (launched using launchctl) fails with Error: 100001 (0x186a1)(UNIX[Operation not permitted]) for a thread impersonated logged-in user using pthread_setugid_np
- Subject: Calling SecCertificateCreateFromData() from within a daemon process (launched using launchctl) fails with Error: 100001 (0x186a1)(UNIX[Operation not permitted]) for a thread impersonated logged-in user using pthread_setugid_np
- From: Aslam <email@hidden>
- Date: Fri, 11 Mar 2011 11:45:41 -0500
Hi,
Calling SecCertificateCreateFromData() from within a daemon process (launched using launchctl), from a thread which has impersonated the logged-in user using pthread_setugid_np, fails with Error: 100001 (0x186a1)(UNIX[Operation not permitted]). If this thread avoids doing the impersonation, then the SecCertificateCreateFromData() call works fine.
```cpp
#include <cstdio>
#include <cerrno>
#include <vector>
#include <pthread.h>
#include <pwd.h>
#include <unistd.h>
#include <Security/Security.h>

// Runs on a worker thread of the daemon: m_uid/m_gid are the logged-in user's ids,
// pCertData/nCertDataSize hold the DER-encoded certificate, m_oCert receives the result.
int nRet = pthread_setugid_np(m_uid, m_gid);
if (nRet != 0) {
    // pthread_setugid_np() returns -1 and sets errno on failure
    printf("thread %p impersonating user %d failed: %d\n", (void *)pthread_self(), m_uid, errno);
    return false;
}
struct passwd *pw = getpwuid(m_uid);
if (pw) {
    printf("thread %p impersonating user %s\n", (void *)pthread_self(), pw->pw_name);
}
// creating a temporary for avoiding casting a const uint8_t* to non-const (for CSSM_DATA);
// copy exactly nCertDataSize bytes (the original copied one byte past the end of the buffer)
std::vector<uint8_t> aCertData(pCertData, pCertData + nCertDataSize);
CSSM_DATA certData = { nCertDataSize, &aCertData[0] };
OSStatus nStatus = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, &m_oCert);
if (noErr != nStatus) {
    // MAC_ERR_MSG() is the poster's own OSStatus-to-string helper (not shown in the post)
    printf("SecCertificateCreateFromData() failed, error: %s, throwing exception...\n", MAC_ERR_MSG(nStatus));
    throw -1;
}
```
The Mac documentation about “Daemons and Agents” (http://developer.apple.com/library/mac/#technotes/tn2005/tn2083.html) does mention some restrictions after a daemon thread does user impersonation, but what is not clear is the root cause, i.e. what Apple service(s) this call is trying to talk to when it gets the error “Operation not permitted”; this info is not in the Mac logs.
Daemons Accessing User State
It is not possible for a daemon to act on behalf of a user with 100% fidelity. While this might seem like a controversial statement, it's actually pretty easy to prove. For example, consider something as simple as accessing a preference file in the user's home directory. It's not possible for a daemon to reliably do this. If the user has an AFP home directory, or their home directory is protected by FileVault, the volume containing the home directory will only be mounted when the user is logged in. Moreover, it is not possible to mount that volume without the user's security credentials (typically their password). So, if a daemon tries to get a user preference when the user is not logged in, it will fail.
In some cases it is helpful to impersonate the user, at least as far as the permissions checking done by the BSD subsystem of the kernel. A single-threaded daemon can do this using seteuid and setegid. These set the effective user and group ID of the process as a whole. This will cause problems if your daemon is using multiple threads to handle requests from different users. In that case you can set the effective user and group ID of a thread using pthread_setugid_np. This was introduced in Mac OS X 10.4.
So I’m trying to find the cause of the failure and, if it is not supported, then look for a workaround for my problem.
Thanks
Jangul Aslam, CISSP® | Software Engineer Staff
Phone: (978) 589-0886 | Email: email@hidden
Google Voice: (209) 78A-SLAM | IM: email@hidden
Juniper Networks Inc, 10 Technology Park Dr, Westford, MA – 01886