[Xgrid] Sandbox & Task Permission Issues in Leopard

Hi everyone,

We have had a series of "permission denied" questions lately related to Xgrid's new security model in Leopard, so I wanted to provide some background.

In Leopard, for better security Xgrid now runs tasks using the new "sandbox" facility in Mac OS X 10.5 (more details below). The simple explanation is that on Leopard, tasks running as 'nobody' (i.e., any task where either the submitting client or the receiving agent are NOT using Kerberos authentication) have very restricted access to the filesystem. The details are specified here:

(allow process* sysctl* mach* network*)
(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))

The optimal solution is to instead use Kerberos authentication for everything. That way, tasks instead run using:

(allow process* sysctl* mach* file-read* file-write* network*)

I realize that this may not always be viable, but in that case you are pretty much on your own. In theory it is possible to edit (or replace) the task_nobody file so "nobody" processes have similar permissions as those in "task_somebody", e.g.:

(allow file-read* file-write* (regex "^/all(/|$)"))

However, note that this makes the system more vulnerable to rogue Xgrid jobs, so if you attempt this it is imperative you have other controls in place to safeguard your cluster.

In addition, any changes you make to system-provided files like /usr/share/sandbox/xgridagentd* may well break or be replaced by a future update. You have been warned!

Hope this helps,

-- Ernie P.
Xgrid Product Manager
Apple, Inc.
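As an added illustration (not code from the post or from Apple), the following small evaluator parses the two profiles quoted above and reports which operations a task may perform on a given path. It handles only the "(allow <ops> [(regex "...")])" form shown in the message, with default deny, so a job's working directories can be checked against the 'nobody' profile before submission; it is a model of the rules, not the kernel's enforcement.

```python
import re

# Profiles as quoted in the post (Leopard task_nobody / task_somebody).
TASK_NOBODY = """
(allow process* sysctl* mach* network*)
(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
"""
TASK_SOMEBODY = "(allow process* sysctl* mach* file-read* file-write* network*)"

# Only the "(allow <ops> [(regex \"...\")])" rule form used in the post is parsed.
RULE = re.compile(r'\(allow\s+([^()"]+?)\s*(?:\(regex\s+"([^"]*)"\))?\s*\)')

def parse_profile(text):
    """Return [(compiled operation globs, compiled path regex or None), ...] per allow rule."""
    rules = []
    for ops, rx in RULE.findall(text):
        # "file-read*" is a glob over operation names such as file-read-data.
        op_res = [re.compile("^" + re.escape(op).replace(r"\*", ".*") + "$")
                  for op in ops.split()]
        rules.append((op_res, re.compile(rx) if rx else None))
    return rules

def allowed(rules, operation, path=None):
    """Default deny: the operation passes only if some allow rule names it and
    that rule's path filter (when present) matches the supplied path."""
    for op_res, path_re in rules:
        if not any(o.match(operation) for o in op_res):
            continue
        if path_re is None or (path is not None and path_re.search(path)):
            return True
    return False

def writable_paths(profile_text, paths):
    """Subset of paths a task running under this profile may open for writing."""
    rules = parse_profile(profile_text)
    return [p for p in paths if allowed(rules, "file-write-data", p)]

if __name__ == "__main__":
    # Constructed sample of paths an Xgrid job might touch.
    job_paths = ["/tmp/xgrid-work", "/private/var/tmp/out", "/Users/alice/results", "/usr/bin"]
    print("nobody  :", writable_paths(TASK_NOBODY, job_paths))
    print("somebody:", writable_paths(TASK_SOMEBODY, job_paths))
```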

Sandbox tested.
Sometimes hackers try to hijack an application to run malicious code. Sandboxing helps ensure that applications do only what they’re intended to by restricting which files they can access, whether they can talk to the network, and whether they can be used to launch other applications. Helper applications in Leopard — including the software that enables Bonjour and the Spotlight indexer — are sandboxed to guard against attackers.

In the case of the new sandboxing facility in Leopard, mandatory access controls restrict access to system resources as determined by a special sandboxing profile that is provided for each sandboxed application. This means that even processes running as root can have extremely limited access to system resources.

...Sandboxing helps ensure that applications do only what they’re intended to do by placing controls on applications that restrict what files they can access, whether they can talk to the network, and whether they can be used to launch other applications. In Leopard, many of the system’s helper applications that normally communicate with the network—such as mDNSResponder (the software underlying Bonjour) and the Kerberos KDC—are sandboxed to guard them from abuse by attackers trying to access the system. In addition, other programs that routinely take untrusted input (for instance, arbitrary files or network connections) such as Xgrid and the Quick Look and Spotlight background daemons are sandboxed.

Sandboxing in Leopard is based on the system’s mandatory access controls mechanism, which is implemented at the kernel level. Sandboxing profiles are developed for each application that runs in a sandbox, describing precisely which resources are accessible to the application.

ernest$ man -k sandbox
ernest$ man sandbox

The sandbox facility allows applications to voluntarily restrict their
access to operating system resources. This safety mechanism is intended
to limit potential damage in the event that a vulnerability is exploited.
It is not a replacement for other operating system access controls.

New processes inherit the sandbox of their parent. Restrictions are generally enforced upon acquisition of operating system resources only. For example, if file system writes are restricted, an application will not be able to open(2) a file for writing. However, if the application already has a file descriptor opened for writing, it may use that file descriptor regardless of restrictions.

Xgrid-users mailing list