Appropriate LaunchDaemon filesystem locations
TN2083 states:
When you install your daemon, make sure that you set the file system permissions correctly. Apple recommends that daemons be owned by root, have an owning group of wheel, and use permissions 755 (rwxr-xr-x) for executables and directories, and 644 (rw-r--r--) for files. In addition, every directory from your daemon up to the root directory must be owned by root and only writable by the owner (or owned by root and sticky). If you don't do this correctly, a non-admin user might be able to escalate their privileges by modifying your daemon (or shuffling it aside).
The technote isn't specific about which existing filesystem locations are appropriate for storing launchdaemons' executables.
Does "writable by owner" mean both the individual owner and group owner? I interpret the recommendation above to mean the individual owner and not the group owner, but that may not be what is intended.
What standard locations are considered appropriate for launchdaemons?
Files in application bundles in /Applications probably won't meet the recommendations above, because /Applications is owned by root:admin and writable by both as a default. Applications are often installed by drag and drop, and so individual apps won't even have the stricter ownership that the parent /Applications folder will have.
Subfolders in /Library/Application Support in the local domain are also unable to meet these recommendations. The /Library folder is owned and writable by admin, even though it is also owned by root and sticky. /Library/Application Support is itself owned by root and admin, and is again writable by both.
As long as I'm asking, is there any functional or security difference between a launchdaemon plist with 755 or 644 permissions? I almost exclusively see them with 644 permissions (and root:wheel ownership) but occasionally come across one that is 755.
Thanks!
-- Jeremy
Appropriate locations are listed in the man page for launchd.
Thomas
On 25 Feb 2011, at 17:26, Jeremy Reichman wrote:
What standard locations are considered appropriate for launchdaemons?
There's a tricky trade-off between correctness and user visibility here. Probably the most correct option is to put your daemon in a sub-directory of /usr/local. The problem with that location is that it's not visible to the user (in the Finder), something many folks, including myself, object to.
Recently we've started putting stuff in /Library/PrivilegedHelperTools, but the focus of that directory is in the name; it's about helper tools for privilege separation, and is probably not the best choice for general daemons. *shrug*
On 25 Feb 2011, at 17:26, Jeremy Reichman wrote:
As long as I'm asking, is there any functional or security difference between a launchdaemon plist with 755 or 644 permissions. I almost exclusively see them with 644 permissions (and root:wheel ownership) but occasionally come across one that is 755.
644 is correct. 755 is a mistake, but a relatively benign one.
On 25 Feb 2011, at 18:29, Thomas Clément wrote:
Appropriate locations are listed in the man page for launchd.
<x-man-page://8/launchd> only covers places where you should put launchd property list files, not the code itself. A better man page is <x-man-page://7/hier>.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
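The TN2083 rule discussed in this thread, written as a check (an added example, not part of any message in the thread or of Apple's documentation). It assumes "only writable by the owner" means no group or other write bit, the reading Jeremy gives, and that wheel is gid 0; the names `audit`, `check_directory` and `check_daemon_file` are hypothetical.

```python
import os
import stat
import sys

# Assumption: "only writable by the owner" = neither group nor other may write.
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_directory(st):
    """Ancestor directory: owned by root and writable only by the owner,
    or owned by root and sticky."""
    if st.st_uid != 0:
        return "not owned by root"
    if st.st_mode & WRITE_BY_OTHERS and not st.st_mode & stat.S_ISVTX:
        return "group/other-writable and not sticky"
    return None


def check_daemon_file(st):
    """The daemon itself: root:wheel, no write bit beyond the owner (755/644)."""
    if st.st_uid != 0:
        return "not owned by root"
    if st.st_gid != 0:  # assumption: wheel is gid 0
        return "group is not wheel (gid 0)"
    if st.st_mode & WRITE_BY_OTHERS:
        return "writable by group or other"
    return None


def audit(path, stat_fn=os.stat):
    """Return [(path, problem)] for the daemon and every directory up to /."""
    findings = []
    problem = check_daemon_file(stat_fn(path))
    if problem:
        findings.append((path, problem))
    parent = os.path.dirname(path)
    while True:
        problem = check_directory(stat_fn(parent))
        if problem:
            findings.append((parent, problem))
        if parent == os.path.dirname(parent):  # reached the root directory
            break
        parent = os.path.dirname(parent)
    return findings


if __name__ == "__main__":
    for daemon in sys.argv[1:]:
        # Resolve symlinks first so the real ancestor chain is the one audited.
        for where, why in audit(os.path.realpath(daemon)):
            print(f"{where}: {why}")
```

Run it with one or more daemon executable paths as arguments; no output means every component passed.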