[launchd-dev] UserName ignored on per-user LaunchAgents

Jeremy Reichman jaharmi at jaharmi.com
Tue Dec 4 19:39:46 PST 2007

This may be something of a "duh" but I'm curious if it is intentional and
immutable that per-user LaunchAgents, such as those a sys admin might want
to stuff into /Library/LaunchAgents, ignore the "UserName" key.

In launchd.plist's man page:

"UserName <string>
This optional key specifies the user to run the job as. The default is the
user who submitted the job to launchd."

When that key is specified in a LaunchAgent, even one in
/Library/LaunchAgents, I've found that the key is ignored, a message to that
effect is written to the system.log, and the job runs as the user that is
logging in.

Why do I want to specify it? Well, launchd tasks have certain advantages
over LoginHook (and LogoutHook). If I could replace LoginHook scripts --
which, let's face it, are limited in that they have to be called by a single
script parent script (similar to `/usr/sbin/periodic`) -- with launchd
tasks, I'd much prefer to do so. For one thing, there's no modification of
the loginwindow plist -- and the use of individual launchd jobs would make
it much easier to run multiple tasks.

The most obvious way to accomplish that is with a LaunchAgent, but
Login|LogoutHook run as root. Hence the problem. If your LoginHook-type
tasks need root access for whatever reason, then the obvious launchd way to
set that up is with the UserName key in your job plist. But it doesn't work.

I can see the wisdom of ignoring the key, but if a sys admin has placed a
job in /Library/LaunchAgents, and that directory is installed with the
system using restrictive permissions, and the job is owned by root, there
would seem to be several adequate safeguards in place to make malicious use
difficult. (Application Launch Restrictions are already depending on the
filesystem location and permissions, at least in managed environments, so it
would seem that launchd could do so as well.) I would be supportive of other
reasonable safeguards besides these, too, including script signing and more.

Besides asking whether ignoring the UserName key is meant to be this way and
could be changed in the future if enhancement requests were filed, is there
another way to replace the hooks with launchd?



More information about the launchd-dev mailing list