[launchd-dev] Stopping and uninstalling a LaunchDaemon job
Shawn Erickson
shawnce at gmail.com
Wed Aug 27 09:11:13 PDT 2008
On Wed, Aug 27, 2008 at 8:36 AM, Quinn <eskimo1 at apple.com> wrote:
> At 8:24 -0700 27/8/08, Shawn Erickson wrote:
>>Sorry the guy that has been playing around with this isn't in just yet
>>so I don't know the exact specifics but... It is my understanding he
>>is using authorization services to run a script and that script is
>>removing files, etc. just fine but launchctl running from under that
>>script cannot see the top level launchctl instance to remove the
>>launch daemon job. I believe he used id in the script as it logged the
>>current user.
>
> OK, this sounds like one of the standard gotchas with
> AuthorizationExecutionWithPrivileges; it runs the resulting program
> with EUID == 0 but RUID inherited from the process that called AEWP
> <rdar://problem/4098710>, and launchctl is getting confused by the
> RUID.
Ah that likely explains what he saw. Thanks
> If you were writing real code I would recommend:
>
> 1. don't use a script, use a C-based tool
>
> 2. in that tool call setuid(0) to force the RUID to 0
>
> However, given that you're just putting in a temporary hack then I'll
> recommend the following trick:
>
> $ chroot -u 0 / launchctl <args>
>
> which converts an EUID == 0 / RUID != 0 context into a EUID == RUID
> == 0. Sneaky huh?
Interesting. Thanks again.
> IMPORTANT: Please don't leave these hacks in your production code.
> In my experience "temporary + work == permanent".
Yup they have a way of doing that luckily this component is throw
away, at least in this form.
-Shawn
More information about the launchd-dev
mailing list