[launchd-dev] Binding an individual user's agent to a privileged port

Quinn eskimo1 at apple.com
Mon Jan 28 03:30:07 PST 2008

At 22:23 +0000 23/1/08, Hamish Allan wrote:
>Is it possible for a user agent to be bound to a privileged port?

No.  Take a look at Figure 3 in TN2083.


launchd agents are managed by the per-user launchds.  Those launchds 
have irrevocably dropped all privileges.  Thus, there's no way for 
them to be able to bind to a privileged port on your behalf.

At 22:23 +0000 23/1/08, Hamish Allan wrote:
>As far as I can tell, there are two ways of demonstrating to launchd
>that you have the authority to perform privileged operations such as
>binding to a port < 1024: putting a plist file in /Library/Launch*, or
>running launchctl sudo.

I believe you mean "/Library/LaunchDaemons" and not 
"/Library/Launch*".  The latter would include agents (in 
"/Library/LaunchAgents"), which are restricted as I've described 

btw These two mechanism are fundamentally the same.

o When you put a file in "/Library/LaunchDaemons", it is consulted by 
the root launchd at system startup.

o When you run launchctl using sudo, it always talks to the root launchd.

Thus, in both cases the launchd job gets loaded into the root 
launchd, which is the only one capable of binding to privileged ports.

Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

More information about the launchd-dev mailing list