[launchd-dev] Binding an individual user's agent to a privileged port
Quinn
eskimo1 at apple.com
Mon Jan 28 03:30:07 PST 2008
At 22:23 +0000 23/1/08, Hamish Allan wrote:
>Is it possible for a user agent to be bound to a privileged port?
No. Take a look at Figure 3 in TN2083.
<http://developer.apple.com/technotes/tn2005/tn2083.html#FIGLAUNCHTREE>
launchd agents are managed by the per-user launchds. Those launchds
have irrevocably dropped all privileges. Thus, there's no way for
them to be able to bind to a privileged port on your behalf.
At 22:23 +0000 23/1/08, Hamish Allan wrote:
>As far as I can tell, there are two ways of demonstrating to launchd
>that you have the authority to perform privileged operations such as
>binding to a port < 1024: putting a plist file in /Library/Launch*, or
>running launchctl sudo.
I believe you mean "/Library/LaunchDaemons" and not
"/Library/Launch*". The latter would include agents (in
"/Library/LaunchAgents"), which are restricted as I've described
above.
btw These two mechanisms are fundamentally the same.
o When you put a file in "/Library/LaunchDaemons", it is consulted by
the root launchd at system startup.
o When you run launchctl using sudo, it always talks to the root launchd.
Thus, in both cases the launchd job gets loaded into the root
launchd, which is the only one capable of binding to privileged ports.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
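
The rule in the reply above, as an added example that is not part of the original message or Apple's code: a Python check that maps a plist's directory to the launchd that loads it and reports numeric socket ports below 1024 declared by agents. The `com.example.webjob` job and its paths are constructed; the `Sockets` and `SockServiceName` launchd.plist keys are not mentioned in the thread, and the directory mapping assumes normal loading at startup or login rather than launchctl run under sudo.

```python
import plistlib
from pathlib import PurePosixPath

PRIVILEGED_BELOW = 1024  # "port < 1024", as in the thread

def managing_launchd(plist_path):
    """Map a plist's directory to the launchd that loads it at startup/login."""
    parent = PurePosixPath(plist_path).parent.name
    if parent == "LaunchDaemons":
        return "root"        # consulted by the root launchd
    if parent == "LaunchAgents":
        return "per-user"    # managed by a launchd that has dropped privileges
    return "unknown"

def privileged_sockets(job):
    """Return (socket_name, port) for numeric Sockets entries below 1024."""
    found = []
    for name, spec in job.get("Sockets", {}).items():
        # A Sockets value may be a single dict or a list of dicts.
        for entry in spec if isinstance(spec, list) else [spec]:
            service = str(entry.get("SockServiceName", ""))
            # Named services (e.g. "http") are not resolved in this example.
            if service.isdigit() and int(service) < PRIVILEGED_BELOW:
                found.append((name, int(service)))
    return found

def audit(plist_path, plist_bytes):
    """Privileged ports requested by a job that a per-user launchd would load."""
    if managing_launchd(plist_path) != "per-user":
        return []
    return privileged_sockets(plistlib.loads(plist_bytes))

# Constructed sample job definition (hypothetical label and program path).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.webjob</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/webjob</string></array>
  <key>Sockets</key><dict>
    <key>Listeners</key><dict><key>SockServiceName</key><string>80</string></dict>
    <key>Admin</key><dict><key>SockServiceName</key><string>8080</string></dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for path in ("/Library/LaunchAgents/com.example.webjob.plist",
                 "/Library/LaunchDaemons/com.example.webjob.plist"):
        print(path, managing_launchd(path), audit(path, SAMPLE))
```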