[launchd-dev] Securing Launch Agents

Dave Keck davekeck at gmail.com
Fri May 1 04:53:24 PDT 2009


Hey list,

I've been writing some security software, part of which is a
system-wide agent (stored in /Library/LaunchAgents). I've almost got
it working to the point that I'm satisfied for a 1.0 release. That
was, until I realized two show-stopping facts. With a short trip to
the terminal, any user is able to:

1. Kill the agent
2. Unload the agent using launchctl

Well, duh, you might say. When I started out, I assumed that since the
write privileges of /Library/LaunchAgents are root:wheel, the agents
loaded from that directory could only be affected by a user with
administrator credentials. Unfortunately for me, that simply ain't so.
(Granted, a non-privileged user can only temporarily disable the
agent, as it will be reloaded when they log out and back in. But for my
purposes, this is still unacceptable.)

(Also I should mention that I can't write a daemon because the
software must display a UI, and the UI itself is part of what
shouldn't be killed without admin credentials.)

To me, what I'm trying to do seems reasonable. It'd be nice if the
UserName key was respected for agents installed in the system-wide
LaunchAgents directory, so the agent would run in the GUI context of a
certain user, but would be out-of-reach (to unprivileged users) as far
as unloading or killing the process. On the other hand, I suppose
respecting the UserName key conflicts with the whole notion of
LaunchAgents running on behalf of the current user. Is my request
reasonable or am I missing something?

I'll also say that I've found a way to do what I need, but it directly
violates the 10 Commandments of Launchd Agents. I would be eternally
grateful if someone could suggest a semi-rule-abiding way to secure a
LaunchAgent from being controlled without authorization.

Thanks!

David
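An added example, not part of David's message and not Apple code, of the split a defender would reach for here: the security-critical work moves into a LaunchDaemon, whose plist in /Library/LaunchDaemons is loaded by the root launchd (so unloading or killing it needs root, and UserName is honoured there), while a separate per-session agent carries only the UI. Both plists are shown in one block; labels, paths, executable names and the `_exampleguard` account are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- /Library/LaunchDaemons/com.example.guard.plist (placeholder label and paths).
     Loaded by the root launchd, so "launchctl unload" or kill needs root.
     UserName is honoured because the parent launchd runs as root; a dedicated
     unprivileged account keeps the daemon itself off root. -->
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.guard</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/Example/guardd</string>
    </array>
    <key>UserName</key>
    <string>_exampleguard</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- /Library/LaunchAgents/com.example.guard-ui.plist (placeholder label and paths).
     Loaded by each user's own launchd inside that user's Aqua session, so that
     user can unload or kill it without admin rights: keep only the UI here and
     no enforcement state or decisions. -->
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.guard-ui</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example Guard.app/Contents/MacOS/Example Guard</string>
    </array>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
```

Whatever must survive a non-admin user's `launchctl unload` belongs in the daemon; the agent is disposable and simply reconnects to the daemon when the session launchd restarts it.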
