[launchd-dev] Book on using launchd?

Damien Sorresso dsorresso at apple.com
Mon May 4 23:54:40 PDT 2009


On May 1, 2009, at 12:45 PM, J.B. Nicholson-Owens wrote:
> Is there a good book or article on using launchd and its future for  
> replacing other program-launching programs?  Preferably something  
> with examples to illustrate running launchd in the context of a  
> program?

No, there is no book. There are, however, man pages and the  
Daemonomicon.

http://developer.apple.com/technotes/tn2005/tn2083.html#SECDAEMONOMICON

> Specifically, I manage multiple labs of Macs all running MacOS X  
> 10.5.6 and I'd like to kick off some processes, some as root, some  
> as the user:
>
> - add a link icon to the dock so the user has one-click access to a  
> shared SMB volume.  I have been using a Python script to add this  
> dock icon but knowing when to run the Python script is tricky; on  
> some machines this works perfectly every time, on other machines  
> running MacOS X 10.5.6, the dock icon script doesn't run.  I'm  
> guessing I want to run this Python script in the dock context but  
> I'm not sure if that's correct.

Please don't do this. It's unsupported, and we have no qualms about  
breaking it. Place an icon on the Desktop or in a Dock stack instead.

> - will launchd replace login/logout scripts run as root?  I'd like  
> to clear the print queues on the machine (using CUPS' "cancel -a"  
> run as root) when the user logs out.  I'd like to do this without  
> prompting the user for admin credentials (which our users don't  
> have); print jobs left at logout time should simply be cancelled/ 
> deleted.

Logging out is a destructive operation, so we don't spawn new  
processes after loginwindow has completed its logout-related work.  
(There are two forces at work when you log out. loginwindow gets rid  
of GUI applications and then triggers a session teardown in launchd.)

A more sustainable architecture would be for you to have a system  
daemon to perform the privileged operations. You would also have a  
launchd agent running in the login session and waiting for a logout  
notification from notifyd. Upon receiving that notification, the agent  
would issue a request to the daemon to clean up the print jobs for its  
UID and exit.

> - some programs don't take preference settings via MCX (Adobe CS3's  
> Acrobat, for instance) and I'll need to set certain preferences for  
> the user every time they login via a script (turning off Adobe  
> Acrobat's Javascript, for example).

You should do this with a launchd agent that is set to be KeepAlive as  
long as it has exited unsuccessfully. This way, if your agent crashes,  
it'll be respawned until it exits successfully. See launchd.plist(5).

> I'm trying to limit running scripts as the user to functions our  
> users would like to have done for them, rather than enforcing policy  
> or attempting any security setting by running scripts as the user.   
> It's my hope that by doing this the user won't have any incentive to  
> want to disable running those scripts.


This should all be doable with judicious use of privilege separation.
-- 
Damien Sorresso
BSD Engineering
Apple Inc.
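
The daemon side of the agent/daemon split described in the reply above, as an added example that is not part of the original message or Apple's code: the daemon scopes the cleanup to the UID the kernel reports for the caller and ignores anything the request claims. The Unix-domain socket transport (the message does not name the IPC mechanism), the request name `clear-print-jobs`, and the function names are assumptions made for illustration.

```python
import os
import socket
import struct
import sys
import tempfile

ALLOWED_OPS = {"clear-print-jobs"}  # hypothetical request name

def peer_uid(conn):
    """UID the kernel recorded for the process at the other end of a Unix socket."""
    if sys.platform == "darwin":
        # Assumption: SOL_LOCAL is 0 and LOCAL_PEERCRED is 1; struct xucred
        # starts with u_int cr_version followed by uid_t cr_uid.
        raw = conn.getsockopt(0, 1, 76)
        return struct.unpack_from("II", raw)[1]
    # Linux: struct ucred is pid_t pid, uid_t uid, gid_t gid.
    size = struct.calcsize("iII")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    return struct.unpack("iII", raw)[1]

def handle_request(conn):
    """Daemon side: return (operation, uid) for one request, or raise."""
    fields = conn.recv(64).decode("ascii", "replace").split()
    if not fields or fields[0] not in ALLOWED_OPS:
        raise PermissionError("unsupported operation")
    # Anything after the operation name (such as a claimed UID) is ignored:
    # the cleanup is scoped to the UID the kernel reports for the caller.
    return fields[0], peer_uid(conn)

def demo(message=b"clear-print-jobs uid=0"):
    """Constructed exchange: an agent sends a request that claims to be root."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cleanup.sock")
        with socket.socket(socket.AF_UNIX) as listener:
            listener.bind(path)
            listener.listen(1)
            with socket.socket(socket.AF_UNIX) as agent:
                agent.connect(path)
                agent.sendall(message)
                conn, _ = listener.accept()
                with conn:
                    return handle_request(conn)

if __name__ == "__main__":
    print(demo())  # operation plus the caller's real UID, not the claimed one
```

A real daemon would map the returned UID to a user name and cancel only that user's jobs.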

