[launchd-dev] Appropriate LaunchDaemon filesystem locations

Thomas Clément tclementdev at gmail.com
Fri Feb 25 10:29:33 PST 2011 

Appropriate locations are listed in the man page for launchd.

Thomas

On 25 févr. 2011, at 18:26, Jeremy Reichman wrote:

> TN2083 states:
> 
>> When you install your daemon, make sure that you set the file system permissions correctly. Apple recommends that daemons be owned by root, have an owning group of wheel, and use permissions 755 (rwxr-xr-x) for executables and directories, and 644 (rw-r--r--) for files. In addition, every directory from your daemon up to the root directory must be owned by root and only writable by the owner (or owned by root and sticky). If you don't do this correctly, a non-admin user might be able to escalate their privileges by modifying your daemon (or shuffling it aside).
> 
> The technote isn't specific about which existing filesystem locations are appropriate for storing launchdaemons' executables.
> 
> Does "writable by owner" mean both the individual owner and group owner? I interpret the recommendation above to mean the individual owner and not the group owner, but that may not be what is intended.
> 
> What standard locations are considered appropriate for launchdaemons?
> 
> Files in application bundles in /Applications probably won't meet the recommendations above, because /Applications is owned by root:admin and writable by both as a default. Applications are often installed by drag and drop, and so individual apps won't even have the stricter ownership that the parent /Applications folder will have.
> 
> Subfolders in /Library/Application Support in the local domain are also unable to meet these recommendations. The /Library folder is owned and writable by admin, even though it is also owned by root and sticky. /Library/Applications Support is itself owned by root and admin, and is again writable by both.
> 
> As long as I'm asking, is there any functional or security difference between a launchdaemon plist with 755 or 644 permissions. I almost exclusively see them with 644 permissions (and root:wheel ownership) but occasionally come across one that is 755.
> 
> Thanks!
> 
> --
> Jeremy
> _______________________________________________
> launchd-dev mailing list
> launchd-dev at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo.cgi/launchd-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/launchd-dev/attachments/20110225/3026b36f/attachment.html>

More information about the launchd-dev mailing list