Identity Finder Forums : LaunchDaemon plist ownership and permissions

Identity Finder Forums : LaunchDaemon plist ownership and permissions http://www.identityfinder.com/forum/ This is an XML content feed of; Identity Finder Forums : Identity Finder for Mac : LaunchDaemon plist ownership and permissions Tue, 21 May 2013 12:00:54 +0000 Tue, 01 Mar 2011 14:51:56 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 10.14 360 www.identityfinder.com/forum/RSS_post_feed.asp?TID=113 LaunchDaemon plist ownership and permissions : Thanks, we look forward to this... http://www.identityfinder.com/forum/forum_posts.asp?TID=113&PID=251&title=launchdaemon-plist-ownership-and-permissions#251 Author: RITJeremy
Subject: 113
Posted: 01 Mar 2011 at 2:51pm

Thanks, we look forward to this change!]]> Tue, 01 Mar 2011 14:51:56 +0000 http://www.identityfinder.com/forum/forum_posts.asp?TID=113&PID=251&title=launchdaemon-plist-ownership-and-permissions#251 LaunchDaemon plist ownership and permissions : Thank you for the suggestion.... http://www.identityfinder.com/forum/forum_posts.asp?TID=113&PID=246&title=launchdaemon-plist-ownership-and-permissions#246 Author: Product Management
Subject: 113
Posted: 01 Mar 2011 at 2:47pm

Thank you for the suggestion. The launchedaemon will be set to root:wheel and 644.]]> Tue, 01 Mar 2011 14:47:47 +0000 http://www.identityfinder.com/forum/forum_posts.asp?TID=113&PID=246&title=launchdaemon-plist-ownership-and-permissions#246 LaunchDaemon plist ownership and permissions : The current (Feb 17 but listed... http://www.identityfinder.com/forum/forum_posts.asp?TID=113&PID=241&title=launchdaemon-plist-ownership-and-permissions#241 Author: RITJeremy
Subject: 113
Posted: 25 Feb 2011 at 11:57am

The current (Feb 17 but listed as Feb 15 on the Web site) postinstall installer script copies the LaunchDaemon plist and sets the ownership/permissions to root:admin and 755.

My understanding of launchd is that the plist should be set to root:wheel and 644.

Apple TN2083 states:

When you install your daemon, make sure that you set the file system permissions correctly. Apple recommends that daemons be owned by root, have an owning group of wheel, and use permissions 755 (rwxr-xr-x) for executables and directories, and 644 (rw-r--r--) for files. In addition, every directory from your daemon up to the root directory must be owned by root and only writable by the owner (or owned by root and sticky). If you don't do this correctly, a non-admin user might be able to escalate their privileges by modifying your daemon (or shuffling it aside).

Every other LaunchDaemon stored in the local domain by other vendors that I have encountered uses root:wheel and 644.

On the launchd-dev mailing list, I’ve seen responses that the plist should be fine as long as it is owned by root and only writable by root. However, I believe it would still be a good practice to change the plist to root:wheel ownership and 644 permissions in the IDF Mac Edition installer build script.

]]> Fri, 25 Feb 2011 11:57:38 +0000 http://www.identityfinder.com/forum/forum_posts.asp?TID=113&PID=241&title=launchdaemon-plist-ownership-and-permissions#241