
LaunchDaemon plist ownership and permissions

RITJeremy
Posted: 25 Feb 2011 at 11:57am
The current (Feb 17 but listed as Feb 15 on the Web site) postinstall installer script copies the LaunchDaemon plist and sets the ownership/permissions to root:admin and 755.

My understanding of launchd is that the plist should be set to root:wheel and 644.

Apple TN2083 states:

When you install your daemon, make sure that you set the file system permissions correctly. Apple recommends that daemons be owned by root, have an owning group of wheel, and use permissions 755 (rwxr-xr-x) for executables and directories, and 644 (rw-r--r--) for files. In addition, every directory from your daemon up to the root directory must be owned by root and only writable by the owner (or owned by root and sticky). If you don't do this correctly, a non-admin user might be able to escalate their privileges by modifying your daemon (or shuffling it aside).

Every other LaunchDaemon stored in the local domain by other vendors that I have encountered uses root:wheel and 644.

On the launchd-dev mailing list, I’ve seen responses that the plist should be fine as long as it is owned by root and only writable by root. However, I believe it would still be a good practice to change the plist to root:wheel ownership and 644 permissions in the IDF Mac Edition installer build script.
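
Added example, not part of the original post or the vendor's installer: a Python check of the TN2083 rules quoted above, applied to the plist and to every directory from it up to the root. It assumes wheel is gid 0 (as on macOS); the script name in the usage comment is hypothetical.

```python
import os
import stat
import sys

ROOT_UID = 0   # root
WHEEL_GID = 0  # assumption: 'wheel' is gid 0, as on macOS

def check_plist(uid, gid, mode):
    """Findings for the plist file itself: root:wheel and mode 644."""
    findings = []
    if uid != ROOT_UID:
        findings.append("owner is uid %d, expected root" % uid)
    if gid != WHEEL_GID:
        findings.append("group is gid %d, expected wheel" % gid)
    if stat.S_IMODE(mode) != 0o644:
        findings.append("mode is %o, expected 644" % stat.S_IMODE(mode))
    return findings

def check_directory(uid, mode):
    """Findings for one ancestor directory: owned by root, and writable
    only by the owner unless the sticky bit is set."""
    findings = []
    if uid != ROOT_UID:
        findings.append("owner is uid %d, expected root" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
        findings.append("group/other writable without sticky bit")
    return findings

def audit(plist_path):
    """Check the plist and every directory up to /; return {path: findings}."""
    path = os.path.abspath(plist_path)
    st = os.lstat(path)  # lstat: a symlink in place of the plist is a finding
    if stat.S_ISREG(st.st_mode):
        report = {path: check_plist(st.st_uid, st.st_gid, st.st_mode)}
    else:
        report = {path: ["not a regular file"]}
    parent = os.path.dirname(path)
    while True:
        st = os.stat(parent)
        report[parent] = check_directory(st.st_uid, st.st_mode)
        if parent == os.path.dirname(parent):  # reached /
            break
        parent = os.path.dirname(parent)
    return {p: f for p, f in report.items() if f}

if __name__ == "__main__":
    # Usage: python3 audit_plist.py /Library/LaunchDaemons/<label>.plist
    problems = audit(sys.argv[1])
    for p, findings in problems.items():
        print("%s: %s" % (p, "; ".join(findings)))
    sys.exit(1 if problems else 0)
```

An empty result means the plist and its whole directory chain meet the quoted recommendation; a plist installed as root:admin with 755 is reported for both its group and its mode.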

Product Management (Admin Group)
Posted: 01 Mar 2011 at 2:47pm
Thank you for the suggestion. The LaunchDaemon will be set to root:wheel and 644.

RITJeremy
Posted: 01 Mar 2011 at 2:51pm
Thanks, we look forward to this change!