Need a way to securely communicate between Privileged Helper Tool (installed using SMJobBless) and the application

I am trying to install a privileged helper tool to perform some elevated work. I am using SMJobBless for the same. I am able to install the tool fine and also able to communicate with it. I am using Mac OS X 10.8.4 and using NSXPCConnection for the same. I have added .mach service in the plist which will be installed in /Library/LaunchDaemons. I am using [initWithMachServiceName:options:] in the app, as the helper is a privileged tool, and [initWithMachServiceName:] in the helper to listen. The communication is working fine.

But the problem is I tried the same communication with another application I created which did not have any codesign at all (the helper tool installer earlier was codesigned). I tried to connect to the mach service of the helper tool and was able to connect easily. This is a problem because anybody can communicate with it then and make it do anything.

I wanted some way to securely communicate between my application and the helper tool.

Thanks a lot.

Potman answered 28/6, 2013 at 13:51 Comment(2)
According to Apple docs, only the owning program should be able to call its helper, as they're both signed, so I'd guess that you may have missed something out in setting up the SMJobBless helper app. Also, if you're signing your second app with the same certificate as the first, that may be why the helper app can be launched from both. - Bildungsroman
Thanks Merlin069, can you please give the link to that Apple doc - I have read that only the owner can add or remove the tool but not about any calling restriction. Also, I am not signing the second app at all (I also tried by signing it with another authority) but it still works. - Potman

As you've said that you're not signing the second app, I believe that that is the problem that is allowing a 2nd app to call the helper application. From the Apple docs, and specifically the ReadMe file in SMJobBless, it states:

The Service Management framework uses code signatures to ensure that the helper tool is the one expected to be run by the main application

This document should be able to assist you in getting the helper app correctly associated with its owner.

Note that it references a python script, which is provided here.

Bildungsroman answered 1/7, 2013 at 12:9 Comment(8)
I am able to correctly associate the owner with the helper app - it is working quite well. The problem is I don't want anybody else (some malicious app) to be able to connect to my helper tool. So, I tried making a 2nd app, trying to pose as an attacker, which I did not sign at all, and was able to easily connect with the helper tool - this is the real problem, as now anybody can connect to the helper tool... - Potman
Have you signed both the original app and its helper? - Bildungsroman
Yes, I signed both with the same ID - Potman
Well, if the app and its helper are signed correctly, then the second, non-signed app should not be able to call the helper. Did you use the python utility to check everything is as expected? - Bildungsroman
Yes, I used the python utility - no error, everything was expected. Then, I tried it on the second app and it did give the error that the entries didn't match. But still the second app was able to communicate with the tool. - Potman
Have you tried it on a different machine, without development tools? - Bildungsroman
Good idea! Just tried on a fresh VM - the second app was able to communicate on that also. Note that I first install the tool using my first app (good one) and then try and communicate with the second one (evil one)... - Potman
Let us continue this discussion in chat - Potman

Answering my own question: I had logged a radar bug for the same and Apple said that the behavior was intended:

"It is up to the privileged helper to not expose insecure operations"

Potman answered 10/10, 2013 at 12:29 Comment(0)
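
One way for a helper to act on the guidance quoted in the last answer, shown as an added example that is not part of the original thread: the listener delegate checks the connecting client's code signature before exporting any interface. The requirement string (bundle identifier and team ID), `HelperProtocol`, and `HelperDelegate` are hypothetical placeholders.

```objective-c
// Added example: helper-side (launchd daemon) connection gate.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder requirement: substitute your app's bundle identifier and team ID.
static NSString * const kClientRequirement =
    @"identifier \"com.example.MyApp\" and anchor apple generic and "
    @"certificate leaf[subject.OU] = \"TEAMID1234\"";

// Hypothetical protocol standing in for the helper's real interface.
@protocol HelperProtocol
- (void)helperVersionWithReply:(void (^)(NSString *version))reply;
@end

@interface HelperDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation HelperDelegate

// YES only if the process behind `pid` has a valid signature satisfying
// kClientRequirement; unsigned or differently signed callers fail.
// Caveat: a PID can be reused between connect and check, so each exposed
// operation should also stay narrow and validate its own arguments.
static BOOL ClientIsTrusted(pid_t pid) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL trusted = NO;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid : @(pid) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        trusted = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return trusted;
}

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (!ClientIsTrusted(conn.processIdentifier)) {
        NSLog(@"Rejected XPC client pid %d", conn.processIdentifier);
        return NO; // rejecting invalidates the connection
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)helperVersionWithReply:(void (^)(NSString *))reply { reply(@"1.0"); }
@end
```

The helper's `main` would set an instance of this class as the delegate of the `NSXPCListener` created with `initWithMachServiceName:` before calling `resume`.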
