2/19/2023

This is the first part of a blog post series I plan about PrivilegedHelperTools that exist on macOS systems. I recently took a look at a couple of these tools, and found that it's very easy to make the code insecure, as there are many small pieces to it, and if one is done wrong, the helper tool will be open to abuse by anyone having a foothold on the system. Depending on the application this might be limited to certain privileged actions (setting system configurations, mounting, etc…), and in some cases it's more broad, and thus a full privilege escalation can be performed. Ideally only the real client application should be able to talk to the helper tool, and all other connections should be refused. The next parts will come only later, because the fix for the examples I want to show will come only later this year.

What are PrivilegedHelperTools?

For those who are not familiar with the concept, here is a very short overview. Essentially this is part of a factored application, designed to perform certain privileged actions (which would typically require root access) on behalf of the application. The idea behind this is that your application can run as a normal user, and if something privileged has to be done, it can turn to this tool. The helper tool runs as a different process, under different privileges and different sandbox rules. This is good from many perspectives: it limits the possibilities of a potential privilege escalation compared to the case where the entire application is running as root, and it also makes the application more reliable, as if there is a crash in this tool, the main application can still run, and the helper can be restarted safely. Communication between the main application and the helper happens over XPC, which under the hood uses Mach services. XPC is an interprocess communication mechanism in macOS, and recently it became the standard for that. I will cover some XPC related stuff as we go into the examples.

I highly recommend reading through Apple's authorisation concepts and their EvenBetterAuthorizationSample code for the following part, here: Introduction to Authorization Services Programming Guide. I will cover some parts of that at a very high level, and mainly why it is not sufficient for a privileged helper tool. This will be done by going through some parts of the code. The idea behind this part is to show why this sample, which is widely used, doesn't authenticate/authorize the client properly. I'm not a developer, so if I made an error here understanding the code, let me know.

With that, let's see how we establish a connection. On the main app, we simply create a new XPC connection:

```objc
- (void)setupAuthorizationRights;
    // Part of XPCServiceProtocol. Called by the app at startup time to set up our
    // authorization rights in the authorization database.
```

This will call the function from Common/Common.m:

```objc
+ (void)setupAuthorizationRights:(AuthorizationRef)authRef
    // See comment in header.
{
    error = [Common enumerateRightsUsingBlock:^(NSString * authRightName, id authRightDefault, NSString * authRightDesc) {
        // ...
        kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed,
        // ...
```

I think this can be very confusing on first read, and honestly I totally misunderstood it the first time. The enumerateRightsUsingBlock will iterate over specific authorisation entries defined in the application. Normally these are the authorisation rights that an application wants to set up in the authorisation database. I will shortcut here, and won't show how that works, but I encourage everyone to read the links I provided in the beginning. So while iterating over them, we will call AuthorizationRightGet (Security | Apple Developer Documentation). This function will check if an entry is already in the database or not. Note that it doesn't need the authRef, as the database is world readable. The AuthorizationRightSet part is not so important for us, because if the application is already installed the entry will be in the database.

Let's go back to the authorisation rights that will be entered into the authorisation database, because that will define if a user has to authenticate or not.
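As an added example (not code from the post or from Apple's EvenBetterAuthorizationSample), here are the two checks a helper needs side by side: a listener delegate that pins the peer to a code-signing requirement (the NSXPCConnection API available from macOS 13), so only the real client can connect, beside the user-side right check using the flags quoted in the post. The client bundle id, team id and right name are placeholders.

```objective-c
// Added example, not code from the post or from Apple's EvenBetterAuthorizationSample.
// Placeholders (assumptions): client bundle id "com.example.client", team id
// "PLACEHOLDER_TEAM_ID", right name "com.example.helper.doPrivilegedThing". Deployment target macOS 13+.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Only the real client, signed by our team, satisfies this requirement.
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"PLACEHOLDER_TEAM_ID\"";

@protocol HelperProtocol
- (void)doPrivilegedThingWithAuthorization:(NSData *)authData reply:(void (^)(OSStatus))reply;
@end

@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation Helper
// Peer check: XPC drops any connection whose peer fails the requirement, so a
// process that merely knows the Mach service name never reaches the exported object.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    [conn setCodeSigningRequirement:kClientRequirement];
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

// Right check with the flags quoted in the post. It decides whether the user behind
// the external form holds the right; it says nothing about which process sent the request.
- (OSStatus)checkRight:(AuthorizationString)rightName externalForm:(NSData *)authData {
    AuthorizationExternalForm extForm;
    AuthorizationRef authRef = NULL;
    if (authData.length != sizeof(extForm)) return errAuthorizationInvalidRef;
    memcpy(&extForm, authData.bytes, sizeof(extForm));
    OSStatus err = AuthorizationCreateFromExternalForm(&extForm, &authRef);
    if (err != errAuthorizationSuccess) return err;
    AuthorizationItem item = { rightName, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    err = AuthorizationCopyRights(authRef, &rights, NULL,
              kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL);
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    return err;
}

- (void)doPrivilegedThingWithAuthorization:(NSData *)authData reply:(void (^)(OSStatus))reply {
    reply([self checkRight:"com.example.helper.doPrivilegedThing" externalForm:authData]);
}
@end
```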