
I'm working on writing a daemon that talks to other daemons in the same project over UNIX sockets. For security purposes, it's critical that these daemons only talk amongst themselves (and can't, for example, be connected to by other processes).

I was planning on limiting this access through standard UNIX file ownership and modes. But I can't find anywhere in the launchd.plist documentation on how to control these!

Looking at existing services, you can specify a SockPathMode key, which takes a decimal mode; great. But how do I specify the actual user and group of the created socket? I notice that some of the sockets managed by launchd on my system are owned by root:daemon, some by root:wheel, and some (e.g., ssh-agent), by stouset:wheel. And yet I can't for the life of me determine how and where these ownerships are specified.

1 Answer

Here is the question that is related to this one: https://stackoverflow.com/questions/7984657/run-daemon-as-another-user-on-mac-os-x

If a daemon is run as a dedicated user then all file descriptors and sockets will be owned by that user. Then just add restrictive access permissions to those descriptors.

Darko Cerdic
  • `mDNSResponder` seems to contradict this. The `/var/run/mDNSResponder` socket is owned by `root:daemon`, but in its launchd plist, the `UserName` and `GroupName` keys are `_mdnsresponder`. – Stephen Touset Jun 30 '14 at 09:23
  • launchd can create a socket for a daemon, in which case it will be owned by root. That way you can have a non-root owned daemon handle a socket that must be owned by root. But your daemon can open a socket programmatically, without asking launchd. That socket will be owned by the user that owns the daemon process. – Darko Cerdic Jun 30 '14 at 09:39
  • This doesn't work with socket activation. Is there any way I can have sockets owned by specific users/groups *and* use launchd socket activation? – Stephen Touset Jun 30 '14 at 16:03
  • I don't think that is possible by using only configuration files. If you leave your daemon running as root you may try programmatically changing ownership of the opened sockets. I have never tried it but it may work. – Darko Cerdic Jun 30 '14 at 16:14
  • My daemon should not continue to run as root, and unfortunately, `launchd.plist(5)` indicates that daemons run by launchd should not themselves try to drop user privileges. It seems I likely can't use socket activation on OSX, then, which is a shame. – Stephen Touset Jun 30 '14 at 16:26