4

I have sandboxing enabled and use /sbin/ping with NSTask:

[task setLaunchPath:@"/sbin/ping"];
[task setArguments:[NSArray arrayWithObjects:@"-c10", iPAddress, nil]];

Everything works great and I get the expected output.

I also want to use /usr/sbin/traceroute with NSTask:

[task setLaunchPath:@"/usr/sbin/traceroute"];
[task setArguments:[NSArray arrayWithObject:iPAddress]];

But the task terminates with the message: NSTask: Task create for path '/usr/sbin/traceroute' failed: 22, "Invalid argument". Terminating temporary process. At the same time the sandbox logs: deny forbidden-exec-sugid

Why does it work with ping, but not with traceroute? And how do I make it work with traceroute?

Thx!

Daniel

1 Answer

4

Q1: ping vs. traceroute - the former is a non-privileged program, the latter is privileged and runs as root. Your error indicates running as root is not allowed by the sandbox, unsurprising.

Q2: file a bug report with Apple detailing why you need the traceroute functionality and ask for a sandbox supported way of doing it. Given you're actually using the sandbox you're probably a registered Apple developer, so raise it on the dev forums as well (list your bug number).

CRD
  • Unfortunately I do not yet have a developer account. Does this mean there is no other way? – Daniel Feb 14 '12 at 01:42
  • @Daniel - probably not, at least not using traceroute. But rolling your own "traceroute" directly might be fine, with a simple entitlement you can do anything over the network you like when in the sandbox. Which begs the question what is traceroute doing that requires it to run as root? You can get the source of traceroute (google traceroute.c), take a look at it and see if you can run it as a normal user - you can always include it in your app as a helper if so, or combine the code directly into your source base. – CRD Feb 14 '12 at 10:47
  • Good idea. I'll try to include it directly in my source base. Thank you! – Daniel Feb 14 '12 at 12:09
  • Just curious... why do you sandbox an app, since you're not a registered Apple developer and you're probably not intending to sell your app via the App Store? – Vassilis May 10 '12 at 20:25
  • @VassilisGr: When I asked that question I knew that it was still a long time (6 months) until I'd upload the app to the Mac App Store. And since it was my first app on the store... – Daniel Apr 03 '13 at 10:10
  • @onmyway133 - Look at the command ownership and permissions. The sandbox will *probably* prevent you from running setuid commands. – CRD Mar 17 '17 at 17:49
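The ownership-and-permissions check suggested in the last comment can be done in code before a path is handed to NSTask. This is an added example, not code from the question or the answer; `check_launch_path` is a hypothetical helper, and it assumes the `forbidden-exec-sugid` denial corresponds to the setuid/setgid mode bits.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Outcome of inspecting a launch path before handing it to NSTask. */
enum exec_check {
    EXEC_OK = 0,            /* regular executable without set-id bits */
    EXEC_SUGID = 1,         /* setuid/setgid: the case the sandbox log names */
    EXEC_NOT_RUNNABLE = 2,  /* not a regular file, or no execute bit set */
    EXEC_STAT_FAILED = 3    /* path missing or not reachable */
};

/* Hypothetical helper (not an Apple API). 'out' may be NULL; when given,
 * it receives the stat data so the caller can report owner and mode. */
enum exec_check check_launch_path(const char *path, struct stat *out)
{
    struct stat st;
    if (stat(path, &st) != 0)           /* follows symlinks, as exec does */
        return EXEC_STAT_FAILED;
    if (out)
        *out = st;
    if (!S_ISREG(st.st_mode) || !(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return EXEC_NOT_RUNNABLE;
    if (st.st_mode & (S_ISUID | S_ISGID))
        return EXEC_SUGID;              /* exec would change uid or gid */
    return EXEC_OK;
}

int main(int argc, char **argv)
{
    /* Defaults are the two paths from the question; pass others as arguments. */
    const char *defaults[] = { "/sbin/ping", "/usr/sbin/traceroute" };
    const char **paths = argc > 1 ? (const char **)(argv + 1) : defaults;
    int n = argc > 1 ? argc - 1 : 2;
    static const char *label[] = { "ok", "setuid/setgid", "not runnable", "stat failed" };

    for (int i = 0; i < n; i++) {
        struct stat st = {0};
        enum exec_check r = check_launch_path(paths[i], &st);
        printf("%-24s owner uid=%ld mode=%04o -> %s\n", paths[i],
               (long)st.st_uid, (unsigned)(st.st_mode & 07777), label[r]);
    }
    return 0;
}
```

Because the file is plain C, it can be compiled into an Objective-C target unchanged and called right before `setLaunchPath:`.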