Post

Replies

Boosts

Views

Activity

How to install root trusted certificate via SSH ?
How to install root trusted certificate via SSH ? I already read that SecTrustSettingsSetTrustSettings requires user interaction. That mean that it requires user login and password be entered. But is it possible to move that authetification to command line, outside UI session? I made a sample tool that try to do this. https://github.com/DanilKorotenko/certificateTool Accordingly to the documentation: https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/02authconcepts/authconcepts.html#//apple_ref/doc/uid/TP30000995-CH205-CJBJBGAA If the timeout attribute is missing, the credential can be used to grant the right as long as the login session lasts, unless the credential is explicitly destroyed. When I call function AuthorizationCopyRights, I create a shared credential (login+password). Authorization rule com.apple.trust-settings.admin does not have timeout attribute. security authorizationdb read com.apple.trust-settings.admin <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>class</key> <string>rule</string> <key>comment</key> <string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string> <key>created</key> <real>745942864.47938299</real> <key>k-of-n</key> <integer>1</integer> <key>modified</key> <real>745942864.47938299</real> <key>rule</key> <array> <string>entitled</string> <string>authenticate-admin</string> </array> <key>version</key> <integer>1</integer> </dict> </plist> But. If read authd log, when running this tool, in logs we can read this: default 18:28:43.117724+0300 authd Validating shared credential trustadmin (707) for authenticate-admin (engine 396) default 18:28:43.117733+0300 authd credential 707 expired '0.136439 > 0' (does NOT satisfy rule) (engine 396) It says that our credential is expired. But it should not be expired because the rule does not have timeout. In summary, accordingly to documentation, SecTrustSettingsSetTrustSettings should not require authentification, when calling process is running as root. Because, com.apple.trust-settings.admin right rule does not have timeout, and since that root authetification on process call will create shared credential which SecTrustSettingsSetTrustSettings will use. But in reality the behavior is different. I found, that on some other macs, that tool works as expected. It adds trust certificate silently. May be there is some special condition for exactly this roght? May be there is some special preferences, flags or environment variables? Steps To Reproduce Change this constants in code before build. const char *userLogin = "your-adminuser"; const char *userPass = "your-password"; const char *certificateName = "your-certificateFileName"; You may use testCertificate, or create our own. Build project. Connect to localhost by ssh ssh <youruser>@localhost Go to build folder. sudo ./certificateTool Actual result: The tool returns: SecTrustSettingsSetTrustSettings failure. Error: -60007 That means that user interaction is required. Expected result: User interaction does not required.
1
1
430
Aug ’24
Block iOS device from being mounted on mac.
Hello. Is there a legal way to block iOS devices from being mounted on macOS? I noticed, that when an iOS device is connected, it pretends to be like a storage device but it is not. It not even going through diskArbitration. It seems that some fileProvider is taking place there. I know that it is possible to do via the MDM profile: <key>PayloadContent</key> <dict> <key>.GlobalPreferences</key> <dict> <key>Forced</key> <array> <dict> <key>mcx_preference_settings</key> <dict> <key>ignore-devices</key> <true/> </dict> </dict> </array> </dict> </dict> But is there some programmatic solution? If I use EndpointSecurity and block file operations for the usbmuxd process on /var folder, it prevents iOS devices from being mounted. But wouldn't be there any negative side effects from such a solution?
1
0
870
May ’24
Make "Send" button inactive during MEComposeSessionHandler work.
What if "session:canSendMessageWithCompletionHandler:" method has to take a couple of seconds to make a decision? User may be confused when he click "Send" button and nothing is happen at once. Is there a legal way to make "Send" button disabled during MEComposeSessionHandler work? Or may be there another way to show some progress that my mail extension is working? May be it is possible to show modal window?
0
0
485
Apr ’23
NETransparentProxyProvider and AirDrop. Catch everything except AirDrop.
Hello. How does excludedNetworkRules work? Can I setup such rules that allow me to catch everything except specified ports (AirDrop for example)? I found that if my extension start with these rules: [Extension ....]: provider set tunnel configuration to tunnelRemoteAddress = <9-char-str> includedNetworkRules = ( { matchRemoteEndpoint = 0.0.0.0:80 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:81 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:8080 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:443 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:25 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:587 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:465 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) excludedNetworkRules = ( { matchRemoteEndpoint = 0.0.0.0:8770 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, { matchRemoteEndpoint = 0.0.0.0:8770 matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, ) isFullyTransparent = YES Note that rules contains wildcard rule: { matchRemotePrefix = 0 matchProtocol = <3-char-str> matchDirection = <8-char-str> appliesToLoopback = NO }, Airdrop is not working. I see in logs that connection is delivered to my extension, and it rejects it.: (1899100530): New flow: NEFlow type = stream, app = com.apple.sharingd, name = 69e95d47-5e35-45d9-a0cf-252f226ec444.local, fe80:d::6c5b:6bff:fecc:e0a.0 <-> fe80::fc46:29ff:feaa:24ab.8770, filter_id = , interface = awdl0 (1899100530): Delivering to client [Extension ....]: Calling handleNewFlow with TCP com.apple.sharingd[{length = 20, bytes = 0x890032e8aa2f6d927360921d19502b76ecd24700}] remote: fe80::fc46:29ff:feaa:24ab%awdl0.8770 interface awdl0 [Extension .....]: provider rejected new flow TCP com.apple.sharingd[{length = 20, bytes = 0x890032e8aa2f6d927360921d19502b76ecd24700}] remote: fe80::fc46:29ff:feaa:24ab%awdl0.8770 interface awdl0 (1899100530): Dropping the director (1899100530): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0 If I specify exact ports to catch, Airdrop is working. Could you help me, please?
4
0
1.2k
Jul ’22
std::signal does not work.
Steps to reproduce: In XCode, create a new Command Line Tool Project. Fill the main.cpp file with this code: cpp #include csignal #include iostream   namespace { volatile std::sig_atomic_t gSignalStatus; }   void signal_handler(int signal) { gSignalStatus = signal; }   int main() { // Install a signal handler std::signal(SIGINT, signal_handler);   std::cout "SignalValue: " gSignalStatus '\n'; std::cout "Sending signal " SIGINT '\n'; std::raise(SIGINT); std::cout "SignalValue: " gSignalStatus '\n'; } Actual output: SignalValue: 0 Sending signal 2 SignalValue: 0 Expected output: SignalValue: 0 Sending signal 2 SignalValue: 2
2
0
963
Apr ’21
Endpoint Security and the system functionality
I am playing with endpoint security. I trying to implement block/allow user to read/write files on a USB media drive. I made my ep utility as launchctl daemon. I found that some applications couldn't start until I mute those processes for ep_client. Moreover, some system processes couldn't start until I mute messages from them. And even more, if my utility autoruns on system start, the clock on the top right corner of the screen may be absent. The Terminal app couldn't restore its state, it hangs on start. Actually, I came to that, my EP daemon should listen to very few processes. Those processes that can read/write files on USB media, and do it by user request. Or under user control. When KAUTH was not deprecated, I did it right in the kernel extension: if the vnode path is NOT on a removable drive, return DEFER at the beginning of callback. My question is: What processes are pure system? What system processes can read/write files for user or under user control? Does, for example, /usr/libexec/nsurlsessiond can download a file for user to the USB media?
2
0
1.2k
Jun ’20