How to install a root trusted certificate via SSH?
I already read that SecTrustSettingsSetTrustSettings requires user interaction.
That means it requires the user login and password to be entered.
But is it possible to move that authentication to the command line, outside the UI session?
I made a sample tool that tries to do this.
https://github.com/DanilKorotenko/certificateTool
According to the documentation:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/02authconcepts/authconcepts.html#//apple_ref/doc/uid/TP30000995-CH205-CJBJBGAA
If the timeout attribute is missing, the credential can be used to grant the right as long as the login session lasts, unless the credential is explicitly destroyed.
When I call function AuthorizationCopyRights,
I create a shared credential (login+password).
The authorization rule com.apple.trust-settings.admin does not have a timeout attribute.
security authorizationdb read com.apple.trust-settings.admin
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string>
<key>created</key>
<real>745942864.47938299</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>745942864.47938299</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
</plist>
But if I read the authd log while running this tool, I can see this:
default 18:28:43.117724+0300 authd Validating shared credential trustadmin (707) for authenticate-admin (engine 396)
default 18:28:43.117733+0300 authd credential 707 expired '0.136439 > 0' (does NOT satisfy rule) (engine 396)
It says that our credential is expired.
But it should not be expired, because the rule does not have a timeout.
In summary, according to the documentation, SecTrustSettingsSetTrustSettings should not require authentication when the calling process is running as root, because the com.apple.trust-settings.admin right rule does not have a timeout, and so the root authentication at process call time will create a shared credential which SecTrustSettingsSetTrustSettings will use.
But in reality the behavior is different.
I found that on some other Macs the tool works as expected: it adds the trusted certificate silently.
Maybe there is some special condition for exactly this right? Maybe there are some special preferences, flags or environment variables?
Steps To Reproduce
Change these constants in the code before building.
const char *userLogin = "your-adminuser";
const char *userPass = "your-password";
const char *certificateName = "your-certificateFileName";
You may use testCertificate, or create your own.
Build project.
Connect to localhost by ssh
ssh <youruser>@localhost
Go to build folder.
sudo ./certificateTool
Actual result:
The tool returns:
SecTrustSettingsSetTrustSettings failure. Error: -60007
That means that user interaction is required.
Expected result:
User interaction is not required.
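A small helper, added here as an example and not part of the post's tool, that follows a right such as com.apple.trust-settings.admin through the rules its `rule` array delegates to and reports the timeout and shared attributes of each. It parses the plist text that `security authorizationdb read <name>` prints; the entries for `entitled` and `authenticate-admin` below are constructed placeholders, not real dumps.

```python
"""Walk an authorization right to the rules it delegates to and report the
attributes that govern credential reuse (timeout, shared)."""
import plistlib

# The post's dump of com.apple.trust-settings.admin, trimmed to the keys used here.
TRUST_SETTINGS_ADMIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>k-of-n</key><integer>1</integer>
<key>rule</key><array><string>entitled</string><string>authenticate-admin</string></array>
</dict></plist>"""

# CONSTRUCTED placeholders for the referenced rules; read the real ones with
# `security authorizationdb read entitled` and `... read authenticate-admin`.
ENTITLED = b"""<plist version="1.0"><dict>
<key>class</key><string>entitled</string></dict></plist>"""
AUTHENTICATE_ADMIN = b"""<plist version="1.0"><dict>
<key>class</key><string>user</string><key>group</key><string>admin</string>
<key>shared</key><true/><key>timeout</key><integer>0</integer></dict></plist>"""

DB = {"com.apple.trust-settings.admin": TRUST_SETTINGS_ADMIN,
      "entitled": ENTITLED, "authenticate-admin": AUTHENTICATE_ADMIN}


def resolve(db, name, seen=None):
    """Return [(rule name, class, timeout, shared)] for `name` and every rule
    it references, depth first.  A missing timeout is reported as None."""
    seen = seen if seen is not None else set()
    if name in seen or name not in db:
        return []
    seen.add(name)
    rule = plistlib.loads(db[name])
    out = [(name, rule.get("class"), rule.get("timeout"), rule.get("shared"))]
    # A class "rule" entry delegates to the rules named in its "rule" array
    # (k-of-n of them must pass).  The credential is validated against those
    # rules, which is why authd logs "for authenticate-admin" in the post.
    for sub in rule.get("rule", []):
        out.extend(resolve(db, sub, seen))
    return out


def effective_timeouts(db, name):
    """Map each rule in the chain to its own timeout: None means the rule sets
    none, 0 means a cached credential expires immediately."""
    return {n: t for n, _, t, _ in resolve(db, name)}
```

When the top-level right has no timeout but a delegated rule does, the delegated value is the one a cached credential is checked against, so both have to be read.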
Hello.
Is there a legal way to block iOS devices from being mounted on macOS?
I noticed that when an iOS device is connected, it appears to be a storage device, but it is not. It does not even go through DiskArbitration. It seems that some FileProvider is taking place there.
I know that it is possible to do via the MDM profile:
<key>PayloadContent</key>
<dict>
<key>.GlobalPreferences</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>ignore-devices</key> <true/>
</dict>
</dict>
</array>
</dict>
</dict>
But is there some programmatic solution?
If I use EndpointSecurity and block file operations for the usbmuxd process on the /var folder, it prevents iOS devices from being mounted. But wouldn't there be any negative side effects from such a solution?
What if "session:canSendMessageWithCompletionHandler:" method has to take a couple of seconds to make a decision?
The user may be confused when they click the "Send" button and nothing happens at once.
Is there a legal way to make "Send" button disabled during MEComposeSessionHandler work?
Or maybe there is another way to show some progress that my mail extension is working? Maybe it is possible to show a modal window?
Hello.
How does excludedNetworkRules work?
Can I set up such rules that allow me to catch everything except specified ports (AirDrop for example)?
I found that if my extension starts with these rules:
[Extension ....]: provider set tunnel configuration to
tunnelRemoteAddress = <9-char-str>
includedNetworkRules = (
{
matchRemoteEndpoint = 0.0.0.0:80
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:81
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:8080
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:443
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:25
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:587
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:465
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
)
excludedNetworkRules = (
{
matchRemoteEndpoint = 0.0.0.0:8770
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
{
matchRemoteEndpoint = 0.0.0.0:8770
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
)
isFullyTransparent = YES
Note that the rules contain a wildcard rule:
{
matchRemotePrefix = 0
matchProtocol = <3-char-str>
matchDirection = <8-char-str>
appliesToLoopback = NO
},
AirDrop is not working.
I see in the logs that the connection is delivered to my extension, and it rejects it:
(1899100530): New flow: NEFlow type = stream, app = com.apple.sharingd, name = 69e95d47-5e35-45d9-a0cf-252f226ec444.local, fe80:d::6c5b:6bff:fecc:e0a.0 <-> fe80::fc46:29ff:feaa:24ab.8770, filter_id = , interface = awdl0
(1899100530): Delivering to client
[Extension ....]: Calling handleNewFlow with TCP com.apple.sharingd[{length = 20, bytes = 0x890032e8aa2f6d927360921d19502b76ecd24700}] remote: fe80::fc46:29ff:feaa:24ab%awdl0.8770 interface awdl0
[Extension .....]: provider rejected new flow TCP com.apple.sharingd[{length = 20, bytes = 0x890032e8aa2f6d927360921d19502b76ecd24700}] remote: fe80::fc46:29ff:feaa:24ab%awdl0.8770 interface awdl0
(1899100530): Dropping the director
(1899100530): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0
If I specify exact ports to catch, AirDrop works.
Could you help me, please?
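A model of included/excluded rule matching, added here as an example (it is not NetworkExtension's code), that reads the remote endpoint out of the "New flow" log line above and evaluates it against the rules from the post. It assumes that an endpoint rule given as an IPv4 address (0.0.0.0 with prefix 0) only matches IPv4 peers, so it never covers the IPv6 link-local AirDrop peer on awdl0; the IPv4 peer address used for comparison is constructed.

```python
"""Model of transparent-proxy included/excluded rule evaluation."""
import ipaddress
import re

# Rules as logged in the post: fixed ports, a catch-all ({} = no endpoint),
# and the exclusion for AirDrop's port 8770.
INCLUDED = [{"endpoint": ("0.0.0.0", p), "prefix": 0}
            for p in (80, 81, 8080, 443, 25, 587, 465)] + [{}]
EXCLUDED = [{"endpoint": ("0.0.0.0", 8770), "prefix": 0}]

NEW_FLOW_RE = re.compile(r"<-> (\S+)\.(\d+), filter_id")


def parse_remote(new_flow_line):
    """Extract (remote address, remote port) from a 'New flow' log line."""
    m = NEW_FLOW_RE.search(new_flow_line)
    if not m:
        raise ValueError("not a New flow line")
    return m.group(1), int(m.group(2))


def rule_matches(rule, remote_ip, remote_port):
    if "endpoint" not in rule:            # wildcard rule: any remote
        return True
    addr, port = rule["endpoint"]
    net = ipaddress.ip_network(f"{addr}/{rule['prefix']}", strict=False)
    ip = ipaddress.ip_address(remote_ip)
    if ip.version != net.version:         # assumption: families must agree
        return False
    return ip in net and port == remote_port


def flow_delivered(remote_ip, remote_port, included=INCLUDED, excluded=EXCLUDED):
    """A flow reaches handleNewFlow if an included rule matches and no
    excluded rule does."""
    hit = any(rule_matches(r, remote_ip, remote_port) for r in included)
    skip = any(rule_matches(r, remote_ip, remote_port) for r in excluded)
    return hit and not skip


# The AirDrop flow from the post's log (sharingd over awdl0).
AIRDROP_LINE = ("(1899100530): New flow: NEFlow type = stream, app = com.apple.sharingd, "
                "name = 69e95d47-5e35-45d9-a0cf-252f226ec444.local, "
                "fe80:d::6c5b:6bff:fecc:e0a.0 <-> fe80::fc46:29ff:feaa:24ab.8770, "
                "filter_id = , interface = awdl0")
```

Under this model the wildcard include catches the IPv6 AirDrop flow while the IPv4-only exclusion does not, which is the combination the log shows being delivered and rejected.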
Steps to reproduce: In Xcode, create a new Command Line Tool project.
Fill the main.cpp file with this code:
#include <csignal>
#include <iostream>

namespace
{
// Written by the handler, read by main; sig_atomic_t is safe for that.
volatile std::sig_atomic_t gSignalStatus;
}

void signal_handler(int signal)
{
    gSignalStatus = signal;
}

int main()
{
    // Install a signal handler
    std::signal(SIGINT, signal_handler);
    std::cout << "SignalValue: " << gSignalStatus << '\n';
    std::cout << "Sending signal " << SIGINT << '\n';
    // Raise the signal synchronously; the handler should run before raise returns
    std::raise(SIGINT);
    std::cout << "SignalValue: " << gSignalStatus << '\n';
}
Actual output:
SignalValue: 0
Sending signal 2
SignalValue: 0
Expected output:
SignalValue: 0
Sending signal 2
SignalValue: 2
Is it possible to drag and drop files from my application, NSTableView instance to "Security & Privacy" Preferences pane?
What type of data should be in pasteboard?
I tried NSPasteboardTypeFileURL, but it is not accepted by the pane.
I am playing with Endpoint Security. I am trying to implement blocking/allowing the user to read/write files on a USB media drive. I made my ep utility a launchctl daemon. I found that some applications couldn't start until I muted those processes for ep_client.
Moreover, some system processes couldn't start until I muted messages from them. And even more, if my utility autoruns on system start, the clock in the top right corner of the screen may be missing. The Terminal app couldn't restore its state; it hangs on start.
Actually, I came to the conclusion that my EP daemon should listen to very few processes: those processes that can read/write files on USB media and do it by user request, or under user control.
Before KAUTH was deprecated, I did it right in the kernel extension: if the vnode path is NOT on a removable drive, return DEFER at the beginning of the callback.
My question is:
What processes are pure system?
What system processes can read/write files for user or under user control?
Can, for example, /usr/libexec/nsurlsessiond download a file for the user to the USB media?
I have requested an Endpoint Security entitlement through this form: https://developer.apple.com/contact/request/system-extension/
How can I see that my request is done?
How can I check that I am able to use this entitlement?
Should it be listed in my App ID Configuration Capabilities?
I wrote a C++ command-line tool using Xcode. My tool crashes sometimes, with a crash report being generated. How can I include the Version of my command-line tool in the crash report? Now the Version is always 0.