Run suid program (without privilege) in sandbox?

Is there a feature available to sandbox profiles that would allow a suid program (in this particular case, /bin/ps) to be exec-ed without privilege (with the uid of exec-ing process instead of uid of file owner)?

Currently, trying to launch gives error:

sandbox-exec: execvp() of '/bin/ps' failed: Operation not permitted

With logged message:

deny(1) forbidden-exec-sugid

If I make a copy of /bin/ps, thus removing the suid-bit, it does run ok in the sandbox. However, it would be more convenient if I could just tell the sandbox environment to allow the exec without elevating privilege.

Yes, I understand sandbox-exec has been DEPRECATED for quite a while, and the profile language is "Apple System Private Interface", but I thought I'd ask anyway. Thanks.

What are you trying to do with ps? In most cases it’s better to call the underlying API that it uses rather than puppetstring the tool, and that’s particularly true when sandboxed. I’m happy to point you at the relevant API, but I need to know more about your end goal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

but cmake internally is doing a popen("ps axo pid,ppid")

Well, that seems like a bit of a portability nightmare (-:

I've worked around the need for ps by replacing it with a copy of /usr/bin/false for now.

OK. If you wanted to fix this properly you could point cmake at a custom tool that returns that info using libproc.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
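
A sketch of the kind of custom tool suggested above, added here as an example and not code from anyone in the thread: it lists PID/PPID pairs through libproc instead of exec-ing the setuid /bin/ps. The file name `pidppid.c`, the function names and the column layout are assumptions, and whether a given sandbox profile permits these libproc calls is not covered in the thread.

```c
/* pidppid.c (hypothetical name): print PID/PPID pairs via libproc. */
#include <stdio.h>
#include <stdlib.h>
#ifdef __APPLE__
#include <libproc.h>
#include <sys/proc_info.h>
#endif

/* Format one row as two right-aligned numeric columns (assumed layout). */
int format_row(char *out, size_t len, int pid, int ppid) {
    return snprintf(out, len, "%5d %5d\n", pid, ppid);
}

/* Write a header plus one row per process; returns rows written, or -1. */
int list_pid_ppid(FILE *fp) {
    fprintf(fp, "%5s %5s\n", "PID", "PPID");
#ifdef __APPLE__
    int n = proc_listallpids(NULL, 0);      /* NULL buffer: ask for the count */
    if (n <= 0) return -1;
    n += 32;                                /* headroom for new processes */
    pid_t *pids = calloc((size_t)n, sizeof(pid_t));
    if (!pids) return -1;
    n = proc_listallpids(pids, n * (int)sizeof(pid_t));
    int rows = 0;
    for (int i = 0; i < n; i++) {
        struct proc_bsdinfo bi;
        /* A process may exit between the two calls; skip it if the lookup fails. */
        if (proc_pidinfo(pids[i], PROC_PIDTBSDINFO, 0, &bi, sizeof bi)
                != (int)sizeof bi)
            continue;
        char line[64];
        format_row(line, sizeof line, (int)bi.pbi_pid, (int)bi.pbi_ppid);
        fputs(line, fp);
        rows++;
    }
    free(pids);
    return rows;
#else
    return -1;                              /* libproc is macOS-only */
#endif
}

int main(void) { return list_pid_ppid(stdout) < 0 ? 1 : 0; }
```

The binary carries no setuid bit, so exec-ing it does not trigger the forbidden-exec-sugid denial logged for /bin/ps.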
