Remote Debugging for Authorization Plugins

It would seem that SecurityAgent has some anti-debug protection in it now as I can't connect to the running instance with lldb.

Correct. In addition to the protection provided by SIP, it also calls PT_DENY_ATTACH (see the ptrace man page for more on that).

Any ideas?

Some thoughts:

• As a (primarily) network developer, I think it’s unfair to characterise logging as “caveman debugging”. There are a bunch of problems that can only be solved that way, especially problems that are only reproducible in the field. When plugging in to odd parts of the system I recommend that you spend some time making sure your logging is up to scratch for exactly that reason. If that helps with your day-to-day debugging, all the better.

• However, I recognise that there are some times when you want to just step through the code. I think it reasonable that macOS should support this for authorisation plug-ins, and I recommend you file a bug report along those lines.

  Please post your bug number, just for the record.

• When confronted with this problem my usual approach is to build infrastructure such that I can test (and hence debug) the vast majority of my code in a normal runtime environment. This means that I only have to worry about debugging the differences between the real environment and my test environment, a much more limited problem.

• In many cases logging is the right way to debug those differences. In the rare situations where it’s not, I created a nasty hack to get the debugger working. Alas, I can’t share that.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,

No offence intended with the debugging remark! It just feels akward to not be able to use the debugger. If I'm ever able to file a radar (Access to bug reporter is broken case: 100373047075) I'll be sure to post my numbers on the remote debugging back here.

Thanks,

Josh

Hey Quinn,

I filed two related radars:

38755732 (Xcode has no way to Debug Authorization Plug-ins)

38756363 (Xcode Doesn't Support Remote Debugging on macOS)

Thanks!

Josh

Someone pinged me about this during an Ask DTS session yesterday so I thought I’d post a quick update. In recent releases we’ve tweaked the security model of both macOS and authorisation plug-ins considerably. The good news is that this has improved the debugging story.

To debug a plug-in on 10.15 and later:

1. Set up a ‘victim’ machine. In some cases you may need to use real hardware, but in most cases you can get away with using a VM.

2. Disable System Integrity Protection (SIP).

   WARNING Disabling SIP reduces the security of your Mac. Do not disable SIP on a machine you use day-to-day. Rather, only disable SIP on a victim machine.

3. SSH into the victim machine.

4. Run LLDB as root:

    % sudo lldb
   

5. Attach to the process that’s hosting the plugin:

    (lldb) process attach -p 1729
   

It’s best to target the process using its process ID rather than name. It’s not uncommon for there to be multiple instances of the authorization plug-in host process running concurrently.

The process hosting your plug-in varies by plug-in configuration and OS version:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"