Use of /Library/PrivilegedHelperTools/

I was reviewing 3rd party application which puts a setuid executable in /Library/PrivilegedHelperTools


I'd assumed that the entire purpose of this folder was to avoid use of setuid, but the only documentation I can find on this folder is in comments in example code (SMJobBless & EvenBetterAuthorizationSample) and little official documentation.


Is there more formal documentation of what Apple were attempting to achieve with this folder and these changes (Launchd?) ?


The secure programming guide explains that setuid is deprecated for these purposes, but then explains how to use it, at best it can be said to be a little muddled. Documentation on daemon and agents don't explicitly mention this folder.


Although in fairness, I can see no reason at all why the software in question needs elevated privileges at all, but if I'm to query it, it would be nice to have clear, well written documentation from Apple to refer to.

Up vote post of simonfromexeter Down vote post of simonfromexeter
7.0k views
Posted by
simonfromexeter
Reply
Add a Comment

Replies

/Library/PrivilegedHelperTools
actually pre-dates 
SMJobBless
. It was originally defined by the BetterAuthorizationSample sample code, which you can find in the Retired Documents Library. As such, it’s fine to put non-SMJobBless tools there as long as you avoid naming conflicts.

If you download the BAS source code you’ll find a bunch of docs that explain the whole BAS project.

Having said that, setuid root is clearly a bad idea (especially given that 

SMJobBless
was added in 10.6!), as is unwarranted privilege escalation, so you’re well within your rights to query that with the software’s author.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment