hoakley February 15, 2020 Macs, Technology

Why privileged commands may never be allowed

Just over a month ago, I reported a strange and frustrating problem. I wanted to write a logarchive to external storage, but no matter what I tried, macOS wouldn’t allow it from AppleScript, although it was perfectly happy to do so using an identical command in Terminal. I think that I have now realised why.

logarchdemo2

Although almost all log commands work fine as an admin user, the particular command in question, log collect, requires root privileges. That’s a protection not for security or the potential for the outcome to have serious consequences, but primarily because making a portable copy of the log could affect the privacy of the user (despite the log’s already deep privacy protection). It would actually make more sense now to fall back on the privacy controls in macOS rather than requiring root privileges, as there’s no equivalent to sudo to obtain ‘elevated’ privacy settings.

Normally, an app triggering a request for access to removable storage would result in a consent dialog, unless the user had already established their intent to allow that. In this case, when run in Script Editor or from another app, macOS can’t see the calling app in its Attribution Chain, so giving Script Editor or anything else Full Disk Access doesn’t alter anything.

In those circumstances, one way to work around this is to add the command tool itself to the Full Disk Access list. But that doesn’t work here, as each user controls their own Privacy settings in the Security & Privacy pane, and has no access to those for the root user. So whatever your personal privacy settings might be, they seem to be ignored once you sudo a command to run it as root.

The exception to this appears to be in Terminal, which can sudo successfully and those commands run with root privileges appear to inherit Terminal’s privacy setttings. This may be cast into TCC’s privacy database, perhaps. But the same doesn’t apply to Script Editor: when it (or any app other than Terminal) tries to run a script with elevated privileges, access is determined not by the calling user’s privacy settings but by those set for the root user.

There’s no command line or script access to the settings in the Privacy tab of the Security & Privacy pane, other than to remove items from the access lists. So a command tool which is running as root can’t add itself to any of those lists, neither can the user, even with the benefit of root privileges. This makes it impossible for anyone outside Apple to investigate this further, or to consider any workaround short of creating a whole privileged helper app, which isn’t a viable alternative for an AppleScript user.

The irony is that root privileges are often required by commands in order to protect the privacy of users.

16Comments

Add yours

1

Joss on February 15, 2020 at 10:35 am

Two questions about possible workarounds, just off the top of my head.

Would it help to create the “hidden” macOS root user account, log into it, and add the command tool to the root user’s FDA? Maybe then it will work.

Would a command or shell script running as a global daemon work? (Those belong to root proper.) Then you could launchctl load/start the root daemon with sudo or administrator privileges in AppleScript. You could (in principle) even do that without elevated privileges by having the daemon watch a directory, and when creating a file in that directory (as non-root user), the daemon would start & read/parse the file & execute the log operations accordingly.

LikeLiked by 1 person
- 2
  
  hoakley on February 15, 2020 at 10:52 am
  
  Thank you – yes, those are excellent suggestions.
  The first may not work, as I don’t know how the root user behaves. It doesn’t solve my problem, because I call the command via an AppleScript in my apps Consolation and Ulbow. Telling every user to do this to enable saving to removable storage wouldn’t go down well!
  The second moves into privileged helper territory. That’s probably where I’ll have to go with those apps, which is a pain, but well-trodden ground. For someone writing their own scripts, I think it’s a non-starter in practice, I’m afraid, unless someone is prepared to develop a general-purpose tool for them.
  Howard.
  
  LikeLike
  - 3
    
    Joss on February 15, 2020 at 11:12 am
    
    Oh yes, if this is for distribution, you can’t make users perform that kind of stuff, like software developers asking their customers to disable SIP (case in point: cDock). That’s a no-go.
    
    Me personally, I always apply the global daemon approach locally. This *could* also work for distribution: just create the daemon + shell script + `launchctl load` from AppleScript with administrator privileges at first run, then afterwards during consecutive runs just execute `do shell script ‘launchctl start rev.domain.daemon’ with prompt “lorem ipsum” with administrator privileges` … or (if the daemon is polling for dir changes) just `do shell script ‘echo ‘ & theData & ‘> /foo/bar`. Still a bit clunky, though.
    
    But I agree with your final comment: I had always wished for some ObjC/Swift wizard to develop a “general purpose privileged helper” that will execute all commands you throw at it. Don’t know if that’s even possible, and if yes, how you would go about doing it. (And applying it in a real-world scenario.)
    
    LikeLiked by 1 person
4

Pico on February 15, 2020 at 6:09 pm

Here’s another workable (but not great) solution with AppleScript: tell application “Terminal” to do script “sudo ls”

Would just need to prompt the user to allow Terminal access and inform them of what command will be run and let them know they’ll need to type their password into Terminal.

Ugly and clunky, but functional and easy.

LikeLiked by 1 person
- 5
  
  hoakley on February 15, 2020 at 8:43 pm
  
  Thanks, Pico. That wouldn’t work with my apps, but could help someone with their own AppleScripts.
  Howard.
  
  LikeLike
6

Pico on February 16, 2020 at 10:03 pm

For some reason this issue has stuck with me, and I wanted to understand it better. In my experience, TCC privileges are properly associated with the parent processes when running commands that require “sudo” with “do shell script” within AppleScript applets, so it didn’t feel right that this issue would have to do with the correct user or process not having full disk access.

So, I tried running a series of commands to try to work around this and found an interesting clue…

My idea was to simply create the .logarchive locally and then copy it to an external drive using “do shell script” commands to rule out issues with the “log archive” command itself. I even ran “chown” on my .logarchive file so permissions weren’t an issue during the move or copy process. To my surprise, I continued to get failures when using the “mv” and “cp” commands to move the .logarchive to an external drive. The error that stood out was “cp: /Users/pico/Desktop/system_logs.logarchive: unable to copy extended attributes to /Volumes/EXTERNAL_DRIVE/system_logs.logarchive: Operation not permitted”. Using Xattred I could see that that the .logarchive file has that dang “com.apple.macl” attribute.

So, I think this may have something to do with macOS knowing that a “do shell script” command may not have been intentionally initiated by a human, so the “com.apple.macl” attribute/SIP (or whatever privacy mechanism is it) is blocking the action. Using “mv” or “cp” directly in Terminal does work though, because (I think) macOS is making the assumption that this action was intentionally initiated by a human.

There’s stuff going on here that I don’t have a solid grasp on, but this clue makes me think that the error is occurring on some different layer of privacy protection than simply an issue with full disk access or a process not being able to request access to external volumes. It feels like this is macOS intentionally blocking a known automation technique that could be used to access sensitive information without explicit user consent.

Armed with this new understanding, I tried moving the locally created .logarchive file to the external drive using AppleScript “tell application Finder to move” commands instead of “do shell script” commands… and it worked! I believe this makes sense with this rational because the user is able to explicitly allow the app to control Finder. On the other hand, it doesn’t make much sense that the “mv” or “cp” commands didn’t just bring up the “allow access files on a removable volume” prompt and then continue normally. Maybe the issue is that “com.apple.macl” is getting checked first and stopping the process before getting to the point to even offer the user to allow the action.

LikeLiked by 1 person
- 7
  
  Pico on February 16, 2020 at 10:30 pm
  
  I MADE A CRUCIAL MISTAKE IN MY TESTING AND ENDED UP OVERTHINKING THINGS…
  
  I think you are right about the administrator privileges conflicting with the access specific folder prompts.
  
  When I was trying stuff. I continued to try to do the “mv” command with administrator privileges even after changing ownership on the file.
  
  If I remove administrator privileges it can all work properly do shell script commands:
  
  do shell script “log collect –output ~/Desktop” with administrator privileges
  do shell script “chown -R pico ~/Desktop/system_logs.logarchive” with administrator privileges
  do shell script “mv ~/Desktop/system_logs.logarchive ‘/Volumes/EXTERNAL_DRIVE'”
  
  LikeLiked by 1 person
  - 8
    
    Pico on February 16, 2020 at 10:43 pm
    
    This can be done generically and more concisely with:
    
    do shell script “log collect –output $TMPDIR; chown -R $USER \”$TMPDIR\”system_logs.logarchive” with administrator privileges
    do shell script “mv \”$TMPDIR\”system_logs.logarchive ‘/Volumes/EXTERNAL_DRIVE'”
    
    The user is first prompted to give their admin password and after log collect is done, they are prompted allow external drive access.
    
    LikeLiked by 1 person
    - 9
      
      Pico on February 16, 2020 at 10:58 pm
      
      Clearly, I’m in over my head on some of this new permissions stuff, but this kind messing around helps understand it better for sure. Even if I do sometimes make a dumb mistake and go down the wrong path!
      
      Your initial findings can be shown by running:
      
      display dialog (do shell script “ls ~/Desktop”)
      display dialog (do shell script “ls ~/Desktop” with administrator privileges)
      
      During the first command, access to desktop is requested and then the contents are displayed.
      
      During the second command, admin access is requested and then an “Operation not permitted” error occurs.
      
      It does seem like this aught to be an issue with the root-level command not having the correct access because we know the app itself already has access to the Desktop.
      
      LikeLiked by 1 person
    - 10
      
      hoakley on February 16, 2020 at 11:47 pm
      
      Thank you, Pico, for your effort looking at this. I did look at the idea of saving the logarchive on the boot Data volume and then copying it across to the final destination, but as logarchives can easily get very large and this could all get messy, I realised that it wasn’t a good workaround after all.
      I don’t think the MACL xattr has any role in this, but is a sign of the folder protections coming into play. So far, all that I have seen of that xattr is that it enables and doesn’t forbid. The other thing is that if you use the command to write a logarchive straight to the removable volume, the xattr only exists once the enclosing folder has been created, so there’s no copying or moving involved. This is a straight kernel sandbox block based on the calling command tool not having access to removable volumes, and I’m fairly sure that arises because of the indirection in calling it: there doesn’t appear to be any Attribution Chain that TCC can follow to establish whether a parent process does have the entitlement to access removable volumes.
      As I wrote here, this is crazy for the log, as it already has privacy protection built into it, which censors so many messages and makes a great many devoid of any useful content. So ‘protecting’ the log in this way is completely misguided. But it does affect other AppleScript users, I gather, using other commands which need elevated privileges.
      Howard.
      
      LikeLike
    - 11
      
      Pico on February 17, 2020 at 12:55 am
      
      Continuing to want to understand how these things are run, I’ve found that calling sudo directly with a “do shell script” command works properly when passing the password to it with “echo ‘MY-ADMIN-PASSWORD’ | sudo -S MYCOMMAND”. With this style of command, “log collect” can write directly to an external drive and external drive access is requested normally. Of course, this information isn’t useful in consumer software, and not usable at all when running from a non-sudoer account.
      
      This make sense when watching Activity Monitor with “View > All Processes, Hierarchically”. We can see the process is being run by “kernel_task > launchd > MyApp (as my user) > bash (as my user) > sudo (as root) > log (as root)”. This shows that the log process can be traced back to MyApp under my user. To use your phrasing, in this case there is an Attribution Chain that TCC can follow to establish whether a parent process has the entitlement to access removable volumes.
      
      And watching Activity Monitor when using “do shell script with administrator privileges” shows that the “log” process appears to be run by “kernel_task > launchd > authtrampoline (as root) > log (as root)”. Which shows that basically the path back to MyApp as my user is lost. Using your phrasing again, there is no Attribution Chain that TCC can follow back to MyApp in this case.
      
      This all confirms your findings, just poking around to understand the process better.
      
      Some more interesting points are that this “authtrampoline” process seems to be able to WRITE files to at least my users Documents and Desktop folder without specifically requesting access first, but it fails to READ or WRITE on external drives. Also, I can READ the contents of specific files on Desktop or Documents but I getting the contents of these folders themselves with “ls ~/Desktop” or “ls ~/Documents” fail with “Operation not permitted”. This behavior makes it feel like intentional restrictions set by Apple.
      
      And for reference, authtrampoline is part of Security.framework and lives at “/System/Library/Frameworks/Security.framework/authtrampoline”.
      
      LikeLiked by 1 person
    - 12
      
      Pico on February 17, 2020 at 12:59 am
      
      PS. I think this capability of “authtrampoline” to write files to Desktop and Documents and read contents of files within these folders is why I initially thought that TCC stuff was being honored normally when using “with administrator privileges” in other cases that I have seen. In fact, it now appears that separate and special permissions of “authtrampoline” were being honored, not the permissions that my app had in the first place.
      
      LikeLiked by 1 person
  - 13
    
    Joss on February 17, 2020 at 1:11 am
    
    Though from a security standpoint it’s probably not wise to use `echo “$password” | sudo -S foo` in a script, whether osascript/AppleScript or clean shell script. That’s the good thing about AppleScript’s “with administrator privileges”. You can run elevated commands, and let macOS via AppleScript handle the escalation—more securely, I hope. But that solution is definitely not full root, as with sudo or a privileged helper; I assume it’s handled by Apple’s Security Framework, and that has some limitations. See e.g. also the Platypus documentation, s.v. “Special Options: Run with root privileges”: https://sveinbjorn.org/files/manpages/PlatypusDocumentation.html … seems to be similar.
    
    LikeLiked by 1 person
14

Joss on July 23, 2020 at 10:40 pm

I have now run into the problem when installing updates for a BitBar script: ‘do shell script “cp ~/Downloads/foo /usr/local/bin/foo” with administrator privileges’ does not work: operation not permitted. So now I have to use an admin password input AppleScript window, and then run the commands with ‘echo -n “$pass” | sudo -S’. Works fine, but in the end it’s a catastrophe. AppleScript running “with administrator privileges” was a really fine & secure way to perform these kind of operations. Apple just keeps messing up.

LikeLiked by 1 person
- 15
  
  hoakley on July 23, 2020 at 10:56 pm
  
  Thank you.
  I use that in a few apps, and one appears to have stopped working in Big Sur and returns an error, but the others still seem to return a normal result. Odd.
  Howard.
  
  LikeLike
  - 16
    
    Joss on July 24, 2020 at 9:27 am
    
    In my case, I’m now ditching /usr/local/bin as the location of the LaunchAgent’s executable, and will be using a non-default bin directory somewhere in the user’s home folder instead, possibly in ~/Library/Application Support/myTool/bin. Needs some additional sed/replace action, but at least no admin privileges. It’s crazy: /usr/local/bin is a default UNIX location, and Apple would like it to remain with default permissions & be writable only for admins, and if that’s the case, you would need privilege escalation with AppleScript to copy from somewhere in Downloads—but that’s TCC-controlled now—to /usr/local/bin. Apple apparently doesn’t care about these kind of use cases anymore. In their eyes everyone should make apps with Swift for the MAS, and if not there, then at least notarized, and be “real” developers developers developers. But a lot of functionality out there isn’t based on apps, but on scripts and little helper tools, agents etc., not least in an enterprise/corporate context. I don’t care about macOS userland bugs—in most cases there’s always a quick workaround—, but this I’m actually quite furious about.
    
    LikeLiked by 1 person

·Comments are closed.

Share this:

Related