Running an OSX Application with Low Privilege

Question

I have an OSX Application that I am working on. It is not sandboxed (it is an internal application that does things which prevent sandboxing).

At some point my application kicks off an auxiliary application, really just a command line application. I would like to be able to strip this application of being able to do anything except write files into the TMPDIR. I am trying to follow the principle of least privilege.

The current code I am using is:

NSTask* task = [NSTask new];
NSBundle* thisBundle = [NSBundle mainBundle];
[task setArguments:@[a, b, c]];
[task setLaunchPath:[thisBundle pathForAuxiliaryExecutable:@"MyProgram"]];
[task launch];

Is this possible with NSTask? If not, what mechanisms can I use to start MyProgram with very low privileges?

What version of OS X are you targeting? Things have gotten *much* easier in 10.8 for this kind of work. — Rob Napier, Sep 20 '12 at 13:54
@RobNapier I was aiming for 10.7; but I would be very interested in the answer for 10.8. Being an internal app only; targeting the masses is not really a concern. — vcsjones, Sep 20 '12 at 13:56

score 2 · Accepted Answer · answered Sep 20 '12 at 14:20

The best tool for this is called XPC. It was kind of weak in 10.7, but in 10.8 it's incredibly powerful. Its entire purpose is to let you segment your program this way, while making the IPC very easy. Some docs:

"Creating XPC Services" in Daemons and Services Programming Guide
NSXPCConnection
Cocoa Interprocess Communication With XPC (WWDC 2012 session)
Introducing XPC (WWDC 2011 session)
ObjectToXPC - 3rdparty library. I haven't played with it but it promises to do object marshaling in 10.7 (see below why object marshaling can be dangerous, though). You could also just use your own JSON protocol or the like.

One of the great changes for XPC in 10.8 is that they added NSSecureCoding. They modified the compiler to inject class information into protocol definitions so that object marshaling can be done more safely. This means that when you say that a ObjC protocol passes an NSString, they can actually check that the object is an NSString. (Before 10.8, there was no class information in the Protocol object. You could only check whether an argument should be "an object.")

Who cares? Well, say I hijack your low-privilege task and trick it into returning an NSSomethingElse rather than an NSString (maybe I just overwrite the isa pointer to modify its class). And let's say that NSSomethingElse has a length method that does something useful to me as the attacker. Now, when your high-privilege task calls [returnedValue length], it's going to run the wrong method. Alternately, maybe NSSomethingElse has no length method, so I can force the high-privelege task to throw a "does not implement selector" exception, which could be useful to me as well. With NSSecureCoding, this kind of attack is much harder. It can introspect the returned object, note that it isn't an NSString, and refuse to return it to the calling code.

Even without the niceties of NSXPCConnection, I recommend XPC for this kind of work if you're targeting 10.7+.

Running an OSX Application with Low Privilege

1 Answers1