File ownership in /Library/Caches and /Library/Logs

Question

Created Nov ’20

Replies 8

Boosts 1

Views 3.0k

Participants 2

I have an a macOS launch daemon running via a plist in /Library/LaunchDaemons. This process runs under a specific user id via the UID key, this user belongs to the group 'staff'.

This process creates a directory under /Library/Logs and /Library/Caches, these directories have the expected ownership of my_user:staff.

Any files the process creates in those directories have ownership root:staff. I'm not doing anything special when creating the files and I'm not specifying any specific permissions. Is this expected behaviour? Any if so why? Is it a result of these being system locations that can be purged by the OS?

I don't appear to have any issues writing to these files.

Thanks,

Gary.

Boost

Answer 1

DTS Engineer OP

Apple

Nov ’20

Is this expected behaviour?

It certainly seems weird. What version of macOS are you testing this on?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

gary_hughes OP

Nov ’20

10.15.7, I've also just checked 10.14.6 and 11.0.1 and they have the same behaviour.

0

Answer 3

gary_hughes OP

Nov ’20

10.15.7, I've also just checked 10.14.6 and 11.0.1 and they have the same behaviour.

0

Answer 4

DTS Engineer OP

Apple

Nov ’20

On a stock 10.15.7 machine /Library/Logs is only writable by root:

Code Block  % ls -ld /Library/Logs
drwxr-xr-x  5 root  wheel  160 Sep  7 12:28 /Library/Logs

If you’ve configured your launchd daemon to run as a role account (you said using the UID key but I presume you meant the UserName key because there’s no documented UID key), how can it create a directory there?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 5

gary_hughes OP

Nov ’20

UID is documented here https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/10000172i-SW7-105327

Specifically: Do not set the user or group ID for your daemon. Include the UserName, UID, GroupName, or GID keys in your daemon’s configuration property list instead.

Initially I used UserName and the installation of the software created a user using dscl however if I used this method and upgraded the OS it looks like it boots into single user mode where the directory service is not available and so the daemon goes into an error state and doesn't recover. Using UID avoids this problem. Creating the user with dscl doesn't create an entry in /etc/passwd so there is no fallback.

The directories under /Library/Logs and /Library/Cache are created by the software installation script that runs as root.

0

Answer 6

gary_hughes OP

Nov ’20

Sorry for being misleading about the directory creation, I'd forgotten they are created elsewhere. The daemon does create a sub directory under those roots though and it has the expected ownership. It's just files that get root ownership.

Gary.

0

Answer 7

DTS Engineer OP

Apple

Nov ’20

I'd forgotten they are created elsewhere.

OK, the reason why I asked about this is that I tried to set up a test for this here in my office and immediate bumped into a permission problem. I’d still like to run this test but it’s moving beyond what I can do in the time I have available to spend here on DevForums. If you’d like to open a DTS tech support incident, I’d be happy to pick this up in that context.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 8

gary_hughes OP

Nov ’20

Thanks Quinn, I think the UID is simply not working and this is the root of the issue. I'm going to start another thread on the UserName single user mode issue and go from there.

0