Run suid program (without privilege) in sandbox?

Is there a feature available to sandbox profiles that would allow a suid program (in this particular case, /bin/ps) to be exec-ed without privilege (with the uid of exec-ing process instead of uid of file owner.)

Currently, trying to launch gives error:

sandbox-exec: execvp() of '/bin/ps' failed: Operation not permitted

With logged message:

deny(1) forbidden-exec-sugid

If I make a copy of /bin/ps, thus removing the suid-bit, it does run ok in the sandbox. However, it would be more convenient if I could just tell the sandbox environment to allow the exec without elevating privilege.

Yes, I understand sandbox-exec has been DEPRECATED for quite a while, and the profile language is "Apple System Private Interface", but I thought I'd ask anyway. Thanks.

Replies

What are you trying to do with ps? In most cases it’s better to call the underlying API that it uses rather than puppetstrip the tool, and that’s particularly true when sandboxed. I’m happy to point you at the relevant API, but I need to know more about your end goal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thanks for the quick reply. The problem is that I'm not trying to do anything with ps, but cmake internally is doing a popen("ps axo pid,ppid") in Source/kwsys/ProcessUNIX.c to identify any children of a process it is about to kill, and to kill them first. Since this capability doesn't seem critical to cmake operation, I've worked around the need for ps by replacing it with a copy of /usr/bin/false for now.


but cmake internally is doing a popen("ps axo pid,ppid")

Well, that seems like a bit of a portability nightmare (-:

I've worked around the need for ps by replacing it with a copy of /usr/bin/false for now.

OK. If you wanted to fix this properly you could point cmake at a custom tool that returns that info using libproc.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
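The "custom tool using libproc" suggested above, written out as an added example; this is not code from the thread, from cmake, or from Apple. It is a small, non-setuid command-line program that prints the same two-column pid/ppid table that `ps axo pid,ppid` prints, so it can be substituted for ps without triggering the sandbox's forbidden-exec-sugid denial. On macOS it uses proc_listallpids() and proc_pidinfo(PROC_PIDTBSDINFO) from <libproc.h>; the /proc-based branch for Linux is an assumption added only so the same source builds and can be checked on a non-Apple host, and is not part of what the thread discusses. Whether a given sandbox profile also permits the proc_* calls themselves is a separate question from the setuid exec rule and is not settled by this example.

```c
/* pidppid.c: print "PID PPID" for every visible process, like `ps axo pid,ppid`.
 * Added example, not from the original thread. Build with: cc -o pidppid pidppid.c
 * Being an ordinary non-setuid binary, it is not subject to forbidden-exec-sugid. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#ifdef __APPLE__
#include <libproc.h>          /* proc_listallpids, proc_pidinfo */
#include <sys/proc_info.h>    /* struct proc_bsdinfo, PROC_PIDTBSDINFO */
#else
#include <ctype.h>
#include <dirent.h>           /* assumption: Linux /proc fallback for portability */
#endif

typedef struct { pid_t pid; pid_t ppid; } proc_entry;

/* Fill out[] with up to max (pid, ppid) pairs. Returns entries stored, or -1. */
int list_pid_ppid(proc_entry *out, int max) {
    int n = 0;
#ifdef __APPLE__
    /* With a NULL buffer, proc_listallpids() reports the byte size needed for
       the current process table; add slack for processes spawned in between. */
    int bytes = proc_listallpids(NULL, 0);
    if (bytes <= 0) return -1;
    bytes += 64 * (int)sizeof(pid_t);
    pid_t *pids = malloc((size_t)bytes);
    if (!pids) return -1;
    int got = proc_listallpids(pids, bytes);       /* returns bytes written */
    if (got <= 0) { free(pids); return -1; }
    int count = got / (int)sizeof(pid_t);
    for (int i = 0; i < count && n < max; i++) {
        struct proc_bsdinfo info;
        if (pids[i] == 0) continue;                /* kernel_task placeholder */
        /* PROC_PIDTBSDINFO returns the BSD view of the process, including its
           parent pid; a short return means it exited or is not visible to us. */
        if (proc_pidinfo(pids[i], PROC_PIDTBSDINFO, 0, &info, sizeof info)
                != (int)sizeof info)
            continue;
        out[n].pid = pids[i];
        out[n].ppid = (pid_t)info.pbi_ppid;
        n++;
    }
    free(pids);
#else
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        char path[300];
        snprintf(path, sizeof path, "/proc/%s/stat", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        char line[512];
        char *ok = fgets(line, sizeof line, f);
        fclose(f);
        if (!ok) continue;
        /* /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain
           spaces or parentheses, so parse from the last ')' rather than the start. */
        char *rp = strrchr(line, ')');
        if (!rp) continue;
        char state; int ppid;
        if (sscanf(rp + 1, " %c %d", &state, &ppid) != 2) continue;
        out[n].pid = (pid_t)atoi(e->d_name);
        out[n].ppid = (pid_t)ppid;
        n++;
    }
    closedir(d);
#endif
    return n;
}

/* Parent pid of `pid` from a listing, or -1 if not present. */
pid_t find_ppid(const proc_entry *list, int n, pid_t pid) {
    for (int i = 0; i < n; i++)
        if (list[i].pid == pid) return list[i].ppid;
    return -1;
}

/* Sanity check usable from a test: the listing must report our own parent
   correctly. Returns 1 on success, 0 on any mismatch or error. */
int self_check(void) {
    int cap = 65536;
    proc_entry *t = malloc((size_t)cap * sizeof *t);
    if (!t) return 0;
    int n = list_pid_ppid(t, cap);
    int ok = (n > 0) && (find_ppid(t, n, getpid()) == getppid());
    free(t);
    return ok;
}

int main(void) {
    static proc_entry table[65536];
    int n = list_pid_ppid(table, 65536);
    if (n < 0) { perror("list_pid_ppid"); return 1; }
    printf("  PID  PPID\n");                      /* same header shape as ps */
    for (int i = 0; i < n; i++)
        printf("%5d %5d\n", (int)table[i].pid, (int)table[i].ppid);
    return 0;
}
```

To use it in the cmake scenario, build it unprivileged and put it on PATH ahead of /bin/ps under the name the popen() call expects (or patch the command string in ProcessUNIX.c), so the child-process lookup gets real data instead of the empty output from /usr/bin/false. Only the pid and ppid columns are produced, which is exactly what that call asks ps for.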