Thanks, Brandon. You have given me some leads I can get my teeth into … or google. And you dated me pretty accurately re SVR4. I knew quite a bit about UNIX before that, but System V Release 4 was my first "hands-on" experience --- 1989-1998, with H-P, Sun, Prime and ICL. Cheers, Ian W.
On 18/03/2014, at 12:36 PM, Brandon Allbery wrote:

> On Mon, Mar 17, 2014 at 8:50 PM, Ian Wadham <[email protected]> wrote:
>
> > 1. The check seems to be to prevent a program from starting a
> > foreign process that could compromise the O/S (e.g. spyware?).
> > In the long term, should MacPorts be recommending bypassing it
> > with the -p and -s options? I presume this is what MacPorts is doing.
>
> I get the impression -s is needed if you want to attach to processes with a
> debugger or dtrace; as such it is appropriate for development systems.
>
> > 2. This is off-topic but I hope someone can help. Here is what
> > "man taskgated" says.
> >
> >      -p   Accepts the old (Tiger) convention that a process with a primary
> >           effective group of procmod or procview is allowed to get task
> >           ports. Without this option, this legacy mode is not supported.
> >
> >      -s   Allow signed applications marked as "safe" to have free access
> >           to task ports, without having to pass an authorization check.
> >           Note that such callers must be marked both allowed and safe.
> >
> > Although I used to be a UNIX "guru"/sysadmin in a former life, I do
> > not understand much of the language used here, specifically
> > "effective group of procmod or procview", "signed applications",
> > "marked as "safe"" and "marked both allowed and safe".
>
> "procmod" and "procview" are groups (/etc/groups on Unix, `dscl . list
> Groups` on OS X). The primary effective group ID is Apple saying "must be the
> egid, not just in the group vector". (If your "former life" was long enough
> ago to be pre-SVR4, you might not know about group vectors; they're from BSD.
> In short, you have not only a primary group affiliation in your egid but an
> additional vector of groups of which you are a member; you can switch the
> egid between any of the groups in your group vector without requiring
> elevated permissions. Only root can set the group vector, just as only root
> can change to an arbitrary gid. Files are created with the primary egid, but
> file group access checking checks egid and the group vector.)
>
> The others are Apple-isms; applications can be signed with an X.509
> certificate. I'll leave the rest to someone who knows more about the specific
> details of Apple's code signing. `man codesign` might be somewhat
> enlightening, or might not.
>
> > The Console log message I keep getting is:
> > 17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make
> > code: host has no guest with the requested attributes)
>
> Again related to code signing; apparently that's taskgated-ese for "I
> couldn't find the kind of code signature I was looking for".

_______________________________________________
macports-users mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-users
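The point in Brandon's reply that "file group access checking checks egid and the group vector", as an added example written for this page and not part of the thread: a C implementation of the classic POSIX mode-bit check, first as a pure function over constructed credentials and then as a live check for the calling process using stat(2) and getgroups(2). The sample credentials (uid 1000, egid 1000, supplementary groups 20 and 27) are constructed for the demo; the root-override rule in process_may_access assumes Linux CAP_DAC_OVERRIDE semantics and is an assumption, not something the thread states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define R_BIT 4
#define W_BIT 2
#define X_BIT 1

/* The credentials the kernel consults for a mode-bit check: effective uid,
 * effective gid, and the supplementary group vector (getgroups(2)). */
struct creds {
    uid_t euid;
    gid_t egid;
    const gid_t *groups;
    int ngroups;
};

/* Constructed sample credentials for the demo (not taken from any real
 * system): uid 1000 whose egid is 1000 and whose vector also holds 20 and 27. */
static const gid_t sample_groups[] = { 1000, 20, 27 };
const struct creds sample_creds = { 1000, 1000, sample_groups, 3 };

/* A file's gid counts as "ours" if it is the egid or appears anywhere in the
 * group vector; this is the "egid and the group vector" check. */
static int gid_matches(const struct creds *c, gid_t gid)
{
    if (gid == c->egid)
        return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* Classic POSIX mode-bit check without ACLs or root override. Exactly one
 * class is selected, in order: owner if euid matches, else group if the
 * file's gid matches the egid or the group vector, else other. The classes
 * do not fall through: an owner denied by the owner bits stays denied even
 * when the group or other bits would have allowed the access.
 * 'want' is a mask of R_BIT / W_BIT / X_BIT; returns 1 if all bits granted. */
int mode_allows(const struct creds *c, uid_t file_uid, gid_t file_gid,
                mode_t file_mode, int want)
{
    int bits;
    if (c->euid == file_uid)
        bits = (file_mode >> 6) & 7;   /* owner class */
    else if (gid_matches(c, file_gid))
        bits = (file_mode >> 3) & 7;   /* group class */
    else
        bits = file_mode & 7;          /* other class */
    return (bits & want) == want;
}

/* Live version for the calling process: 1 allowed, 0 denied, -1 on error.
 * Assumption (Linux CAP_DAC_OVERRIDE semantics): euid 0 gets read/write
 * regardless of mode bits, and execute/search only when the target is a
 * directory or has at least one execute bit set. */
int process_may_access(const char *path, int want)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (geteuid() == 0)
        return (!(want & X_BIT) || S_ISDIR(st.st_mode) || (st.st_mode & 0111)) ? 1 : 0;
    int n = getgroups(0, NULL);            /* size of our group vector */
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (!groups)
        return -1;
    if (getgroups(n, groups) < 0) {
        free(groups);
        return -1;
    }
    struct creds c = { geteuid(), getegid(), groups, n };
    int ok = mode_allows(&c, st.st_uid, st.st_gid, st.st_mode, want);
    free(groups);
    return ok;
}

int main(void)
{
    const struct creds *c = &sample_creds;
    printf("own file 0640, read:       %d\n", mode_allows(c, 1000, 1000, 0640, R_BIT));
    printf("root:27 file 0640, read:   %d (group class via the vector)\n", mode_allows(c, 0, 27, 0640, R_BIT));
    printf("root:27 file 0640, write:  %d\n", mode_allows(c, 0, 27, 0640, W_BIT));
    printf("root:99 file 0604, read:   %d (other class)\n", mode_allows(c, 0, 99, 0604, R_BIT));
    printf("root:20 file 0604, read:   %d (group class selected, bits are 0)\n", mode_allows(c, 0, 20, 0604, R_BIT));
    printf("own file 0070, read:       %d (owner class selected, bits are 0)\n", mode_allows(c, 1000, 20, 0070, R_BIT));
    printf("this process may search /: %d\n", process_may_access("/", X_BIT));
    return 0;
}
```

The two "bits are 0" cases are the ones worth remembering when reasoning about least privilege: membership in the file's group (via egid or the vector) selects the group class, it does not add the group bits on top of whatever the other class would have granted, so a mode like 0604 hides a file from its group while leaving it world-readable, and 0070 locks out the owner.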
