
macOS Full Disk Access no longer works as described in installation documentation #2413

Open
huckabeec opened this issue Oct 31, 2023 · 3 comments
Labels: bug (Something isn't working), triaged (Jira issue has been created for this)

Comments

@huckabeec

huckabeec commented Oct 31, 2023

Describe the Bug

For reference: https://www.youtube.com/watch?v=DcrfCGqqjkA

Video link is how Munki solved this issue.

Full Disk Access (FDA) changed somewhere in macOS 12 and up so that the FDA is not inherited as in previous versions. So, if we use the current Puppet agent instructions for macOS, we would assign FDA to the Puppet wrapper script. However, that script calls /bin/sh immediately, which does not inherit FDA, so Puppet is unable to update files. We don't want to grant /bin/sh FDA as that would open a huge security hole.

This also affects the LaunchDaemon which starts up the same wrapper script so it is also unable to perform updates.

As described in the video, a signed binary executable can be used to fix this - the video explains why much better than I can here.

See also https://www.qt.io/blog/the-curious-case-of-the-responsible-process

Asking for Puppet to produce a similar signed binary for the macOS installer.

Expected Behavior

Expected that FDA granted to Puppet would allow it to manage the system; however, this is no longer the case in macOS 12 and newer.

Steps to Reproduce

# ps -ef |grep puppet |grep -v grep
    0   143     1   0 Mon12PM ??         0:06.12 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --verbose --no-daemonize --logdest console
# sudo launchctl procinfo 143 | grep responsible
responsible pid = 143
responsible unique pid = 143
responsible path = /bin/sh  <<< That doesn't have FDA

Environment

macOS 12 or newer
Puppet 7.24

@huckabeec huckabeec added the bug Something isn't working label Oct 31, 2023
@joshcooper joshcooper added the triaged Jira issue has been created for this label Nov 2, 2023

github-actions bot commented Nov 2, 2023

Migrated issue to PA-5930

@huckabeec (Author)

While I'm glad somebody is looking at this I was hoping to follow along on the progress; not being able to access the JIRA queue to see progress is sorta frustrating.

@huckabeec (Author)

For what it is worth, I took the shim code from Munki and edited it to work for Puppet, replacing "/opt/puppetlabs/bin/puppet" with the code-signed binary, which starts up /opt/puppetlabs/puppet/bin/puppet after becoming the "responsible process". Works so far, although this would be cleaner with a binary signed by Puppet, Inc.
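The shim the issue body and the comment above describe, as an added example that is neither Puppet's code nor Munki's shim. It rests on the behaviour the thread and the linked Qt post describe: TCC attributes file access to the "responsible process", children inherit that responsibility (which is why ruby above reports responsible path = /bin/sh), and the responsible process of a launchd job is the job's first process. A code-signed binary that spawns puppet as a child and waits therefore stays the responsible process, and puppet's access is judged against the shim's FDA grant. The puppet command line mirrors the ps output above; the shim's name, its build/signing commands and its LaunchDaemon wiring are assumptions for illustration.

```c
/*
 * puppet-fda-shim.c (hypothetical name): keep a signed binary as the TCC
 * "responsible process" for the Puppet agent it launches.
 *
 * Assumed build and signing (placeholder identity):
 *   clang -Wall -o puppet-fda-shim puppet-fda-shim.c
 *   codesign --options runtime -s "Developer ID Application: ..." puppet-fda-shim
 */
#include <errno.h>
#include <signal.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Pid of the child we are responsible for. launchd stops a job with SIGTERM,
 * so that signal (and SIGINT for interactive use) is forwarded to puppet. */
static volatile pid_t g_child = 0;

static void forward_signal(int sig) {
    if (g_child > 0)
        kill(g_child, sig);
}

/*
 * Spawn argv[0] as a child and wait for it. Deliberately posix_spawn, never
 * exec: an exec would replace this process image, and TCC would then evaluate
 * the new executable (ruby) instead of the signed shim. Returns the child's
 * exit status, 128+signal if it was killed, or -1 if it could not be spawned.
 */
int run_as_responsible_parent(char *const argv[]) {
    pid_t pid;
    int status;

    signal(SIGTERM, forward_signal);
    signal(SIGINT, forward_signal);

    int rc = posix_spawn(&pid, argv[0], NULL, NULL, argv, environ);
    if (rc != 0) {
        fprintf(stderr, "shim: posix_spawn(%s): %s\n", argv[0], strerror(rc));
        return -1;
    }
    g_child = pid;
    /* waitpid is interrupted by the forwarded signals; retry until the child is reaped. */
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    g_child = 0;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

int main(int argc, char **argv) {
    (void)argc;
    (void)argv;
    /* Same invocation as the agent process seen in the ps output of the issue. */
    char *const puppet_argv[] = {
        "/opt/puppetlabs/puppet/bin/ruby",
        "/opt/puppetlabs/puppet/bin/puppet",
        "agent", "--verbose", "--no-daemonize", "--logdest", "console",
        NULL
    };
    int code = run_as_responsible_parent(puppet_argv);
    return code < 0 ? 1 : code;
}
```

To use it (again an assumption, not Puppet's documented procedure), point the LaunchDaemon's ProgramArguments at the signed shim instead of the wrapper script, and grant FDA to the shim rather than to the script or to /bin/sh. The check is the same one the issue uses: with the agent running, `sudo launchctl procinfo <ruby pid> | grep responsible` should now report the shim's path as the responsible path. Note that the shim only works for processes it starts itself; anything Puppet spawns that disclaims responsibility (the mechanism the Qt post discusses) becomes its own responsible process and needs its own grant.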
