taskgated: no signature

Brandon Allbery allbery.b at gmail.com
Mon Mar 17 18:36:10 PDT 2014


On Mon, Mar 17, 2014 at 8:50 PM, Ian Wadham <iandw.au at gmail.com> wrote:

> 1. The check seems to be to prevent a program from starting a
>     foreign process that could compromise the O/S (e.g. spyware?).
>     In the long term, should MacPorts be recomending bypassing it
>     with the -p and -s options?  I presume this is what MacPorts is doing.
>

I get the impression -s is needed if you want to attach to processes with a
debugger or dtrace; as such it is appropriate for development systems.

2. This is off-topic but I hope someone can help.  Here is what
>      "man taskgated" says.
>
>      -p       Accepts the old (Tiger) convention that a process with a pri-
>               mary effective group of procmod or procview is allowed to get
>               task ports. Without this option, this legacy mode is not sup-
>               ported.
>
>      -s       Allow signed applications marked as "safe" to have free
>               access to task ports, without having to pass an authorization
>               check. Note that such callers must be marked both allowed and
>               safe.
>
>     Although I used to be a UNIX "guru"/sysadmin in a former life, I do
>     not understand much of the language used here, specifically
>     "effective group of procmod or procview", "signed applications",
>     "marked as "safe"" and "marked both allowed and safe".
>

"procmod" and "procview" are groups (/etc/groups on Unix, `dscl . list
Groups` on OS X). The primary effective group ID is Apple saying "must be
the egid, not just in the group vector". (If your "former life" was long
enough ago to be pre-SVR4, you might not know about group vectors; they're
from BSD. In short, you have not only a primary group affiliation in your
egid but an additional vector of groups of which you are a member; you can
switch the egid between any of the groups in your group vector without
requiring elevated permissions. Only root can set the group vector, just as
only root can change to an arbitrary gid. Files are created with the
primary egid, but file group access checking checks egid and the group
vector.)

The others are Apple-isms; applications can be signed with an X.509
certificate. I'll leave the rest to someone who knows more about the
specific details of Apple's code signing. `man codesign` might be somewhat
enlightening, or might not.

The Console log message I keep getting is:
> 17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make
> code: host has no guest with the requested attributes)
>

Again related to code signing; apparently that's taskgated-ese for "I
couldn't find the kind of code signature I was looking for".

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/macports-users/attachments/20140317/3751634b/attachment.html>


More information about the macports-users mailing list