[lldb-dev] Building and signing debugserver

Richard Mitton richard at codersnotes.com
Fri Aug 9 13:00:10 PDT 2013


Thanks,

For what it's worth, I had 'sudo DevToolsSecurity -enable' enabled from 
the ssh window, but it still would not work.

setuid on the debugserver binary seems to be working well for me, and 
looks like the safest route for now.

Richard Mitton
richard at codersnotes.com

On 08/09/2013 12:51 PM, Greg Clayton wrote:
> On Aug 6, 2013, at 3:45 PM, Richard Mitton <richard at codersnotes.com> wrote:
>
>> Right, I'm just trying to understand how Apple's works without such things.
> Because the debugserver binary is code signed by Apple in Xcode releases.
>> Or actually, does it? I just tried sshing using the stock lldb/debugserver, and that doesn't work either.
> You still do have to authorize debugging. If you are logged into your machine, you will do this via a dialog box, otherwise you can do it via the command line:
>
> sudo DevToolsSecurity -enable
>
> I would avoid editing the “/etc/authorization” if you can avoid it as it will open security holes on your machine.
>
> Greg
>
>> Well I guess that answers that...  :)
>>
>> Richard Mitton
>>
>> richard at codersnotes.com
>> On 08/06/2013 03:29 PM, Benjamin Kemper wrote:
>>> To permanently allow, edit "/etc/authorization" and change the value of the "system.privilege.taskport" key to "allow" (if I remember correctly). Be careful though, as this will allow any program on the system to use task_for_pid. I think you can further play with this to allow only a specific user or group but I haven't tried it yet.
>>>
>>> To allow the use of task_for_pid only for the current SSH session use:
>>> security authorize -l -c system.privilege.taskport
>>>
>>>
>>> On Wed, Aug 7, 2013 at 1:23 AM, Richard Mitton <richard at codersnotes.com> wrote:
>>> Hi all,
>>>
>>> So I'm trying to build debugserver for OS X. I followed all the steps in code_signing.txt and was able to get a debugserver binary.
>>>
>>> When I run lldb using this binary, I get a dialog asking for 'Developer Tools Access' in order to run it. If I enter my password this works fine. (although I'm not sure if it sticks over a reboot)
>>>
>>> -However- if I try and SSH into this machine and run it from there, it fails ("initial process state wasn't stopped"). I believe this is because the permissions dialog only applies to the current session, so the SSH shell doesn't inherit it (and can't open a GUI to ask me).
>>>
>>> So, what is the process needed to permanently grant permissions for the debugserver binary? I can make it work by changing the owner of the file to root/wheel and setting the setuid bit, but I'm not sure if this is the right solution.
>>>
>>> -- 
>>> Richard Mitton
>>> richard at codersnotes.com
>>>
>>> _______________________________________________
>>> lldb-dev mailing list
>>> lldb-dev at cs.uiuc.edu
>>> http://lists.cs.uiuc.edu/mailman/listinfo/lldb-dev
>>>
>>>
>>>
>>> -- 
>>> Benjamin.
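An audit sketch for the two persistent workarounds mentioned in this thread (a setuid debugserver, and the "system.privilege.taskport" right set to "allow"). It is an added example, not code from the thread or from the lldb project. It assumes the authorization file is a plist whose top-level "rights" dictionary holds one entry per right with a "class" key; the sample plists are constructed, and the paths passed on the command line are up to the reader.

```python
import os
import plistlib
import stat
import sys

TASKPORT_RIGHT = "system.privilege.taskport"

def audit_binary(path):
    """Report a debugserver binary that gains privileges through the setuid bit."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_ISUID:
        owner = "root" if st.st_uid == 0 else "uid %d" % st.st_uid
        findings.append("%s: setuid bit set, runs as %s" % (path, owner))
        # A setuid binary that others can overwrite is a direct escalation path.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s: setuid binary is group/world writable" % path)
    return findings

def audit_taskport(plist_bytes):
    """Report a taskport right that no longer asks for authorization."""
    db = plistlib.loads(plist_bytes)
    right = db.get("rights", {}).get(TASKPORT_RIGHT)  # assumed layout
    if right is None:
        return ["%s: right not found" % TASKPORT_RIGHT]
    if right.get("class") == "allow":
        return ["%s: class is 'allow', any program may use task_for_pid"
                % TASKPORT_RIGHT]
    return []

# Constructed samples, not copied from a real machine.
SAMPLE_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>rights</key><dict>
<key>system.privilege.taskport</key>
<dict><key>class</key><string>allow</string></dict>
</dict></dict></plist>"""
SAMPLE_USER = SAMPLE_ALLOW.replace(b"<string>allow<", b"<string>user<")

if __name__ == "__main__":
    # Usage: python audit.py <debugserver path> <authorization plist path>
    results = audit_binary(sys.argv[1])
    with open(sys.argv[2], "rb") as fh:
        results += audit_taskport(fh.read())
    print("\n".join(results) or "no findings")
```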




