Sample use case

[jeff-h]

Continuing on from #22 (comment) ...

Sorry for going off-topic, but I just wanted to thank you both for your work on this.

Thanks for the kind words! If you have any feedback or questions, don't hesitate to open discussion or topic issues.

I'm hoping to migrate my XPC code to use SecureXPC and really appreciate the effort going into this. I think a lot of people will benefit from this work over time — it's really needed.

If you don't mind me asking, what is your use case for XPC? Always good to understand the diverse ways it's being used to make sure we're considering that as SecureXPC evolves.

My macOS app needs a helper tool to run a bunch of stuff as root — fairly typical stuff I would imagine. I really like your client/server design metaphor particularly the idea of defining routes. I also started to view things this way but only after having written most of my XPC communication code, so it was too late to really integrate the idea.

One area of significant trepidation for me was security — I read lots about this and it was a steep learning curve. It really felt like Apple should be improving their frameworks around all this, or at the very least providing a good solid demo app. As you would know their sample code in this area is ancient and actually insecure (I believe). And given that the accepted wisdom is to never write your own security implementation, there's another reason a package like this, with many more eyes on it, is invaluable.

SO, I was pretty excited when I found your project — in addition to the good work shared by others I believe this will provide a really solid and secure foundation for developers who need it. Actually I don't think it's hyperbolic to say this is likely to measurably increase the quality/security of mac apps (I don't do much iOS right now so I don't really know if it's useful there).

[jakaplan]

My macOS app needs a helper tool to run a bunch of stuff as root — fairly typical stuff I would imagine.

Makes sense. Thanks for explaining your use case.

So you're using a helper tool installed with SMJobBless? If so you might also find the Blessed framework helpful. (And less likely you may find EmbeddedPropertyList useful as well because it'll let your app inspect your helper tool binary without attempting to communicate with it.)

It really felt like Apple should be improving their frameworks around all this, or at the very least providing a good solid demo app. As you would know their sample code in this area is ancient and actually insecure (I believe).

Sadly you're correct. Apple's sample code has known security vulnerabilities. I find it quite irresponsible of them.

I don't do much iOS right now so I don't really know if it's useful there

XPC is quite limited on iOS (and actually the C API used under the hood by SecureXPC is unavailable on iOS). Apple doesn't allow any 3rd party code to run as root on iOS nor can arbitrary apps communicate with one another. See this Developer Forums discussion for a short explanation.

[jeff-h]

Yeah, the helper is installed with SMJobBless. I have already eyeballed your other repositories with interest :) I do have everything XPC-helper-related all up & running in my app already, but am eager to replace much of it with this code in the future, and at that point will have another careful look at those other two frameworks, and probably implement Blessed as well at that point.

As mentioned, my code is all working, but my overarching sense from building my privileged helper is that whilst it's perfectly solid, the communication channel also sometimes feels brittle and was (and is) hard to debug. Actually, on that topic I am eager to try the "anonymous XPC connection" method mentioned in #22 — would you consider exposing that in some form as a developer-facing feature of SecureXPC?

[jakaplan]

Actually, on that topic I am eager to try the "anonymous XPC connection" method mentioned in #22 — would you consider exposing that in some form as a developer-facing feature of SecureXPC?

What would you want to use an anonymous connection for?

[jeff-h]

If I understand it correctly, I'd be able to debug the privileged helper code without having to attach Xcode to a separate process every time.

So I was wondering if there could be some super-easy way to toggle it on when working on the actual business logic of the privileged helper (which obviously wouldn't be privileged under such conditions).

[jakaplan]

Haven't given it sufficient consideration yet. My initial thoughts are it'd be challenging to expose this functionality without people getting confused by it and accidentally using it instead of what they actually needed.

[jakaplan]

Actually, on that topic I am eager to try the "anonymous XPC connection" method mentioned in #22 — would you consider exposing that in some form as a developer-facing feature of SecureXPC?

@jeff-h v0.3.0 was released a few hours ago and added support for anonymous connections. The documentation for XPCServer and XPCClient provide some additional information on how to make use of them.