authorMike Dodge <mikedodge04@gmail.com>2017-08-25 18:19:23 -0700
committerMike Dodge <mikedodge04@gmail.com>2017-08-25 18:19:52 -0700
commitefac241ff964cf3d98e956f02d32ca3a3426444e (patch)
treeafd9417090500d2f51875fb0816c41ab070fbe95
parentf1df2bd9bccfc0bbe82777fff42b9788fdf36706 (diff)
Launchd should not load launchagents as root. #5846
The Launchd resource will load launchagents as root when the mac is sitting on the login window. This is never a desired outcome and is hard to recover from. This change will now check whether a user is logged in before loading launchagents. Signed-off-by: Mike Dodge <mikedodge04@gmail.com>
-rw-r--r--lib/chef/provider/launchd.rb24
-rw-r--r--lib/chef/provider/service/macosx.rb7
2 files changed, 28 insertions, 3 deletions
diff --git a/lib/chef/provider/launchd.rb b/lib/chef/provider/launchd.rb
index a58954c707..8281410d42 100644
--- a/lib/chef/provider/launchd.rb
+++ b/lib/chef/provider/launchd.rb
@@ -85,7 +85,12 @@ class Chef
manage_service(:disable)
end
+ def action_restart
+ manage_service(:restart)
+ end
+
def manage_plist(action)
+ return unless manage_agent?(action)
if source
res = cookbook_file_resource
else
@@ -97,11 +102,30 @@ class Chef
end
def manage_service(action)
+ return unless manage_agent?(action)
res = service_resource
res.run_action(action)
new_resource.updated_by_last_action(true) if res.updated?
end
+ def manage_agent?(action)
+ # Gets UID of console_user and converts to string.
+ console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name
+ root = console_user == "root"
+ agent = type == "agent"
+ invalid_action = [:delete, :disable, :enable, :restart].include?(action)
+ lltstype = ""
+ if new_resource.limit_load_to_session_type
+ lltstype = new_resource.limit_load_to_session_type
+ end
+ invalid_type = lltstype != "LoginWindow"
+ if root && agent && invalid_action && invalid_type
+ Chef::Log.debug("#{label}: Aqua LaunchAgents shouldn't be loaded as root")
+ return false
+ end
+ true
+ end
+
def service_resource
res = Chef::Resource::MacosxService.new(label, run_context)
res.name(label) if label
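Review bot: `invalid_type = lltstype != "LoginWindow"` in manage_agent? only matches a String value; if limit_load_to_session_type may also be given as an Array (the launchd resource seems to accept both forms, though this page does not show its definition), an agent declared with `["LoginWindow"]` is treated as an Aqua agent and silently skipped at the login window. A form that handles either shape, `invalid_type = !Array(new_resource.limit_load_to_session_type).include?("LoginWindow")`, also makes the `lltstype` temporary and its `if` block unnecessary. The name `invalid_action` misleads slightly too, since with `:delete` the early return added to manage_plist skips removing the plist file while the debug message speaks only of loading; a comment above the check such as `# At the login window /dev/console is owned by root; refuse to load, unload or restart an Aqua agent in the root session` would make the intent explicit. `Etc.getpwuid` raises ArgumentError for an unknown uid and `::File.stat` raises if /dev/console is absent, neither handled here — worth confirming that callers outside this hunk expect that.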
diff --git a/lib/chef/provider/service/macosx.rb b/lib/chef/provider/service/macosx.rb
index 4056b72649..9dc7b81a29 100644
--- a/lib/chef/provider/service/macosx.rb
+++ b/lib/chef/provider/service/macosx.rb
@@ -52,17 +52,18 @@ class Chef
@plist_size = 0
@plist = @new_resource.plist ? @new_resource.plist : find_service_plist
@service_label = find_service_label
- # LauchAgents should be loaded as the console user.
+ # LaunchAgents should be loaded as the console user.
@console_user = @plist ? @plist.include?("LaunchAgents") : false
@session_type = @new_resource.session_type
if @console_user
- @console_user = Etc.getlogin
+ @console_user = Etc.getpwuid(::File.stat("/dev/console").uid).name
Chef::Log.debug("#{new_resource} console_user: '#{@console_user}'")
cmd = "su "
param = this_version_or_newer?("10.10") ? "" : "-l "
+ param = "-l " if this_version_or_newer?("10.12")
@base_user_cmd = cmd + param + "#{@console_user} -c"
- # Default LauchAgent session should be Aqua
+ # Default LaunchAgent session should be Aqua
@session_type = "Aqua" if @session_type.nil?
end