Uploading Privileges 1.5.4 source code

Uploading Privileges 1.5.4 source code, which includes security updates to address CVE-2023-40307.
SAP · Sep 11, 2023 · 429e873 · 429e873
1 parent 5ab148e
commit 429e873
Show file tree

Hide file tree

Showing 40 changed files with 146 additions and 123 deletions.
diff --git a/source/Constants.h b/source/Constants.h
@@ -1,6 +1,6 @@
 /*
  Constants.h
- Copyright 2022 SAP SE
+ Copyright 2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
@@ -15,28 +15,28 @@
  limitations under the License.
  */
 
-#define kMTAdminGroupID                 80
-#define kMTDockTimeoutDefault           20
-#define kMTReasonMinLengthDefault       10
-#define kMTReasonMaxLengthDefault       100
-#define kMTFixedTimeoutValues           @[@0, @5, @10, @20, @60]
+#define kMTAdminGroupID                     80
+#define kMTDockTimeoutDefault               20
+#define kMTReasonMinLengthDefault           10
+#define kMTReasonMaxLengthDefault           100
+#define kMTFixedTimeoutValues               @[@0, @5, @10, @20, @60]
 
-#define kMTDefaultsToggleTimeout        @"DockToggleTimeout"
-#define kMTDefaultsToggleMaxTimeout     @"DockToggleMaxTimeout"
-#define kMTDefaultsEnforcePrivileges    @"EnforcePrivileges"
-#define kMTDefaultsAuthRequired         @"RequireAuthentication"
-#define kMTDefaultsLimitToUser          @"LimitToUser"
-#define kMTDefaultsLimitToGroup         @"LimitToGroup"
-#define kMTDefaultsRequireReason        @"ReasonRequired"
-#define kMTDefaultsReasonMinLength      @"ReasonMinLength"
-#define kMTDefaultsReasonMaxLength      @"ReasonMaxLength"
-#define kMTDefaultsReasonPresets        @"ReasonPresetList"
-#define kMTDefaultsRemoteLogging        @"RemoteLogging"
-#define kMTDefaultsRLServerType         @"ServerType"
-#define kMTDefaultsRLServerAddress      @"ServerAddress"
-#define kMTDefaultsRLServerPort         @"ServerPort"
-#define kMTDefaultsRLEnableTCP          @"EnableTCP"
-#define kMTDefaultsRLSyslogOptions      @"SyslogOptions"
-#define kMTDefaultsRLSyslogFacility     @"LogFacility"
-#define kMTDefaultsRLSyslogSeverity     @"LogSeverity"
-#define kMTDefaultsRLSyslogMaxSize      @"MaximumMessageSize"
+#define kMTDefaultsToggleTimeout            @"DockToggleTimeout"
+#define kMTDefaultsToggleMaxTimeout         @"DockToggleMaxTimeout"
+#define kMTDefaultsEnforcePrivileges        @"EnforcePrivileges"
+#define kMTDefaultsAuthRequired             @"RequireAuthentication"
+#define kMTDefaultsLimitToUser              @"LimitToUser"
+#define kMTDefaultsLimitToGroup             @"LimitToGroup"
+#define kMTDefaultsRequireReason            @"ReasonRequired"
+#define kMTDefaultsReasonMinLength          @"ReasonMinLength"
+#define kMTDefaultsReasonMaxLength          @"ReasonMaxLength"
+#define kMTDefaultsReasonPresets            @"ReasonPresetList"
+#define kMTDefaultsRemoteLogging            @"RemoteLogging"
+#define kMTDefaultsRLServerType             @"ServerType"
+#define kMTDefaultsRLServerAddress          @"ServerAddress"
+#define kMTDefaultsRLServerPort             @"ServerPort"
+#define kMTDefaultsRLEnableTCP              @"EnableTCP"
+#define kMTDefaultsRLSyslogOptions          @"SyslogOptions"
+#define kMTDefaultsRLSyslogFacility         @"LogFacility"
+#define kMTDefaultsRLSyslogSeverity         @"LogSeverity"
+#define kMTDefaultsRLSyslogMaxSize          @"MaximumMessageSize"
diff --git a/source/MTAuthCommon.h b/source/MTAuthCommon.h
@@ -1,6 +1,6 @@
 /*
  MTAuthCommon.h
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/MTAuthCommon.m b/source/MTAuthCommon.m
@@ -1,6 +1,6 @@
 /*
  MTAuthCommon.m
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/MTIdentity.h b/source/MTIdentity.h
@@ -1,6 +1,6 @@
 /*
  MTIdentity.h
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/MTIdentity.m b/source/MTIdentity.m
@@ -1,6 +1,6 @@
 /*
  MTIdentity.m
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/Privileges.xcodeproj/project.pbxproj b/source/Privileges.xcodeproj/project.pbxproj
@@ -524,7 +524,8 @@
 		ADA960591C905F36002AEFEA /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 1400;
+				BuildIndependentTargetsInParallel = YES;
+				LastUpgradeCheck = 1500;
 				ORGANIZATIONNAME = "SAP SE";
 				TargetAttributes = {
 					AD703CF22385361700A8D946 = {
@@ -822,8 +823,8 @@
 				ENABLE_HARDENED_RUNTIME = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				INFOPLIST_FILE = PrivilegesXPC/Info.plist;
-				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.xpc;
@@ -849,8 +850,8 @@
 				ENABLE_HARDENED_RUNTIME = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				INFOPLIST_FILE = PrivilegesXPC/Info.plist;
-				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				MTL_FAST_MATH = YES;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.xpc;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -985,13 +986,14 @@
 					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				INFOPLIST_FILE = Privileges/Info.plist;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@loader_path/../Frameworks",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -1016,13 +1018,14 @@
 					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				INFOPLIST_FILE = Privileges/Info.plist;
+				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.utilities";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@loader_path/../Frameworks",
 					"@executable_path/../Frameworks",
 				);
-				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -1038,7 +1041,8 @@
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "PrivilegesHelper/PrivilegesHelper-Info.plist";
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				OTHER_LDFLAGS = (
 					"-sectcreate",
 					__TEXT,
@@ -1061,7 +1065,8 @@
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "PrivilegesHelper/PrivilegesHelper-Info.plist";
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				OTHER_LDFLAGS = (
 					"-sectcreate",
 					__TEXT,
@@ -1085,7 +1090,8 @@
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "$(SRCROOT)/PrivilegesCLI/PrivilegesCLI-Info.plist";
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				OTHER_LDFLAGS = "";
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.cli;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1104,7 +1110,8 @@
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "$(SRCROOT)/PrivilegesCLI/PrivilegesCLI-Info.plist";
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				OTHER_LDFLAGS = "";
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.cli;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1149,7 +1156,8 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				INFOPLIST_FILE = PrivilegesTile/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				OTHER_LDFLAGS = (
 					"-framework",
 					AppKit,
@@ -1202,7 +1210,8 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				INFOPLIST_FILE = PrivilegesTile/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
-				MARKETING_VERSION = 1.5.3;
+				MACOSX_DEPLOYMENT_TARGET = 10.13;
+				MARKETING_VERSION = 1.5.4;
 				OTHER_LDFLAGS = (
 					"-framework",
 					AppKit,

diff --git a/source/Privileges/AppDelegate.h b/source/Privileges/AppDelegate.h
@@ -1,6 +1,6 @@
 /*
  AppDelegate.h
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/Privileges/AppDelegate.m b/source/Privileges/AppDelegate.m
@@ -1,6 +1,6 @@
 /*
  AppDelegate.m
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
@@ -190,13 +190,13 @@ - (void)changeAdminGroup:(NSString*)userName remove:(BOOL)remove
     [self connectAndExecuteCommandBlock:^(NSError *connectError) {
 
           if (connectError) {
-              os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! %{public}@", connectError);
+              os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: %{public}@", connectError);
               [self displayErrorNotificationAndExit];
 
           } else {
 
               [[self.helperToolConnection remoteObjectProxyWithErrorHandler:^(NSError *proxyError) {
-                  os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! %{public}@", proxyError);
+                  os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: %{public}@", proxyError);
                   [self displayErrorNotificationAndExit];
 
               }] changeAdminRightsForUser:userName
@@ -206,7 +206,7 @@ - (void)changeAdminGroup:(NSString*)userName remove:(BOOL)remove
                                 withReply:^(NSError *error) {
 
                   if (error) {
-                      os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! Unable to change privileges: %{public}@", error);
+                      os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: Unable to change privileges: %{public}@", error);
                       [self displayErrorNotificationAndExit];
 
                   } else {
@@ -285,12 +285,12 @@ - (void)checkForHelper
 
 - (void)helperCheckFailed:(NSString*)errorMessage
 {
-    os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! %{public}@", errorMessage);
+    os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: %{public}@", errorMessage);
 
     [self connectToXPCService];
     [[self.xpcServiceConnection remoteObjectProxyWithErrorHandler:^(NSError *proxyError) {
 
-        os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! %{public}@", proxyError);
+        os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: %{public}@", proxyError);
 
         [self displayDialog:NSLocalizedString(@"notificationText_Error", nil)
                 messageText:nil
@@ -309,7 +309,7 @@ - (void)helperCheckFailed:(NSString*)errorMessage
 
         } else {
 
-            os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! Installation of the helper tool failed: %{public}@", installError);
+            os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: Installation of the helper tool failed: %{public}@", installError);
 
             [self displayDialog:NSLocalizedString(@"notificationText_Error", nil)
                     messageText:nil
@@ -841,11 +841,11 @@ -(void)applicationWillTerminate:(NSNotification *)aNotification
     [self connectAndExecuteCommandBlock:^(NSError * connectError) {
 
            if (connectError) {
-               os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! %{public}@", connectError);
+               os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: %{public}@", connectError);
            } else {
 
                [[self.helperToolConnection remoteObjectProxyWithErrorHandler:^(NSError *proxyError) {
-                   os_log(OS_LOG_DEFAULT, "SAPCorp: ERROR! %{public}@", proxyError);
+                   os_log_with_type(OS_LOG_DEFAULT, OS_LOG_TYPE_ERROR, "SAPCorp: %{public}@", proxyError);
                }] quitHelperTool];
            }
        }

diff --git a/source/Privileges/Base.lproj/MainMenu.xib b/source/Privileges/Base.lproj/MainMenu.xib
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="21179.7" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" customObjectInstantitationMethod="direct">
+<document type="com.apple.InterfaceBuilder3.Cocoa.XIB" version="3.0" toolsVersion="21507" targetRuntime="MacOSX.Cocoa" propertyAccessControl="none" useAutolayout="YES" customObjectInstantitationMethod="direct">
     <dependencies>
         <deployment identifier="macosx"/>
-        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="21179.7"/>
+        <plugIn identifier="com.apple.InterfaceBuilder.CocoaPlugin" version="21507"/>
         <capability name="documents saved in the Xcode 8 format" minToolsVersion="8.0"/>
     </dependencies>
     <objects>

diff --git a/source/Privileges/Info.plist b/source/Privileges/Info.plist
@@ -19,15 +19,15 @@
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>1330</string>
+	<string>1375</string>
 	<key>LSApplicationCategoryType</key>
 	<string>public.app-category.utilities</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
 	<key>NSDockTilePlugIn</key>
 	<string>PrivilegesTile.docktileplugin</string>
 	<key>NSHumanReadableCopyright</key>
-	<string>Copyright © 2016-2022 SAP SE. All rights reserved.</string>
+	<string>Copyright © 2016-2023 SAP SE. All rights reserved.</string>
 	<key>NSMainNibFile</key>
 	<string>MainMenu</string>
 	<key>NSPrincipalClass</key>

diff --git a/source/Privileges/MTNotification.h b/source/Privileges/MTNotification.h
@@ -1,6 +1,6 @@
 /*
  MTNotification.h
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/Privileges/MTNotification.m b/source/Privileges/MTNotification.m
@@ -1,6 +1,6 @@
 /*
  MTNotification.m
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

diff --git a/source/Privileges/Privileges.mobileconfig b/source/Privileges/Privileges.mobileconfig
@@ -175,6 +175,18 @@ limitations under the License.
 
 								</array>
 
+								<!--
+                                    key: PostChangeExecutablePath
+                                    value: a string containing the absolute path to an executable 
+                                    
+                                    The specified executable is called whenever privileges changed. 
+                                    The name of the user who changed admin rights and the state of 
+                                    the admin rights (0 or 1) are provided as arguments $1 and $2. 
+                                    the executable is launched as the actual user (not as root).
+                                -->
+								<key>PostChangeExecutablePath</key>
+								<string>/Library/Application Support/Privileges/PrivilegesChanged.sh</string>
+
 								<!--
                                     key: RemoteLogging
                                     value: a dictionary containing the server information:

diff --git a/source/Privileges/de.lproj/InfoPlist.strings b/source/Privileges/de.lproj/InfoPlist.strings
@@ -1,6 +1,6 @@
 /*
  InfoPlist.strings
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
 
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
@@ -16,4 +16,4 @@
  */
 
 // the copyright string (for the application's info window in Finder)
-"NSHumanReadableCopyright" = "© 2016-2022 SAP SE. Alle Rechte vorbehalten.";
+"NSHumanReadableCopyright" = "© 2016-2023 SAP SE. Alle Rechte vorbehalten.";
diff --git a/source/Privileges/de.lproj/Localizable.strings b/source/Privileges/de.lproj/Localizable.strings
@@ -1,6 +1,6 @@
 /*
  Localizable.strings
- Copyright 2016-2022 SAP SE
+ Copyright 2016-2023 SAP SE
 
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
@@ -96,11 +96,11 @@
 // even more characters
 "evenMoreChars" = "%ld Zeichen";
 
-// the value to differenciate between "more" and "even more" characters (if applicable)
+// the value to differentiate between "more" and "even more" characters (if applicable)
 "evenMoreCharsThreshold" = "";
 
 // the default menu entry "Other…" (other reason) for the reason pop-up button
-"otherMenuEntry" = "Anderer…";
+"otherMenuEntry" = "Anderer …";
 
 // the message of the dialog box where the user has to provide a reason for getting admin rights. This version of
 // the text appears if the pop-up menu containing the pre-defined reasons is visible