Uploading Privileges 1.5.1 source code

Uploading Privileges 1.5.1 source code, which includes fixes for identified vulnerabilities.

source/Privileges.xcodeproj/project.pbxproj

@@ -809,7 +809,7 @@
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				INFOPLIST_FILE = PrivilegesXPC/Info.plist;
 				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.0.0;
+				MARKETING_VERSION = 1.5.1;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.xpc;
@@ -835,7 +835,7 @@
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				INFOPLIST_FILE = PrivilegesXPC/Info.plist;
 				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.0.0;
+				MARKETING_VERSION = 1.5.1;
 				MTL_FAST_MATH = YES;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.xpc;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -969,7 +969,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.5.0;
+				MARKETING_VERSION = 1.5.1;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -997,7 +997,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 10.12;
-				MARKETING_VERSION = 1.5.0;
+				MARKETING_VERSION = 1.5.1;
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
@@ -1007,15 +1007,13 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CODE_SIGN_IDENTITY = "Developer ID Application";
-				CURRENT_PROJECT_VERSION = 1.5.0;
+				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
+				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "PrivilegesHelper/PrivilegesHelper-Info.plist";
+				MARKETING_VERSION = 1.5.1;
 				OTHER_LDFLAGS = (
-					"-sectcreate",
-					__TEXT,
-					__info_plist,
-					"PrivilegesHelper/PrivilegesHelper-Info.plist",
 					"-sectcreate",
 					__TEXT,
 					__launchd_plist,
@@ -1031,15 +1029,13 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CODE_SIGN_IDENTITY = "Developer ID Application";
-				CURRENT_PROJECT_VERSION = 1.5.0;
+				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
+				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "PrivilegesHelper/PrivilegesHelper-Info.plist";
+				MARKETING_VERSION = 1.5.1;
 				OTHER_LDFLAGS = (
-					"-sectcreate",
-					__TEXT,
-					__info_plist,
-					"PrivilegesHelper/PrivilegesHelper-Info.plist",
 					"-sectcreate",
 					__TEXT,
 					__launchd_plist,
@@ -1057,10 +1053,11 @@
 				CODE_SIGN_ENTITLEMENTS = "";
 				CODE_SIGN_IDENTITY = "Developer ID Application";
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
-				CURRENT_PROJECT_VERSION = 1.5.0;
+				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "$(SRCROOT)/PrivilegesCLI/PrivilegesCLI-Info.plist";
+				MARKETING_VERSION = 1.5.1;
 				OTHER_LDFLAGS = "";
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.cli;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1074,10 +1071,11 @@
 				CODE_SIGN_ENTITLEMENTS = "";
 				CODE_SIGN_IDENTITY = "Developer ID Application";
 				CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
-				CURRENT_PROJECT_VERSION = 1.5.0;
+				CURRENT_PROJECT_VERSION = 1;
 				DEVELOPMENT_TEAM = 7R5ZEU67FQ;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "$(SRCROOT)/PrivilegesCLI/PrivilegesCLI-Info.plist";
+				MARKETING_VERSION = 1.5.1;
 				OTHER_LDFLAGS = "";
 				PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.cli;
 				PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1121,7 +1119,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				INFOPLIST_FILE = PrivilegesTile/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
-				MARKETING_VERSION = 1.5.0;
+				MARKETING_VERSION = 1.5.1;
 				OTHER_LDFLAGS = (
 					"-framework",
 					AppKit,
@@ -1173,7 +1171,7 @@
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				INFOPLIST_FILE = PrivilegesTile/Info.plist;
 				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
-				MARKETING_VERSION = 1.5.0;
+				MARKETING_VERSION = 1.5.1;
 				OTHER_LDFLAGS = (
 					"-framework",
 					AppKit,

source/Privileges/Info.plist

@@ -19,7 +19,7 @@
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>1093</string>
+	<string>1118</string>
 	<key>LSApplicationCategoryType</key>
 	<string>public.app-category.utilities</string>
 	<key>LSMinimumSystemVersion</key>

source/PrivilegesCLI/PrivilegesCLI-Info.plist

@@ -8,7 +8,9 @@
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>PrivilegesCLI</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
 	<key>CFBundleVersion</key>
-	<string>1.5.0</string>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
 </dict>
 </plist>

source/PrivilegesHelper/PrivilegesHelper-Info.plist

@@ -8,11 +8,13 @@
 	<string>6.0</string>
 	<key>CFBundleName</key>
 	<string>PrivilegesHelper</string>
+	<key>CFBundleShortVersionString</key>
+	<string>$(MARKETING_VERSION)</string>
 	<key>CFBundleVersion</key>
-	<string>1.5.0</string>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>SMAuthorizedClients</key>
 	<array>
-		<string>anchor apple generic and identifier &quot;corp.sap.privileges.xpc&quot; and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = &quot;7R5ZEU67FQ&quot;)</string>
+		<string>anchor apple generic and identifier "corp.sap.privileges.xpc" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7R5ZEU67FQ")</string>
 	</array>
 </dict>
 </plist>

source/PrivilegesHelper/PrivilegesHelper.m

@@ -71,12 +71,15 @@ - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConne
 
     BOOL acceptConnection = NO;
 
-    // see how we have been signed and make sure only processes with the same signing authority can connect
+    // see how we have been signed and make sure only processes with the same signing authority can connect.
+    // additionally the calling application must have the same version number as this helper and must be one
+    // of the components using a bundle identifier starting with "corp.sap.privileges"
     NSError *error = nil;
     NSString *signingAuth = [MTAuthCommon getSigningAuthorityWithError:&error];
+    NSString *requiredVersion = [self helperVersion];
 
     if (signingAuth) {
-        NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\"", signingAuth];
+        NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\" and info [CFBundleShortVersionString] >= \"%@\" and info [CFBundleIdentifier] = corp.sap.privileges*", signingAuth, requiredVersion];
         SecTaskRef taskRef = SecTaskCreateWithAuditToken(NULL, ((ExtendedNSXPCConnection*)newConnection).auditToken);
 
         if (taskRef) {
@@ -173,7 +176,12 @@ - (void)connectWithEndpointReply:(void (^)(NSXPCListenerEndpoint *))reply
 
 - (void)helperVersionWithReply:(void(^)(NSString *version))reply
 {
-    reply([[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"]);
+    reply([self helperVersion]);
+}
+
+- (NSString*)helperVersion
+{
+    return [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
 }
 
 - (void)changeAdminRightsForUser:(NSString*)userName

source/PrivilegesTile/PrivilegesTile.m

@@ -150,7 +150,8 @@ - (NSMenu*)dockMenu
 
          if (([_userDefaults objectIsForcedForKey:@"EnforcePrivileges"] && ([[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"admin"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"user"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"none"])) ||
              (limitToUser && ![[limitToUser lowercaseString] isEqualToString:_currentUser]) ||
-             (!limitToUser && limitToGroup && ![MTIdentity getGroupMembershipForUser:_currentUser groupName:limitToGroup error:nil]) || reasonRequired) {
+             (!limitToUser && limitToGroup && ![MTIdentity getGroupMembershipForUser:_currentUser groupName:limitToGroup error:nil]) ||
+             ([_userDefaults objectIsForcedForKey:@"RequireAuthentication"] && [_userDefaults boolForKey:@"RequireAuthentication"]) || reasonRequired) {
              [privilegesItem setEnabled:NO];
          }
 
@@ -187,27 +188,11 @@ - (void)togglePrivileges
 
      if (!userError) {
 
-         if (![_userDefaults objectIsForcedForKey:@"EnforcePrivileges"] && [_userDefaults boolForKey:@"RequireAuthentication"] && !isAdmin) {
-
-             [MTIdentity authenticateUserWithReason:NSLocalizedStringFromTableInBundle(@"authenticationText", @"Localizable", _pluginBundle, nil)
-                                  completionHandler:^(BOOL success, NSError *error) {
-
-                 if (success) {
-                     dispatch_async(dispatch_get_main_queue(), ^{
-                         [NSTask launchedTaskWithLaunchPath:self->_cliPath arguments:[NSArray arrayWithObject:@"--add"]];
-                         [self startToggleTimer];
-                     });
-                 }
-             }];
-
-         } else {
+         [NSTask launchedTaskWithLaunchPath:_cliPath
+                                  arguments:(isAdmin) ? [NSArray arrayWithObject:@"--remove"] : [NSArray arrayWithObject:@"--add"]
+          ];
 
-             [NSTask launchedTaskWithLaunchPath:_cliPath
-                                      arguments:(isAdmin) ? [NSArray arrayWithObject:@"--remove"] : [NSArray arrayWithObject:@"--add"]
-              ];
-
-             if (!isAdmin && ![_userDefaults objectIsForcedForKey:@"EnforcePrivileges"]) { [self startToggleTimer]; }
-         }
+         if (!isAdmin && !([_userDefaults objectIsForcedForKey:@"EnforcePrivileges"] && ([[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"admin"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"user"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"none"]))) { [self startToggleTimer]; }
     }
 }
 

source/PrivilegesXPC/Info.plist

@@ -25,14 +25,14 @@
 	<key>SMPrivilegedExecutables</key>
 	<dict>
 		<key>corp.sap.privileges.helper</key>
-		<string>anchor apple generic and identifier &quot;corp.sap.privileges.helper&quot; and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = &quot;7R5ZEU67FQ&quot;)</string>
+		<string>anchor apple generic and identifier "corp.sap.privileges.helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7R5ZEU67FQ")</string>
 	</dict>
 	<key>XPCService</key>
 	<dict>
-		<key>ServiceType</key>
-		<string>Application</string>
 		<key>JoinExistingSession</key>
 		<true/>
+		<key>ServiceType</key>
+		<string>Application</string>
 	</dict>
 </dict>
 </plist>

source/PrivilegesXPC/PrivilegesXPC.m

@@ -88,12 +88,15 @@ - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConne
 
     BOOL acceptConnection = NO;
 
-    // see how we have been signed and make sure only processes with the same signing authority can connect
+    // see how we have been signed and make sure only processes with the same signing authority can connect.
+    // additionally the calling application must have the same version number as this helper and must be one
+    // of the components using a bundle identifier starting with "corp.sap.privileges"
     NSError *error = nil;
     NSString *signingAuth = [MTAuthCommon getSigningAuthorityWithError:&error];
+    NSString *requiredVersion = [[NSBundle bundleForClass:[self class]] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
 
     if (signingAuth) {
-        NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\"", signingAuth];
+        NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\" and info [CFBundleShortVersionString] >= \"%@\" and info [CFBundleIdentifier] = corp.sap.privileges*", signingAuth, requiredVersion];
         SecTaskRef taskRef = SecTaskCreateWithAuditToken(NULL, ((ExtendedNSXPCConnection*)newConnection).auditToken);
 
         if (taskRef) {