diff --git a/source/Privileges.xcodeproj/project.pbxproj b/source/Privileges.xcodeproj/project.pbxproj
index 7956664..b39a0a4 100644
--- a/source/Privileges.xcodeproj/project.pbxproj
+++ b/source/Privileges.xcodeproj/project.pbxproj
@@ -809,7 +809,7 @@
GCC_C_LANGUAGE_STANDARD = gnu11;
INFOPLIST_FILE = PrivilegesXPC/Info.plist;
MACOSX_DEPLOYMENT_TARGET = 10.12;
- MARKETING_VERSION = 1.0.0;
+ MARKETING_VERSION = 1.5.1;
MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
MTL_FAST_MATH = YES;
PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.xpc;
@@ -835,7 +835,7 @@
GCC_C_LANGUAGE_STANDARD = gnu11;
INFOPLIST_FILE = PrivilegesXPC/Info.plist;
MACOSX_DEPLOYMENT_TARGET = 10.12;
- MARKETING_VERSION = 1.0.0;
+ MARKETING_VERSION = 1.5.1;
MTL_FAST_MATH = YES;
PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.xpc;
PRODUCT_NAME = "$(TARGET_NAME)";
@@ -969,7 +969,7 @@
"@executable_path/../Frameworks",
);
MACOSX_DEPLOYMENT_TARGET = 10.12;
- MARKETING_VERSION = 1.5.0;
+ MARKETING_VERSION = 1.5.1;
PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges;
PRODUCT_NAME = "$(TARGET_NAME)";
};
@@ -997,7 +997,7 @@
"@executable_path/../Frameworks",
);
MACOSX_DEPLOYMENT_TARGET = 10.12;
- MARKETING_VERSION = 1.5.0;
+ MARKETING_VERSION = 1.5.1;
PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges;
PRODUCT_NAME = "$(TARGET_NAME)";
};
@@ -1007,15 +1007,13 @@
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_IDENTITY = "Developer ID Application";
- CURRENT_PROJECT_VERSION = 1.5.0;
+ CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
+ CURRENT_PROJECT_VERSION = 1;
DEVELOPMENT_TEAM = 7R5ZEU67FQ;
ENABLE_HARDENED_RUNTIME = YES;
INFOPLIST_FILE = "PrivilegesHelper/PrivilegesHelper-Info.plist";
+ MARKETING_VERSION = 1.5.1;
OTHER_LDFLAGS = (
- "-sectcreate",
- __TEXT,
- __info_plist,
- "PrivilegesHelper/PrivilegesHelper-Info.plist",
"-sectcreate",
__TEXT,
__launchd_plist,
@@ -1031,15 +1029,13 @@
isa = XCBuildConfiguration;
buildSettings = {
CODE_SIGN_IDENTITY = "Developer ID Application";
- CURRENT_PROJECT_VERSION = 1.5.0;
+ CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
+ CURRENT_PROJECT_VERSION = 1;
DEVELOPMENT_TEAM = 7R5ZEU67FQ;
ENABLE_HARDENED_RUNTIME = YES;
INFOPLIST_FILE = "PrivilegesHelper/PrivilegesHelper-Info.plist";
+ MARKETING_VERSION = 1.5.1;
OTHER_LDFLAGS = (
- "-sectcreate",
- __TEXT,
- __info_plist,
- "PrivilegesHelper/PrivilegesHelper-Info.plist",
"-sectcreate",
__TEXT,
__launchd_plist,
@@ -1057,10 +1053,11 @@
CODE_SIGN_ENTITLEMENTS = "";
CODE_SIGN_IDENTITY = "Developer ID Application";
CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
- CURRENT_PROJECT_VERSION = 1.5.0;
+ CURRENT_PROJECT_VERSION = 1;
DEVELOPMENT_TEAM = 7R5ZEU67FQ;
ENABLE_HARDENED_RUNTIME = YES;
INFOPLIST_FILE = "$(SRCROOT)/PrivilegesCLI/PrivilegesCLI-Info.plist";
+ MARKETING_VERSION = 1.5.1;
OTHER_LDFLAGS = "";
PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.cli;
PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1074,10 +1071,11 @@
CODE_SIGN_ENTITLEMENTS = "";
CODE_SIGN_IDENTITY = "Developer ID Application";
CREATE_INFOPLIST_SECTION_IN_BINARY = YES;
- CURRENT_PROJECT_VERSION = 1.5.0;
+ CURRENT_PROJECT_VERSION = 1;
DEVELOPMENT_TEAM = 7R5ZEU67FQ;
ENABLE_HARDENED_RUNTIME = YES;
INFOPLIST_FILE = "$(SRCROOT)/PrivilegesCLI/PrivilegesCLI-Info.plist";
+ MARKETING_VERSION = 1.5.1;
OTHER_LDFLAGS = "";
PRODUCT_BUNDLE_IDENTIFIER = corp.sap.privileges.cli;
PRODUCT_NAME = "$(TARGET_NAME)";
@@ -1121,7 +1119,7 @@
GCC_WARN_UNUSED_FUNCTION = YES;
INFOPLIST_FILE = PrivilegesTile/Info.plist;
INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
- MARKETING_VERSION = 1.5.0;
+ MARKETING_VERSION = 1.5.1;
OTHER_LDFLAGS = (
"-framework",
AppKit,
@@ -1173,7 +1171,7 @@
GCC_WARN_UNUSED_FUNCTION = YES;
INFOPLIST_FILE = PrivilegesTile/Info.plist;
INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
- MARKETING_VERSION = 1.5.0;
+ MARKETING_VERSION = 1.5.1;
OTHER_LDFLAGS = (
"-framework",
AppKit,
diff --git a/source/Privileges/Info.plist b/source/Privileges/Info.plist
index 207cca9..24079b7 100644
--- a/source/Privileges/Info.plist
+++ b/source/Privileges/Info.plist
@@ -19,7 +19,7 @@
CFBundleSignature
????
CFBundleVersion
- 1093
+ 1118
LSApplicationCategoryType
public.app-category.utilities
LSMinimumSystemVersion
diff --git a/source/PrivilegesCLI/PrivilegesCLI-Info.plist b/source/PrivilegesCLI/PrivilegesCLI-Info.plist
index 470dfb2..6509929 100644
--- a/source/PrivilegesCLI/PrivilegesCLI-Info.plist
+++ b/source/PrivilegesCLI/PrivilegesCLI-Info.plist
@@ -8,7 +8,9 @@
6.0
CFBundleName
PrivilegesCLI
+ CFBundleShortVersionString
+ $(MARKETING_VERSION)
CFBundleVersion
- 1.5.0
+ $(CURRENT_PROJECT_VERSION)
diff --git a/source/PrivilegesHelper/PrivilegesHelper-Info.plist b/source/PrivilegesHelper/PrivilegesHelper-Info.plist
index 4a1fbd5..6aee9c9 100644
--- a/source/PrivilegesHelper/PrivilegesHelper-Info.plist
+++ b/source/PrivilegesHelper/PrivilegesHelper-Info.plist
@@ -8,11 +8,13 @@
6.0
CFBundleName
PrivilegesHelper
+ CFBundleShortVersionString
+ $(MARKETING_VERSION)
CFBundleVersion
- 1.5.0
+ $(CURRENT_PROJECT_VERSION)
SMAuthorizedClients
- anchor apple generic and identifier "corp.sap.privileges.xpc" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7R5ZEU67FQ")
+ anchor apple generic and identifier "corp.sap.privileges.xpc" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7R5ZEU67FQ")
diff --git a/source/PrivilegesHelper/PrivilegesHelper.m b/source/PrivilegesHelper/PrivilegesHelper.m
index 3b6d424..0cc1f63 100644
--- a/source/PrivilegesHelper/PrivilegesHelper.m
+++ b/source/PrivilegesHelper/PrivilegesHelper.m
@@ -71,12 +71,15 @@ - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConne
BOOL acceptConnection = NO;
- // see how we have been signed and make sure only processes with the same signing authority can connect
+ // see how we have been signed and make sure only processes with the same signing authority can connect.
+ // additionally the calling application must have the same version number as this helper and must be one
+ // of the components using a bundle identifier starting with "corp.sap.privileges"
NSError *error = nil;
NSString *signingAuth = [MTAuthCommon getSigningAuthorityWithError:&error];
+ NSString *requiredVersion = [self helperVersion];
if (signingAuth) {
- NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\"", signingAuth];
+ NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\" and info [CFBundleShortVersionString] >= \"%@\" and info [CFBundleIdentifier] = corp.sap.privileges*", signingAuth, requiredVersion];
SecTaskRef taskRef = SecTaskCreateWithAuditToken(NULL, ((ExtendedNSXPCConnection*)newConnection).auditToken);
if (taskRef) {
@@ -173,7 +176,12 @@ - (void)connectWithEndpointReply:(void (^)(NSXPCListenerEndpoint *))reply
- (void)helperVersionWithReply:(void(^)(NSString *version))reply
{
- reply([[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"]);
+ reply([self helperVersion]);
+}
+
+- (NSString*)helperVersion
+{
+ return [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
}
- (void)changeAdminRightsForUser:(NSString*)userName
diff --git a/source/PrivilegesTile/PrivilegesTile.m b/source/PrivilegesTile/PrivilegesTile.m
index d779a78..9726460 100644
--- a/source/PrivilegesTile/PrivilegesTile.m
+++ b/source/PrivilegesTile/PrivilegesTile.m
@@ -150,7 +150,8 @@ - (NSMenu*)dockMenu
if (([_userDefaults objectIsForcedForKey:@"EnforcePrivileges"] && ([[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"admin"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"user"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"none"])) ||
(limitToUser && ![[limitToUser lowercaseString] isEqualToString:_currentUser]) ||
- (!limitToUser && limitToGroup && ![MTIdentity getGroupMembershipForUser:_currentUser groupName:limitToGroup error:nil]) || reasonRequired) {
+ (!limitToUser && limitToGroup && ![MTIdentity getGroupMembershipForUser:_currentUser groupName:limitToGroup error:nil]) ||
+ ([_userDefaults objectIsForcedForKey:@"RequireAuthentication"] && [_userDefaults boolForKey:@"RequireAuthentication"]) || reasonRequired) {
[privilegesItem setEnabled:NO];
}
@@ -187,27 +188,11 @@ - (void)togglePrivileges
if (!userError) {
- if (![_userDefaults objectIsForcedForKey:@"EnforcePrivileges"] && [_userDefaults boolForKey:@"RequireAuthentication"] && !isAdmin) {
-
- [MTIdentity authenticateUserWithReason:NSLocalizedStringFromTableInBundle(@"authenticationText", @"Localizable", _pluginBundle, nil)
- completionHandler:^(BOOL success, NSError *error) {
-
- if (success) {
- dispatch_async(dispatch_get_main_queue(), ^{
- [NSTask launchedTaskWithLaunchPath:self->_cliPath arguments:[NSArray arrayWithObject:@"--add"]];
- [self startToggleTimer];
- });
- }
- }];
-
- } else {
+ [NSTask launchedTaskWithLaunchPath:_cliPath
+ arguments:(isAdmin) ? [NSArray arrayWithObject:@"--remove"] : [NSArray arrayWithObject:@"--add"]
+ ];
- [NSTask launchedTaskWithLaunchPath:_cliPath
- arguments:(isAdmin) ? [NSArray arrayWithObject:@"--remove"] : [NSArray arrayWithObject:@"--add"]
- ];
-
- if (!isAdmin && ![_userDefaults objectIsForcedForKey:@"EnforcePrivileges"]) { [self startToggleTimer]; }
- }
+ if (!isAdmin && !([_userDefaults objectIsForcedForKey:@"EnforcePrivileges"] && ([[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"admin"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"user"] || [[_userDefaults stringForKey:@"EnforcePrivileges"] isEqualToString:@"none"]))) { [self startToggleTimer]; }
}
}
diff --git a/source/PrivilegesXPC/Info.plist b/source/PrivilegesXPC/Info.plist
index d9aa5d3..bd31358 100644
--- a/source/PrivilegesXPC/Info.plist
+++ b/source/PrivilegesXPC/Info.plist
@@ -25,14 +25,14 @@
SMPrivilegedExecutables
corp.sap.privileges.helper
- anchor apple generic and identifier "corp.sap.privileges.helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7R5ZEU67FQ")
+ anchor apple generic and identifier "corp.sap.privileges.helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7R5ZEU67FQ")
XPCService
- ServiceType
- Application
JoinExistingSession
+ ServiceType
+ Application
diff --git a/source/PrivilegesXPC/PrivilegesXPC.m b/source/PrivilegesXPC/PrivilegesXPC.m
index 2af3235..2be18dc 100644
--- a/source/PrivilegesXPC/PrivilegesXPC.m
+++ b/source/PrivilegesXPC/PrivilegesXPC.m
@@ -88,12 +88,15 @@ - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConne
BOOL acceptConnection = NO;
- // see how we have been signed and make sure only processes with the same signing authority can connect
+ // see how we have been signed and make sure only processes with the same signing authority can connect.
+ // additionally the calling application must have the same version number as this helper and must be one
+ // of the components using a bundle identifier starting with "corp.sap.privileges"
NSError *error = nil;
NSString *signingAuth = [MTAuthCommon getSigningAuthorityWithError:&error];
+ NSString *requiredVersion = [[NSBundle bundleForClass:[self class]] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
if (signingAuth) {
- NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\"", signingAuth];
+ NSString *reqString = [NSString stringWithFormat:@"anchor trusted and certificate leaf [subject.CN] = \"%@\" and info [CFBundleShortVersionString] >= \"%@\" and info [CFBundleIdentifier] = corp.sap.privileges*", signingAuth, requiredVersion];
SecTaskRef taskRef = SecTaskCreateWithAuditToken(NULL, ((ExtendedNSXPCConnection*)newConnection).auditToken);
if (taskRef) {