macOS preferences not checking the by-host level(part 2) #3942

Open
groob opened this Issue Nov 17, 2017 · 2 comments

groob commented Nov 17, 2017

This is a followup from #3501, which looked fixed in #3681 but values are still not reported correctly.

Take this domain/key as an example:

com.apple.notificationcenterui / doNotDisturb

The doNotDisturb key will flip to true/false depending on the notification center flag.

I can observe this change with CFPreferences by using:

    import os
    import pwd

    from Foundation import (CFPreferencesSetValue,
                            kCFPreferencesCurrentUser,
                            kCFPreferencesCurrentHost,
                            CFPreferencesSynchronize,
                            CFPreferencesCopyAppValue)
    from SystemConfiguration import SCDynamicStoreCopyConsoleUser

    # Find the user logged in at the console and switch to that UID
    cfuser = SCDynamicStoreCopyConsoleUser(None, None, None)
    consoleUser = cfuser[0]
    userUID = pwd.getpwnam(consoleUser).pw_uid
    os.setuid(userUID)

    # Read the key through the normal preferences search path
    bundleID = 'com.apple.notificationcenterui'
    doNotDisturb = CFPreferencesCopyAppValue('doNotDisturb', bundleID)

or the handy script from the original issue:

    python fancy_defaults_read.py com.apple.notificationcenterui doNotDisturb
    doNotDisturb: True
    Type: boolean
    Defined: /Users/victor/Library/Preferences/ByHost/com.apple.notificationcenterui.xxxx.plist

Now if I run osqueryi as myself, I also get the value as true

    osquery> select * from preferences where domain="com.apple.notificationcenterui" AND key="doNotDisturb" and username="victor";
    +--------------------------------+--------------+--------+-------+--------+----------+---------+
    | domain                         | key          | subkey | value | forced | username | host    |
    +--------------------------------+--------------+--------+-------+--------+----------+---------+
    | com.apple.notificationcenterui | doNotDisturb |        | true  | 0      | victor   | current |
    +--------------------------------+--------------+--------+-------+--------+----------+---------+

but running as root shows the incorrect value.

    ~ ❯❯❯ sudo osqueryi
    Using a virtual database. Need help, type '.help'
    osquery> select * from preferences where domain="com.apple.notificationcenterui" AND key="doNotDisturb" and username="victor";
    +--------------------------------+--------------+--------+-------+--------+----------+---------+
    | domain                         | key          | subkey | value | forced | username | host    |
    +--------------------------------+--------------+--------+-------+--------+----------+---------+
    | com.apple.notificationcenterui | doNotDisturb |        | false | 0      | victor   | current |
    +--------------------------------+--------------+--------+-------+--------+----------+---------+

groob commented Nov 17, 2017

Looks related to the isUserAdmin() function here?

    const auto* user = (username != nullptr)
                           ? &username
                           : (isUserAdmin()) ? &kCFPreferencesAnyUser
                                             : &kCFPreferencesCurrentUser;

Should be currentUser even if username is an admin.

theopolis commented Dec 17, 2017

@groob, sorry for letting this slide for a while.

I think the lines you've referenced are OK. It should only select current user if a username is not provided to the method. In your use case you are sending 'victor'.

When you run your handy script, are you getting the same results as your user and as root?
