
macOS preferences not checking the by-host level (part 2) #3942

Open
groob opened this issue Nov 17, 2017 · 2 comments

Comments

groob (Member) commented Nov 17, 2017

This is a followup from #3501, which looked fixed in #3681 but values are still not reported correctly.

Take this domain/key as an example:

com.apple.notificationcenterui / doNotDisturb

The doNotDisturb key will flip to true/false depending on the notification center flag.
[screenshot attached: 2017-11-17 18:21:16]

I can observe this change with CFPreferences by using

    import os
    import pwd
    from Foundation import (CFPreferencesSetValue,
                            kCFPreferencesCurrentUser,
                            kCFPreferencesCurrentHost,
                            CFPreferencesSynchronize,
                            CFPreferencesCopyAppValue)
    from SystemConfiguration import SCDynamicStoreCopyConsoleUser
    # Find the user logged in at the console and switch to their UID so the
    # CFPreferences lookup happens in that user's preference search path.
    cfuser = SCDynamicStoreCopyConsoleUser(None, None, None)
    consoleUser = cfuser[0]
    userUID = pwd.getpwnam(consoleUser).pw_uid
    os.setuid(userUID)
    bundleID = 'com.apple.notificationcenterui'
    # Application-level lookup; resolves the by-host file for the current host first.
    doNotDisturb = CFPreferencesCopyAppValue('doNotDisturb', bundleID)

or the handy script from the original issue

python fancy_defaults_read.py com.apple.notificationcenterui doNotDisturb
doNotDisturb: True
Type: boolean
Defined: /Users/victor/Library/Preferences/ByHost/com.apple.notificationcenterui.xxxx.plist

Now if I run osqueryi as myself, I also get the value as true

osquery> select * from preferences where domain="com.apple.notificationcenterui" AND key="doNotDisturb" and username="victor";
+--------------------------------+--------------+--------+-------+--------+----------+---------+
| domain                         | key          | subkey | value | forced | username | host    |
+--------------------------------+--------------+--------+-------+--------+----------+---------+
| com.apple.notificationcenterui | doNotDisturb |        | true  | 0      | victor   | current |
+--------------------------------+--------------+--------+-------+--------+----------+---------+

but running as root shows the incorrect value.

~ ❯❯❯ sudo osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * from preferences where domain="com.apple.notificationcenterui" AND key="doNotDisturb" and username="victor";
+--------------------------------+--------------+--------+-------+--------+----------+---------+
| domain                         | key          | subkey | value | forced | username | host    |
+--------------------------------+--------------+--------+-------+--------+----------+---------+
| com.apple.notificationcenterui | doNotDisturb |        | false | 0      | victor   | current |
+--------------------------------+--------------+--------+-------+--------+----------+---------+
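The "Defined: .../ByHost/..." line above is the crux: the same key can exist in the user's by-host plist and in the user's any-host plist, and the answer depends on which levels the reader consults. The following is an added example, not code from the issue or from osquery; it uses only plistlib to walk the CFPreferences search order that the issue relies on (user/current-host, then user/any-host, then the machine-wide equivalents) over constructed plist files in a temporary directory. The home path, host UUID and values are made-up fixtures, and `skip_levels` is an assumed parameter used only to show what a reader that ignores the by-host file would return.

```python
"""Resolve a macOS preference key across the by-host and any-host levels.

Added example for the issue above, not osquery code. It reproduces the
"Defined: <plist path>" lookup with plistlib only, so it runs offline.
Assumed search order for a non-managed key (most to least specific):
  user/current-host -> user/any-host -> any-user/current-host -> any-user/any-host
"""
import os
import plistlib
import tempfile


def candidate_paths(domain, user_home, host_uuid, root="/"):
    """Map each search level to the plist file that backs it, most specific first."""
    byhost_name = f"{domain}.{host_uuid}.plist"
    anyhost_name = f"{domain}.plist"
    user_prefs = os.path.join(user_home, "Library", "Preferences")
    machine_prefs = os.path.join(root, "Library", "Preferences")
    return [
        ("user/current-host", os.path.join(user_prefs, "ByHost", byhost_name)),
        ("user/any-host", os.path.join(user_prefs, anyhost_name)),
        ("any-user/current-host", os.path.join(machine_prefs, "ByHost", byhost_name)),
        ("any-user/any-host", os.path.join(machine_prefs, anyhost_name)),
    ]


def resolve(domain, key, user_home, host_uuid, root="/", skip_levels=()):
    """Return (value, level, path) from the first level defining key, or None.

    skip_levels (assumed parameter) lets the caller see what a reader that
    never opens a given level would report for the same key.
    """
    for level, path in candidate_paths(domain, user_home, host_uuid, root):
        if level in skip_levels or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            try:
                data = plistlib.load(fh)
            except plistlib.InvalidFileException:
                continue  # a corrupt file contributes nothing to the search
        if key in data:
            return data[key], level, path
    return None


def write_plist(path, payload):
    """Write a binary-or-XML plist (plistlib defaults to XML) creating parent dirs."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(payload, fh)


def build_fixture(base_dir):
    """Constructed sample: by-host file says True, any-host file says False.

    The UUID is a placeholder, not a real hardware UUID; the values are made up
    to mirror the true/false disagreement reported in the issue.
    """
    home = os.path.join(base_dir, "Users", "victor")
    host_uuid = "00000000-0000-0000-0000-000000000000"
    domain = "com.apple.notificationcenterui"
    write_plist(os.path.join(home, "Library", "Preferences", "ByHost",
                             f"{domain}.{host_uuid}.plist"), {"doNotDisturb": True})
    write_plist(os.path.join(home, "Library", "Preferences", f"{domain}.plist"),
                {"doNotDisturb": False})
    return home, host_uuid, domain


def demo():
    """Resolve the key with and without the by-host level; returns (value, level) pairs."""
    with tempfile.TemporaryDirectory() as base:
        home, host_uuid, domain = build_fixture(base)
        full = resolve(domain, "doNotDisturb", home, host_uuid, root=base)
        no_byhost = resolve(domain, "doNotDisturb", home, host_uuid, root=base,
                            skip_levels=("user/current-host",))
        return full[:2], no_byhost[:2]


if __name__ == "__main__":
    aware, skipped = demo()
    print("by-host aware  :", aware)    # (True, 'user/current-host')
    print("by-host skipped:", skipped)  # (False, 'user/any-host')
```

When triaging a report like this one, run the resolver against the real `~/Library/Preferences` of the affected user with the machine's hardware UUID, and compare the returned path with the `Defined:` line from the script in the issue; a mismatch in the level, rather than in the value, is what points at a reader that is not consulting the by-host file.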
groob (Member, Author) commented Nov 17, 2017

Looks related to the isUserAdmin() function here?

https://github.com/facebook/osquery/blob/ec2fc1a0c1d6b7bba4efa30bc8b98d7f2cfb5be6/osquery/tables/system/darwin/preferences.cpp#L137-L140

Should be currentUser even if username is an admin.

theopolis (Member) commented Dec 17, 2017

@groob, sorry for letting this slide for a while.

I think the lines you've referenced are OK. It should only select current user if a username is not provided to the method. In your use case you are sending 'victor'.

When you run your handy script, are you getting the same results as your user and as root?
