chore: ensure downloaded slim binary version matches server #211
+53
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
|
Not directly related but @jdomeracki-coder should we also implement binary verification in Coderd Desktop? cc: @deansheather |
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
929c831 to
262c4d1
Compare
|
|
||
| let version: String | ||
| do { | ||
| let versionOutput = try await Subprocess.data(for: [binaryPath.path, "version", "--output=json"]) |
There was a problem hiding this comment.
Any way to drop privileges for this subprocess? We are root after all...
There was a problem hiding this comment.
This is possible with a combination of launchctl asuser <uid> and sudo -u [<uid>|<username>]:
sudo -u '#501' launchctl asuser 501 /usr/bin/whoami
One switches the UID, the other the (macOS specific) execution context.
Unfortunately,
$ sudo -u nobody launchctl asuser -2 /usr/bin/whoami
Could not switch to audit session 0x187c3: 1: Operation not permitted
does not work, and so we'd need to determine the currently logged in user in some other way.
501 is the first created user on the machine, and on corporate devices this will likely be some admin user.
There was a problem hiding this comment.
It's fine to execute it as root if it's too difficult, the signature is still ours so the risk is small
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
e9e15db to
c7602c2
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
262c4d1 to
a7b16ea
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
c7602c2 to
f008801
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
a7b16ea to
9695afe
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
f008801 to
847006f
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
2 times, most recently
from
c229789 to
a723a9a
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
847006f to
d9255bc
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
a723a9a to
ffe7d2e
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
d9255bc to
4f29ff3
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
ffe7d2e to
ab9ca27
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
4f29ff3 to
5840bce
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
ab9ca27 to
50e4a63
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
5840bce to
3f7f6b6
Compare
deansheather
approved these changes
Aug 4, 2025
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
50e4a63 to
8fb9382
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
3f7f6b6 to
42b8f0b
Compare
ethanndickson
force-pushed
the
ethan/validate-slim-binary-version
branch
from
8fb9382 to
431149f
Compare
ethanndickson
force-pushed
the
ethan/slim-over-dylib
branch
from
42b8f0b to
b716554
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to #201.
After we've validated the binary signature, we exec
coder version --output=jsonto validate the version of the downloaded binary matches the server. This is done to prevent against downgrade attacks, and to match the checking we had on the dylib before.Additionally, this PR also ensures the certificate used to sign the binary is part of an Apple-issued certificate chain.
I assumed we were checking this before (by default) but we weren't.
Though we weren't previously checking it, we were only ever downloading and executing a dylib.
My understanding is that macOS won't execute a dylib unless the executing process and the dylib were signed by the same Apple developer team (at least in a sandboxed process, as is the Network Extension).
Only now, when
posix_spawning the slim binary from an unsandboxed LaunchDaemon, is this check absolutely necessary.