Running headless app as root for handling VPN and launching microservices

Hello to all, I have coded in Swift a headless app that launches 3 Go microservices and itself. The app listens via Unix domain sockets for commands from the microservices and executes different VPN-related operations, using the NEVPNManager extension. Because there are certificates and VPN operations, the headless app and two Go microservices must run as root.

The app and microservices run perfectly when I run in Xcode launching the Swift app as root. However, I have been trying for some weeks already to modify the application so that at startup it requests the password and runs as root or something similar, so all forked apps also run as root. I have not succeeded. I have tried many things; the last one was using SMApp, but as the Swift app is a headless app and not a CLI command app it cannot be embedded. And CLI apps cannot get the VPN entitlements. Can anybody please give me some pointers on how I can launch the app so it requests the password and runs as root in the background, or what the ideal framework is here? Thank you again.

Does your product include a Network Extension provider that implements a custom VPN protocol? Or are you configuring the built-in VPN protocols using the Personal VPN API?

And if you do have an NE provider, is it packaged as an appex or a sysex?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn Thanks for the reply.

My application configures the built-in VPN protocols using the Personal VPN API. This is in Swift. Inside the Go apps, there are some calls to "security" to handle certs. The Swift app runs as a headless app, no need for a GUI.

using the Personal VPN API

Thanks for confirming that.

The Swift app runs as a headless app, no need for a GUI.

OK. But things are not that simple on macOS. A program runs in an execution context based on how it’s launched. For example, a command-line tool run from Terminal gets a very different execution context from that same command-line tool run as a launchd daemon. And this execution context is critical when you start doing things like modifying the keychain (which is what you’re doing when you spawn the security tool).

We discuss this in gory detail in TN2083 Daemons and Agents. It’s very (very very)-: old, but the core concepts are still valid.

So what sort of user experience are you aiming for here? Specifically, are you expecting this stuff to function when no one is logged in to the Mac?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn

For your specific question: No, I do not expect this to work with no one logged in.

My idea is that the user launches some app, and this app requests the device password so it can execute with elevated privileges. Then the headless app and the Go microservices run while listening to commands given through another GUI we implemented.

The whole concept already works if launched from Xcode as root. It is launching as a normal user by clicking some icon or starting an app that has proven elusive.

The whole concept already works if launched from Xcode as root.

Running code as root from Xcode is very tricky. It puts you in a mixed execution context, where you’re running as user ID 0 but your non-BSD execution context is that of the GUI login session. Weird things happen in that case. In this case those weird things seem to be beneficial, but in reality they’re just misleading )-:

My idea is that the user launches some app

If you have a GUI app and you’re using Personal VPN, why not call NEVPNManager directly from it? Why do you need these extra running-as-root bits?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
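The approach Quinn suggests above, calling the Personal VPN API from an ordinary GUI app without any root helper, as an added example that is not code from this thread. It assumes the app carries the Personal VPN entitlement (com.apple.developer.networking.vpn.api); the server name, username and keychain service string are placeholders.

```swift
import Foundation
import NetworkExtension
import Security

// Placeholder values; replace with your own server and account.
let vpnServer = "vpn.example.com"
let vpnUser = "alice"

/// Stores the VPN password as a generic-password item in the user's login
/// keychain and returns the persistent reference that
/// NEVPNProtocol.passwordReference expects. No root is needed for this.
func storePassword(_ password: String, account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.personalvpn",  // placeholder
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(query as CFDictionary)  // replace any earlier item
    var add = query
    add[kSecValueData as String] = Data(password.utf8)
    add[kSecReturnPersistentRef as String] = true
    var result: CFTypeRef?
    guard SecItemAdd(add as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}

/// Builds and saves an IKEv2 Personal VPN configuration from the GUI app's
/// own (unprivileged) execution context, then starts the tunnel. The system
/// asks the user for consent when the configuration is first saved.
func configureAndConnect(passwordRef: Data, completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { completion(loadError); return }
        let ike = NEVPNProtocolIKEv2()
        ike.serverAddress = vpnServer
        ike.remoteIdentifier = vpnServer
        ike.username = vpnUser
        ike.passwordReference = passwordRef   // keychain reference, never plaintext
        ike.authenticationMethod = .none      // EAP username/password (xauth)
        ike.useExtendedAuthentication = true
        manager.protocolConfiguration = ike
        manager.localizedDescription = "Example Personal VPN"
        manager.isEnabled = true
        manager.saveToPreferences { saveError in
            if let saveError = saveError { completion(saveError); return }
            do { try manager.connection.startVPNTunnel(); completion(nil) }
            catch { completion(error) }
        }
    }
}
```

Because the configuration and the keychain item both live in the logged-in user's context, there is no mixed root/GUI execution context of the kind Quinn describes.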
