
xcscredd(186) deny file-read-metadata /Users

Hi


I checked my system log, which was created overnight. There are a lot of entries which I am trying to decipher. The first one is this:


Oct 28 04:27:47 server kernel[0]: Sandbox: xcscredd(186) deny file-read-metadata /Users

Oct 28 04:27:47 --- last message repeated 16 times ---

Oct 28 04:27:47 server.mydomain.com sandboxd[71] ([186]): xcscredd(186) deny file-read-metadata /Users

Oct 28 04:27:49 --- last message repeated 7 times ---


It comes every 13 minutes. I googled a little bit and found out that xscertd is a certificate signing daemon.


The daemon config is located in /System/Library/LaunchDaemons/. It has a socket config, which means that the service is started when it is needed. As far as I know.


In /usr/share/sandbox/com.apple.xscertd.sb there is no entry for the /Users folder.


Should I enter a value like

(literal "/Users")

in the allow file-read-metadata section?


Can someone tell me what the certificate signing daemon wants in the Users folder?


And what activates the certificate signing daemon every 13 minutes, so that it needs to read file metadata in the Users folder?

Mac mini, OS X Mavericks (10.9), Server Profile Manager Payloads

Posted on Oct 28, 2013 2:38 AM

Reply
40 replies
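As an added example (not part of the original post and not an Apple tool), the script below parses Sandbox denial lines of the form quoted in the question, folds the "last message repeated N times" lines into the preceding denial, counts denials per log source, process, operation and path, and measures the spacing between bursts. That is the quickest way to confirm an "every 13 minutes" pattern from the log itself and to see whether the denied paths stay at /Users or descend into home directories. The lines in SAMPLE_LOG are constructed after the ones in the post: the 04:40 and 04:53 bursts and the final keychain line are invented to exercise the checks, and the year 2013 is assumed because syslog omits it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log, modelled on the syslog lines quoted in the post.
# The 04:40 and 04:53 bursts and the last line are invented to exercise the
# interval and path checks; none of this was captured from a real machine.
SAMPLE_LOG = """\
Oct 28 04:27:47 server kernel[0]: Sandbox: xcscredd(186) deny file-read-metadata /Users
Oct 28 04:27:47 --- last message repeated 16 times ---
Oct 28 04:27:47 server.mydomain.com sandboxd[71] ([186]): xcscredd(186) deny file-read-metadata /Users
Oct 28 04:27:49 --- last message repeated 7 times ---
Oct 28 04:40:47 server kernel[0]: Sandbox: xcscredd(186) deny file-read-metadata /Users
Oct 28 04:40:47 --- last message repeated 16 times ---
Oct 28 04:53:47 server kernel[0]: Sandbox: xcscredd(186) deny file-read-metadata /Users
Oct 28 04:53:48 server kernel[0]: Sandbox: xcscredd(186) deny file-read-data /Users/alice/Library/Keychains/login.keychain
"""

# The kernel and sandboxd both report denials; the source is kept in the key so
# the two streams are never silently added together.
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<src>kernel\[0\]: Sandbox:|sandboxd\[\d+\] \(\[\d+\]\):) "
    r"(?P<proc>[\w.-]+)\((?P<pid>\d+)\) deny (?P<op>[\w*-]+) (?P<path>\S+)$"
)
REPEAT_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d --- last message repeated (?P<n>\d+) times ---$"
)


def parse_denials(text, year=2013):
    """Turn syslog text into a list of denial records.

    syslog omits the year, so the caller supplies it (2013 matches the post).
    A 'last message repeated N times' line adds N to the count of the denial
    directly before it; repeats that follow any other line are dropped.
    """
    events = []
    last = None
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            last = {
                "ts": ts,
                "source": "kernel" if m["src"].startswith("kernel") else "sandboxd",
                "proc": m["proc"], "pid": int(m["pid"]),
                "op": m["op"], "path": m["path"], "count": 1,
            }
            events.append(last)
            continue
        r = REPEAT_RE.match(line)
        if r and last is not None:
            last["count"] += int(r["n"])
        else:
            last = None  # anything else breaks the 'repeated' chain


    return events


def summarize(events):
    """Total denials per (source, process, operation, path)."""
    totals = Counter()
    for e in events:
        totals[(e["source"], e["proc"], e["op"], e["path"])] += e["count"]
    return totals


def burst_starts(events, proc, op, path, gap=timedelta(seconds=60)):
    """Start times of distinct bursts of one denial; hits within `gap` of a burst start merge into it."""
    times = sorted(e["ts"] for e in events
                   if (e["proc"], e["op"], e["path"]) == (proc, op, path))
    starts = []
    for t in times:
        if not starts or t - starts[-1] > gap:
            starts.append(t)
    return starts


def burst_intervals_minutes(starts):
    """Minutes between consecutive burst starts; a steady value points at a timer or periodic job."""
    return [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]


def paths_under(events, prefix):
    """Distinct denied paths at or below `prefix`, shallowest first."""
    base = prefix.rstrip("/") + "/"
    found = {e["path"] for e in events if e["path"] == prefix or e["path"].startswith(base)}
    return sorted(found, key=lambda p: (p.count("/"), p))


if __name__ == "__main__":
    evs = parse_denials(SAMPLE_LOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{n:4d}  {' '.join(key)}")
    starts = burst_starts(evs, "xcscredd", "file-read-metadata", "/Users")
    print("burst interval (min):", burst_intervals_minutes(starts))
    print("paths under /Users:", paths_under(evs, "/Users"))
```

Feed it `/var/log/system.log` (or the output of `grep -h 'deny' /var/log/system.log*`) instead of SAMPLE_LOG; if the interval list is a flat run of the same number, look for a launchd job or timer with that period rather than at the sandbox profile.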

Oct 29, 2013 2:35 PM in response to ebolaseph

From a "just get this working" perspective, probably, but from a security perspective opening up permissions that you don't need is usually a bad idea. I mentioned one theory as to why xcscredd may be looking at /Users in an earlier post (I think it's the keychain code responding to keychain notifications).


It's likely that once you allowed /Users it would ask for /Users/logged_in_user_name, etc., down to the login.keychain file. It's a slippery slope, and in the end, the most important data on most users' computers is in their home folders under /Users.


steps up on the soapbox

Creating a good sandbox/seatbelt profile is hard. Not only do you have to deal with the file/resource accesses of your program, but also all the private accesses made by all the frameworks you are using. If you develop for the App Store, the default sandbox profile is pretty complete, but there's still a risk that something may get by. Accesses that cause problems are usually caught in testing, but ones that are "benign" (i.e. not good from a security point of view, but not otherwise problematic) are harder to catch.

steps back down


HTH

- Leland

Oct 31, 2013 12:52 PM in response to 吴承峻

1. Open the terminal

2. type

sudo vim /Applications/Server.app/Contents/ServerRoot/System/Library/Sandbox/Profiles/xcscredd.sb

3. enter

(deny file-read*
   (subpath "/Users")
   (with no-log)
)

into the file


To edit the file you have to press i.


4. Then press ESC and then :wq (Enter)


But you shouldn't do things like this if you don't even know how to change a text file.

It's at your own risk.
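The four steps above edit a sandbox profile by hand, with no backup and no check that the result still parses. As an added example (not part of the reply and not an Apple tool), here is a small Python script that does the same change more carefully: it refuses to touch a profile whose parentheses are already unbalanced, appends the deny/no-log rule only if it is not already there, verifies the result is still balanced, and writes a timestamped backup next to the file before overwriting it. QUIET_DENY_RULE is the rule from the reply; SAMPLE_PROFILE is a constructed stand-in used only to exercise the functions and does not reproduce the real xcscredd.sb, and the parenthesis check is a deliberately simple stand-in for the real sandbox compiler.

```python
import shutil
import time

# The rule from the reply: silence the denial log without granting the access.
# Writing an (allow ...) rule here would widen the sandbox instead.
QUIET_DENY_RULE = """\
(deny file-read*
   (subpath "/Users")
   (with no-log)
)
"""

# Constructed stand-in for a profile; the real xcscredd.sb is longer and differs.
SAMPLE_PROFILE = """\
(version 1)
(deny default)
(allow file-read* (literal "/usr/share/zoneinfo"))
"""


def parens_balanced(text):
    """True if every '(' in the SBPL text has a matching ')'.

    Quoted strings are skipped so a path containing a parenthesis does not
    confuse the count, and ';' comments run to end of line. This is a cheap
    sanity check, not a full SBPL parser.
    """
    depth = 0
    in_str = False
    in_comment = False
    for ch in text:
        if in_comment:
            in_comment = ch != "\n"
            continue
        if in_str:
            in_str = ch != '"'
            continue
        if ch == '"':
            in_str = True
        elif ch == ";":
            in_comment = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_str


def add_rule(profile_text, rule):
    """Return (new_text, changed). Idempotent: an identical rule already present is not added twice."""
    if rule.strip() in profile_text:
        return profile_text, False
    new_text = (profile_text.rstrip("\n") + "\n\n" + rule) if profile_text else rule
    if not parens_balanced(new_text):
        raise ValueError("resulting profile has unbalanced parentheses; not writing it")
    return new_text, True


def patch_profile(path, rule=QUIET_DENY_RULE):
    """Back up `path` next to itself, then append the rule. Returns the backup path, or None if unchanged."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    if not parens_balanced(original):
        raise ValueError(f"{path} is not well-formed; refusing to edit")
    new_text, changed = add_rule(original, rule)
    if not changed:
        return None
    backup = f"{path}.bak-{int(time.time())}"
    shutil.copy2(path, backup)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return backup


if __name__ == "__main__":
    import sys
    # Usage (path from the reply above):
    #   sudo python3 patch_profile.py /Applications/Server.app/Contents/ServerRoot/System/Library/Sandbox/Profiles/xcscredd.sb
    print(patch_profile(sys.argv[1]) or "rule already present; nothing written")
```

Run it with sudo against the profile path given in the reply; keep the .bak file until the daemon has been observed starting and the log has gone quiet, and restore it if the service misbehaves.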

Nov 4, 2013 9:43 AM in response to - Krzysztof -

Thanks for that. I am running 10.9 and Server on a 2011 iMac. I am in the process of testing a deployment server for our College. I am attempting to build this up with DeployStudio and eventually Reposado for deployment and update management for the Macs we purchase for faculty and staff.


I restarted the machine and couldn't access my mouse because Bluetooth hadn't started. I attempted to bring up the Bluetooth settings with Alfred to check whether anything had changed. But no system preferences could be launched. I was otherwise able to launch a terminal and launch 'top' and launched 'Activity Monitor.'


In Top, process 'cma' just stayed up there and did not budge. This appears to be part of the McAfee 2.0 setup. (Yes, antivirus is our policy, even for Macs.) I turned off McAfee and restarted. On restart, even with McAfee back on everything was working, bluetooth and all.


On checking the console, I followed the xcscredd error codes through Google to here. I implemented this change in the xcscredd.sb per this hack. So far, so good.


