taskgated(8) [osx man page]

taskgated(8)						    BSD System Manager's Manual 					      taskgated(8)

NAME
     taskgated -- task_for_pid access control daemon

SYNOPSIS
     taskgated [-ps] [-t timeout] [-i pid]

DESCRIPTION
     taskgated is a system daemon that implements a policy for the task_for_pid system service. When the kernel is asked for the task port of a process, and preliminary access control checks pass, it invokes this daemon (via launchd) to make the decision.

OPTIONS
     -p      Accepts the old (Tiger) convention that a process with a primary effective group of procmod or procview is allowed to get task ports. Without this option, this legacy mode is not supported.

     -s      Allow signed applications marked as "safe" to have free access to task ports, without having to pass an authorization check. Note that such callers must be marked both allowed and safe.

     -t timeout
             The daemon will quit after that many seconds of inactivity. It will be relaunched by launchd as needed. A timeout of zero can be specified to make the daemon quit after servicing each request, but a small positive timeout is better for performance.

     -i pid  Inject the service port of taskgated into the process with the given pid, rather than relying on launchd to install it system-wide. This is for testing only, and requires the launchd configuration for taskgated to be removed.

AUTHORIZATION RIGHTS
     system.privilege.taskport
             Authorization right used to check access of allowed (but not safe) callers.

INFO KEYS
     SecTaskAccess
             A value of "allowed" is required for any program that wants access to task ports. A value of "safe" bypasses authorization checks if so configured. Code must be signed by any system-trusted signing authority.

FILES
     /etc/authorization
             to configure the authorization used.

     /System/Library/LaunchDaemons/com.apple.taskgated
             startup configuration file for taskgated

SEE ALSO
     security(1), launchd(8)

HISTORY
     taskgated was first introduced in Mac OS 10.5 (Leopard). Certain software updates of Mac OS 10.4 (Tiger) introduced the convention requiring membership in the procmod or procview groups to control task port access. Before that, any process could obtain the task port of any other process with the same user-id.

Darwin				 May 31, 2019				    Darwin
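Added example (not part of the man page and not taskgated's own code): a small audit helper that reads SecTaskAccess from an Info.plist and models the decision described under OPTIONS, AUTHORIZATION RIGHTS and INFO KEYS, so a reviewer can see which bundles would skip the authorization check when the daemon runs with -s. The function names, the order of the checks, the storage of SecTaskAccess as an array of strings, and passing the signature result in as a boolean are assumptions; the sample plist is constructed.

```python
import plistlib

# Constructed sample Info.plist (not taken from any real application).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.debugger</string>
  <key>SecTaskAccess</key>
  <array><string>allowed</string><string>safe</string></array>
</dict>
</plist>
"""

LEGACY_GROUPS = {"procmod", "procview"}  # groups named under the -p option


def sec_task_access(info_plist_bytes):
    """Return the set of SecTaskAccess values declared in an Info.plist."""
    value = plistlib.loads(info_plist_bytes).get("SecTaskAccess", [])
    if not isinstance(value, list):  # assumption: tolerate a single value
        value = [value]
    return {v for v in value if isinstance(v, str)}


def taskport_decision(values, trusted_signature, safe_mode=False,
                      legacy_mode=False, primary_group=None):
    """Model of the documented policy (hypothetical helper).

    Returns 'allow', 'authorize' (subject to the system.privilege.taskport
    right) or 'deny'. The order of the checks is an assumption.
    """
    if legacy_mode and primary_group in LEGACY_GROUPS:
        return "allow"       # -p: Tiger group convention accepted
    if not trusted_signature or "allowed" not in values:
        return "deny"        # must be signed and marked "allowed"
    if safe_mode and "safe" in values:
        return "allow"       # -s: allowed + safe skips the authorization check
    return "authorize"       # allowed (but not safe) callers


if __name__ == "__main__":
    declared = sec_task_access(SAMPLE_INFO_PLIST)
    for safe_mode in (False, True):
        print(sorted(declared), "safe_mode =", safe_mode, "->",
              taskport_decision(declared, True, safe_mode=safe_mode))
```
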

Check Out this Related Man Page

rpcbind(8)						    BSD System Manager's Manual 						rpcbind(8)

NAME
     rpcbind -- portmap

SYNOPSIS
     rpcbind [-d] [-v] [-h bindip]

DESCRIPTION
     Rpcbind is a server that converts RPC program numbers into DARPA protocol port numbers. It is a replacement for the older portmap program. rpcbind supports the original version 2 portmap protocol and in addition supports the newer version 3 and version 4 protocols that are necessary for IPv6 support. It must be running on the server in order to make RPC calls.

     When an RPC server is started, it will tell rpcbind what address it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact rpcbind on the server machine to determine the address where RPC packets should be sent.

     rpcbind is a launchd service. When the first server tries to register with rpcbind the RPC library will contact launchd and arrange for rpcbind to be started. Note it is no longer possible to run rpcbind from the command line.

     rpcbind logs errors and information using asl(3).

     rpcbind uses hosts_access(5) for access control; note access control patterns may only reference IP addresses.

     The following options are available and will need to be added to the rpcbind plist file.

     -d      causes rpcbind errors and debugging information to be printed to the standard error output via asl_log. This option is no longer very useful.

     -v      Enable verbose logging of access control checks.

     -h      Specify specific IP addresses to bind to for UDP requests. This option may be specified multiple times and is typically necessary when running on a multi-homed host. If no -h option is specified, rpcbind will bind to INADDR_ANY, which could lead to problems on a multi-homed host due to rpcbind returning a UDP packet from a different IP address than it was sent to. Note that when specifying IP addresses with -h, rpcbind will automatically add 127.0.0.1 to the list.

FILES
     /System/Library/LaunchDaemons/com.apple.rpcbind.plist
             launchd.plist(5) file for rpcbind. Options should be added here.

     /usr/share/sandbox/rpcbind.sb
             sandbox(7) file for rpcbind.

SEE ALSO
     hosts_access(5), launchd.plist(5), launchd(8), rpcinfo(8)

BUGS
     If rpcbind crashes, all servers must be restarted. Version 4 getstat procedure is not implemented and will always return 0 and null values. RPC_SYSTEMERROR. -h option is not supported for IPv6.

Darwin				 June 1, 2019				    Darwin