Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

taskgated(8) [osx man page]

taskgated(8)						    BSD System Manager's Manual 					      taskgated(8)

NAME

     taskgated -- task_for_pid access control daemon

SYNOPSIS

     taskgated [-ps] [-t timeout] [-i pid]

DESCRIPTION

     taskgated is a system daemon that implements a policy for the task_for_pid system service.  When the kernel is asked for the task port of a
     process, and preliminary access control checks pass, it invokes this daemon (via launchd) to make the decision.

OPTIONS

     -p       Accepts the old (Tiger) convention that a process with a primary effective group of procmod or procview is allowed to get task
	      ports. Without this option, this legacy mode is not supported.

     -s       Allow signed applications marked as "safe" to have free access to task ports, without having to pass an authorization check. Note
	      that such callers must be marked both allowed and safe.

     -t timeout
	      The daemon will quit after that many seconds of inactivity. It will be relaunched by launchd as needed. A timeout of zero can be
	      specified to make the daemon quit after servicing each request, but a small positive timeout is better for performance.

     -i pid   Inject the service port of taskgated into the process with the given pid, rather than relying on launchd to install it system-wide.
	      This is for testing only, and requires the launchd configuration for taskgated to be removed.

AUTHORIZATION RIGHTS

     system.privilege.taskport	Authorization right used to check access of allowed (but not safe) callers.

INFO KEYS

     SecTaskAccess  A value of "allowed" is required for any program that wants access to task ports. A value of "safe" bypasses authorization
		    checks if so configured.  Code must be signed by any system-trusted signing authority.

FILES

     /etc/authorization  to configure the authorization used.
     /System/Library/LaunchDaemons/com.apple.taskgated
			 startup configuration file for taskgated

SEE ALSO

     security(1), launchd(8)

HISTORY

     taskgated was first introduced in Mac OS 10.5 (Leopard).

     Certain software updates of Mac OS 10.4 (Tiger) introduced the convention requiring membership in the procmod or procview groups to control
     task port access. Before that, any process could obtain the task port of any other process with the same user-id.

Darwin								   May 31, 2019 							    Darwin

Check Out this Related Man Page

launchd(8)						    BSD System Manager's Manual 						launchd(8)

NAME

     launchd -- System wide and per-user daemon/agent manager

SYNOPSIS

     launchd [-d] [-D] [-s] [-S SessionType] [-- command [args ...]]

DESCRIPTION

     launchd manages processes, both for the system as a whole and for individual users.  The primary and preferred interface to launchd is via
     the launchctl(1) tool which (among other options) allows the user or administrator to load and unload jobs.  Where possible, it is preferable
     for jobs to launch on demand based on criteria specified in their respective configuration files.

     During boot launchd is invoked by the kernel to run as the first process on the system and to further bootstrap the rest of the system.

     You cannot invoke launchd directly.

ENVIRONMENTAL VARIABLES

     LAUNCHD_SOCKET
	      This variable is exported when invoking a command via the launchd command line. It informs launchctl how to find the correct launchd
	      to talk to.

NOTES

     In Darwin, the canonical way to launch a daemon is through launchd as opposed to more traditional mechanisms or mechanisms provided in ear-
     lier versions of Mac OS X. These alternate methods should be considered deprecated and not suitable for new projects.

     In the launchd lexicon, a "daemon" is, by definition, a system-wide service of which there is one instance for all clients. An "agent" is a
     service that runs on a per-user basis. Daemons should not attempt to display UI or interact directly with a user's login session. Any and all
     work that involves interacting with a user should be done through agents.

     If you wish your service to run as a certain user, in that user's environment, making it a launchd agent is the ONLY supported means of
     accomplishing this on Mac OS X. In other words, it is not sufficient to perform a setuid(2) to become a user in the truest sense on Mac OS X.

FILES

     ~/Library/LaunchAgents	    Per-user agents provided by the user.
     /Library/LaunchAgents	    Per-user agents provided by the administrator.
     /Library/LaunchDaemons	    System-wide daemons provided by the administrator.
     /System/Library/LaunchAgents   Per-user agents provided by Mac OS X.
     /System/Library/LaunchDaemons  System-wide daemons provided by Mac OS X.

SEE ALSO

     launchctl(1), launchd.plist(5),

Darwin								    1 May, 2009 							    Darwin
Man Page