Skip to content
/ sado Public
forked from facebookincubator/sado

A macOS signed-app shim for running daemons with reliable capabilities.

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kilpatds/sado

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.github/workflows
.github/workflows
 
 
Sado.xcodeproj
Sado.xcodeproj
 
 
Sado
Sado
 
 
docs
docs
 
 
.gitignore
.gitignore
 
 
Info.plist
Info.plist
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

/ˈsæːdoʊ/ (Signed Application Do)

Sado is an application designed to securely and programmatically grant TCC permissions to macOS executables in launchd and interactive contexts.

Examples

If $sado is the location of the Sado executable (e.g. $sado=/Applications/Sado.app/Contents/MacOS/Sado)

# If you don't have a sado profile installed by your administrator,
# you can change your list of allowable commands for testing.
# A sado command must have a name, the full path of an executable and arguments.
$ $sado add-command my_echo /bin/echo test
$ $sado add-command my_true /usr/bin/true
$ $sado list-commands
Available commands:
my_true: ["/usr/bin/true"]
my_echo: ["/bin/echo", "test"]

# Now, we can run one of these commands with sado:
$ $sado run /bin/echo test
test

# But a command without exactly matching arguments is not runnable
$ $sado run /bin/echo hello there!
["/bin/echo", "hello", "there!"] not in a valid command

# You may also run a command by giving its name
$ $sado run-by-name my_true

# Clearing the list is trivial if it is not admin-enforced
$ $sado clear-commands
$ $sado list-commands
No available commands.

# And sado will "fail open" if has been given no configuration.
$ $sado run /bin/echo "I'm a bad command!"
I'm a bad command!

Managing Sado via MDM

Sado uses the bundle identifier to look up the configuration, which defaults to com.facebook.cpe.Sado. You con enforce values for this with a configuration profile with the PayloadType that matches the bundle identifier (com.facebook.cpe.Sado).

  <key>PayloadContent</key>
  <dict>
    <key>ValidCommands</key>
    <dict>
      <key>run_true</key>
      <array>
        <string>/usr/bin/true</string>
      </array>
      <key>run_echo</key>
      <array>
        <string>/bin/echo</string>
        <string>hello</string>
        <string>there!</string>
      </array>
    </dict>
  </dict>

Requirements

Sado requires macOS 11.0 or later.

Building Sado

Sado can be built in Xcode, or in the terminal using xcodebuild.

To build Sado.app, run

$ xcodebuild -project 'Sado.xcodeproj' -scheme 'Sado'

and to build the Sado binary, to test; run

$ xcodebuild -project 'Sado.xcodeproj' -scheme 'SadoBinary'

Why Sado?

See the page on Technical Details for more information on how Sado works, how to use it and similar software.

Discussions and support

Sado can be discussed on the MacAdmin slack in the #meta-open-source channel.

See the CONTRIBUTING docs if you would like to help out.

License

Sado is Apache-2.0 licensed, as found in the LICENSE file.

About

A macOS signed-app shim for running daemons with reliable capabilities.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Swift 100.0%