Sandboxed commands previously ran as `sudo -u _greywall`, which replaced the invoking user's identity (home directory, SSH keys, git config). They now run as `sudo -u #<uid> -g _greywall`, so the process keeps the real user's UID while pf matches on the `_greywall` EGID for traffic routing. Key changes:
- pf rules use `group <GID>` instead of `user _greywall`
- GID is resolved dynamically at daemon startup rather than hardcoded, since macOS system groups such as `com.apple.access_ssh` may already hold the preferred ID
- sudoers rule installed at `/etc/sudoers.d/greywall` (validated with `visudo`)
- invoking user added to the `_greywall` group via `dscl` (not `dseditgroup`, which clobbers the group's other attributes)
- tun2socks device discovery scans both stdout and stderr (fixes a 10 s timeout caused by the STACK message going to stdout)
- always-on daemon logging for session create/destroy events
//go:build !darwin
package daemon
import "fmt"
// Install locations shared with the macOS implementation. They are declared
// on every platform so the package compiles under the !darwin build tag; the
// stubs below never read them.
const (
	// LaunchDaemonLabel is the launchd job label of the daemon.
	LaunchDaemonLabel = "co.greyhaven.greywall"
	// LaunchDaemonPlistPath is where the launchd property list is installed.
	LaunchDaemonPlistPath = "/Library/LaunchDaemons/co.greyhaven.greywall.plist"
	// InstallBinaryPath is the installed daemon binary.
	InstallBinaryPath = "/usr/local/bin/greywall"
	// InstallLibDir holds the daemon's support files (presumably the
	// tun2socks helper that Install takes as a parameter - verify).
	InstallLibDir = "/usr/local/lib/greywall"
)

// Service account, group, sudoers entry and control socket used by the sandbox.
const (
	// SandboxUserName is the dedicated service account backing the sandbox.
	SandboxUserName = "_greywall"
	// SandboxUserUID is the preferred numeric UID for SandboxUserName, kept as
	// a string; presumably it is handed to external tools verbatim.
	// NOTE(review): the GID is resolved at daemon startup precisely because
	// macOS system accounts can claim preferred IDs; the same collision risk
	// applies to this UID - confirm the installer checks it is free before
	// creating the account rather than assuming 399 is available.
	SandboxUserUID = "399"
	// SandboxGroupName is the group whose EGID the packet filter matches on
	// to route a sandboxed process's traffic.
	SandboxGroupName = "_greywall"
	// SudoersFilePath is the drop-in sudoers file carrying the sandbox rule.
	// sudo's #includedir skips file names containing '.' or '~' and refuses
	// files that are not root-owned mode 0440, so the installer must set
	// ownership and mode explicitly, not just pass visudo.
	SudoersFilePath = "/etc/sudoers.d/greywall"
	// DefaultSocketPath is the daemon's control socket. Who may talk to the
	// daemon is governed by the socket file's ownership and mode - confirm
	// the macOS implementation restricts it.
	DefaultSocketPath = "/var/run/greywall.sock"
)
// Install is the non-macOS stub of the daemon installer. Installing the
// launchd job, service account and sudoers rule is only implemented on
// darwin, so this build always returns an error. The parameters are kept
// for API compatibility and are not inspected.
func Install(currentBinaryPath, tun2socksPath string, debug bool) error {
	err := fmt.Errorf("daemon install is only supported on macOS")
	return err
}
// Uninstall is the non-macOS stub of the daemon uninstaller; there is
// nothing to remove on this platform, so it always returns an error.
// debug is accepted for API compatibility and ignored.
func Uninstall(debug bool) error {
	err := fmt.Errorf("daemon uninstall is only supported on macOS")
	return err
}
// IsInstalled reports whether the daemon is installed. Install is a no-op
// stub on non-macOS platforms, so nothing can ever be installed here and
// the answer is always false.
func IsInstalled() bool {
	const installed = false
	return installed
}
// IsRunning reports whether the daemon is running. No daemon exists on
// non-macOS platforms, so this is always false.
// NOTE(review): a caller that treats "not running" as permission to run the
// command outside the sandbox would silently lose egress control on these
// platforms - confirm callers fail closed rather than fall back.
func IsRunning() bool {
	const running = false
	return running
}