aysiu edited this page Jul 8, 2024 · 5 revisions

Outset runs scripts in both user and system contexts, so it is important to ensure that this capability is not misused. Files managed by Outset must meet some requirements before they will be processed.

Permissions and Ownership

Permissions and ownership are enforced. If a file does not meet the requirements it will not be processed, and an error will be sent to the log and to stdout.

Scripts

Scripts to be processed from one of Outset's processing directories must be owned by root and have permissions 755 (-rwxr-xr-x).

Packages

Packages must be owned by root and have permissions 644 (-rw-r--r--).

File Verification (optional)

In addition to the on-device checking of permissions, Outset has a preference key that records each script's path together with its SHA256 checksum.

The intention is that a configuration profile deployed via MDM would be used to enforce script integrity and ensure that only the scripts you want to run get run.

When this key is used, every file to be processed must have a matching hash value. A missing hash value or a mismatch will prevent Outset from processing that file.

Individual hash values can be generated with the following command:

% /usr/local/outset/outset --checksum /usr/local/outset/login-every/test.sh 

which produces the following output:

SHA256 for file /usr/local/outset/login-every/test.sh: 6591abcec4e0bdcc75c9509cee7f6ddae0313fef00da9d19586431b88eada436

Alternatively, you can compute all hash values with the command:

% /usr/local/outset/outset --checksum all

which computes hash values for all files and prints a plist to stdout:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>sha256sum</key>
	<dict>
		<key>/usr/local/outset/login-every/test.sh</key>
		<string>6591abcec4e0bdcc75c9509cee7f6ddae0313fef00da9d19586431b88eada436</string>
        ...
	</dict>
</dict>
</plist>

When deployed via MDM, these settings take precedence, as described in Preferences.

Thus, if you deploy a configuration profile from your MDM that defines the contents of the sha256sum key, those values cannot be overridden or removed by a user or by another elevated process on the system.
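The checks described on this page, written out as an added Python example (not Outset's own code): it re-implements the owner and permission gate and the sha256sum lookup over a plist in the layout shown above, against a constructed temporary script. The `required_uid`/`uid` parameter and the `demo` helper are assumptions made so the example can run without root.

```python
import hashlib
import os
import plistlib
import stat
import tempfile

SCRIPT_MODE = 0o755   # scripts: root-owned, -rwxr-xr-x
PACKAGE_MODE = 0o644  # packages: root-owned, -rw-r--r--

def sha256_of(path):
    """Hex SHA256 of a file, the value `outset --checksum <path>` prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def load_checksums(plist_bytes):
    """The path -> sha256 mapping stored under the plist's sha256sum key."""
    return plistlib.loads(plist_bytes).get("sha256sum", {})

def check_file(path, checksums, required_mode, required_uid=0):
    """Reasons this file must not be processed (empty list means OK). required_uid
    is root (0) as Outset requires; parameterised only so the demo runs without root."""
    problems = []
    st = os.stat(path)
    if st.st_uid != required_uid:
        problems.append("owner uid %d, need %d" % (st.st_uid, required_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != required_mode:
        problems.append("mode %o, need %o" % (mode, required_mode))
    expected = checksums.get(path)
    if expected is None:
        problems.append("no checksum recorded")  # absence blocks processing
    elif expected.lower() != sha256_of(path):
        problems.append("checksum mismatch")     # edited file or stale hash
    return problems

def demo(uid=None):
    """Constructed script checked with a matching, a wrong, and a missing hash.
    uid=None means the current user (assumption: lets the demo run unprivileged)."""
    uid = os.getuid() if uid is None else uid
    script = os.path.join(tempfile.mkdtemp(), "test.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(script, SCRIPT_MODE)
    # Same layout as the plist `outset --checksum all` prints: sha256sum -> {path: hash}
    good = load_checksums(plistlib.dumps({"sha256sum": {script: sha256_of(script)}}))
    bad = load_checksums(plistlib.dumps({"sha256sum": {script: "0" * 64}}))
    return (check_file(script, good, SCRIPT_MODE, uid),
            check_file(script, bad, SCRIPT_MODE, uid),
            check_file(script, {}, SCRIPT_MODE, uid))
```

Run `demo()` to see the three outcomes: an empty list for the matching hash, and one reason each for the wrong and the missing hash.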
