MacOS – Why can an app create daemons on the fly without sudo permission and how to stop it

daemons launchd macos services

First, I come from Linux so there are many things which confuse me such as daemons.

I installed VOX.app and it has some kind of agents and cloud-related processes which can be started automatically. There is no option in the VOX UI which can disable them. I tried the following to remove those daemons:

launchctl remove com.coppertino.VOXCloud
launchctl remove com.coppertino.VOXAgent

The above commands are weird already because I didn't need to use sudo. The weirdest part is that what I did is apparently useless, since every time I launch VOX.app, it can create them again and again. This is just crazy.

If this is the security model of macOS how can I understand things and perhaps control for this?

Best Answer

The general security model is that normal users can add any startup items to their realm (user library for them) and not for the system, so don’t let people have admin accounts if you don’t trust them to not run software that installs system-level startup items.

There is no easy way to stop an admin user from changing the system. You can enforce Gatekeeper or signed apps, but most admin users can bypass that setting so at best, you slow down an uneducated admin user for a bit.

Per-user and Computer Wide Jobs

On macOS, launchd can manage background processes per-user and computer wide.

Per-user jobs exist within your user session. They start and stop with your logging in and out of the computer. If the jobs have associated job tickets, you will find them in the folders ~/Library/LaunchAgents and ~/Library/LaunchDaemons.

Computer wide jobs start and stop with the computer. These jobs are stored in /Library/LaunchAgents and /Library/LaunchDaemons.

Computer wide jobs managed by Apple are stored in /System/Library/LaunchAgents and /System/Library/LaunchDaemons.

Per-user jobs do not need super user permission. Thus, you did not need sudo to stop jobs installed at the user level by VOX.app.

Disabling a launchd job

You can unload a launchd job to block it from returning:

Usage: launchctl unload <service-path, service-path2, ...>

  • -w Additionally disables the service such that future load operations will result in a service which launchd tracks but cannot be launched or discovered in any way.
  • -S <session> Only unloads the services associated with the specified session.
  • -D <domain> Unloads launchd.plist(5) files from the specified domain. See the discussion regarding this same flag when given to the load subcommand for further details.

The -w causes the unload to be written to disk and to persist across sessions.

For more about stopping, unloading, and overriding jobs see:
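Added example, not part of the question or the answer above: a small audit script that walks the job-ticket folders the answer lists and reports every ticket whose Label starts with a given vendor prefix, so you can see which scope an app has written into and whether managing it would need sudo. The function name `find_jobs` and its `root`/`home` parameters are assumptions made for this example; the `com.coppertino` prefix is taken from the question.

```python
import plistlib
from pathlib import Path

# Folders named in the answer above, with the scope the answer gives each.
JOB_DIRS = [
    ("~/Library/LaunchAgents", "per-user"),
    ("~/Library/LaunchDaemons", "per-user"),
    ("/Library/LaunchAgents", "computer-wide"),
    ("/Library/LaunchDaemons", "computer-wide"),
    ("/System/Library/LaunchAgents", "Apple"),
    ("/System/Library/LaunchDaemons", "Apple"),
]

def find_jobs(label_prefix, root="/", home=None):
    """List job tickets whose Label starts with label_prefix."""
    # root and home are hypothetical knobs for scanning a backup or test tree.
    home = Path(home) if home else Path.home()
    hits = []
    for raw, scope in JOB_DIRS:
        folder = home / raw[2:] if raw.startswith("~/") else Path(root) / raw.lstrip("/")
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
            except Exception:
                continue  # unreadable or malformed ticket: skip it
            if not isinstance(job, dict):
                continue
            label = str(job.get("Label", ""))
            if not label.startswith(label_prefix):
                continue
            args = job.get("ProgramArguments") or []
            hits.append({
                "path": str(path),
                "scope": scope,
                "label": label,
                "program": job.get("Program") or (args[0] if args else None),
                "run_at_load": bool(job.get("RunAtLoad", False)),
                # Per the answer, only per-user jobs are manageable without sudo.
                "needs_sudo": scope != "per-user",
            })
    return hits

if __name__ == "__main__":
    for hit in find_jobs("com.coppertino"):  # vendor prefix from the question
        print(hit)
```

As the answer notes, only jobs that have job tickets appear in these folders, so an empty result does not prove that no job is loaded.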