jamf / Munki-Catalog-Browser

Munki Catalog Browser is an app which allows for easy browsing of items in your device's Munki catalogs as well as exporting to CSV.
https://datajar.co.uk
Apache License 2.0

App not usable by non-admin users due to default catalog permissions #4

Closed homebysix closed 4 years ago

homebysix commented 4 years ago

The path to /Library/Managed Installs/catalogs is owned by root:admin and not readable by others by default:

$ ls -la /Library/Managed\ Installs/ | grep catalogs
drwxr-x---   3 root  admin      96 Nov  6 13:10 catalogs

Therefore opening Munki Catalog Browser as a non-administrative user results in a blank window. Not sure whether this is "working as expected" but thought I'd make a note of it.

macmule commented 4 years ago

We'll add a prompt to run as admin

macmule commented 4 years ago

Can people please try the below version? (@apizz too)

https://github.com/dataJAR/Munki-Catalog-Browser/releases/tag/1.1

apizz commented 4 years ago

@macmule I'm an admin and I still don't have anything listed in my Munki Catalog Browser window. Not getting any error messages

Screen Shot 2019-12-16 at 11 59 07 AM

apizz commented 4 years ago

Looks like I had some junk in my /Library/Managed Installs folder when we use a Jamf-specific path for our munki info. After removing it, it's now giving me the error message posted (https://github.com/dataJAR/Munki-Catalog-Browser/releases/tag/1.1) but no option to point somewhere else.

When I run managedsoftwareupdate --show-config it does list the correct Jamf-specific path.

macmule commented 4 years ago

@apizz what’s the path to your catalogs then?

Can you ls & show the perms?

macmule commented 4 years ago

We’re looking at the prefs domain to get the Managed Installs path.. then if we error opening the catalogs you’ll see that error.

So if your account doesn’t have perms to the catalogs file you’ll see the error.

apizz commented 4 years ago

Looking closely, it appears that we have a /Library/Preferences/ManagedInstalls.plist file that points to the standard munki locations as well as a config profile that manages a number of these settings, but not all.

So perhaps this is just the logic MCB is using to determine where to check for the ManagedInstallDir for catalogs?

bash-3.2# ls -lah /Library/Application\ Support/JAMF/Waiting\ Room/
total 648
drwx------   15 root  wheel   480B Dec 16 13:03 .
drwxr-xr-x   18 root  wheel   576B Dec 16 10:21 ..
-rw-r--r--    1 root  wheel   217K Dec 16 12:57 ApplicationInventory.plist
drwxr-xr-x  102 root  wheel   3.2K Dec 16 12:57 Archives
drwxr-xr-x    2 root  wheel    64B Nov 19 17:47 Cache
-rw-r--r--    1 root  wheel   3.0K Nov 19 17:47 InstallInfo.plist
drwxr-xr-x    2 root  wheel    64B Aug 22 15:25 Logs
-rw-r--r--    1 root  wheel    41K Dec 16 12:57 ManagedInstallReport.plist
-rw-r--r--    1 root  wheel   290B Dec 16 12:57 UpdateNotificationTracking.plist
-rw-r--r--    1 root  wheel    52K Dec 16 13:03 application_usage.sqlite
drwxr-xr-x    4 root  wheel   128B Dec 16 12:57 catalogs
drwxr-xr-x    2 root  wheel    64B Aug 22 15:27 client_resources
drwxr-xr-x    3 root  wheel    96B Dec 16 12:57 icons
drwxr-xr-x    6 root  wheel   192B Dec 16 12:57 manifests
drwxr-xr-x    4 root  wheel   128B Dec 15 14:25 swupd
bash-3.2# ls -dlah /Library/Application\ Support/JAMF/Waiting\ Room/
drwx------  15 root  wheel   480B Dec 16 13:03 /Library/Application Support/JAMF/Waiting Room/
bash-3.2# managedsoftwareupdate --show-config
Current Munki configuration:
                   AdditionalHttpHeaders:  None [not set] 
                AppleSoftwareUpdatesOnly: False [MANAGED] 
                              CatalogURL:  None [not set] 
                   ClientCertificatePath:  None [not set] 
                        ClientIdentifier:   u'' [MANAGED] 
                           ClientKeyPath:  None [not set] 
                       ClientResourceURL:  None [not set] 
                 ClientResourcesFilename:  None [not set] 
                DaysBetweenNotifications:     1 [MANAGED] 
                     FollowHTTPRedirects: u'none' [/Library/Preferences/ManagedInstalls.plist] 
                                 HelpURL:  None [not set] 
                                 IconURL:  None [not set] 
                     IgnoreSystemProxies: False [/Library/Preferences/ManagedInstalls.plist] 
             InstallAppleSoftwareUpdates:  True [MANAGED] 
                   InstallRequiresLogout: False [/Library/Preferences/ManagedInstalls.plist] 
                       LocalOnlyManifest: u'Manifest.plist' [MANAGED] 
                                 LogFile: u'/var/log/ManagedSoftwareUpdate.log' [MANAGED] 
                             LogToSyslog: False [/Library/Preferences/ManagedInstalls.plist] 
                            LoggingLevel:     1 [MANAGED] 
                       ManagedInstallDir: u'/Library/Application Support/JAMF/Waiting Room/' [MANAGED] 
                             ManifestURL:  None [not set] 
                              PackageURL:  None [not set] 
                 PackageVerificationMode: u'hash' [MANAGED] 
                     PerformAuthRestarts: False [/Library/Preferences/ManagedInstalls.plist] 
                         RecoveryKeyFile:  None [not set] 
 ShowOptionalInstallsForHigherOSVersions: False [/Library/Preferences/ManagedInstalls.plist] 
               SoftwareRepoCACertificate:  None [not set] 
                      SoftwareRepoCAPath:  None [not set] 
                         SoftwareRepoURL: u'http://jss.themastersschool.com/munki_repo' [MANAGED] 
                 SoftwareUpdateServerURL:  None [not set] 
                     SuppressAutoInstall: False [/Library/Preferences/ManagedInstalls.plist] 
              SuppressLoginwindowInstall: False [/Library/Preferences/ManagedInstalls.plist] 
             SuppressStopButtonOnInstall: False [/Library/Preferences/ManagedInstalls.plist] 
                SuppressUserNotification:  True [MANAGED] 
                  UnattendedAppleUpdates:  True [MANAGED] 
                    UseClientCertificate: False [/Library/Preferences/ManagedInstalls.plist] 
UseClientCertificateCNAsClientIdentifier: False [/Library/Preferences/ManagedInstalls.plist] 
               UseNotificationCenterDays:     3 [/Library/Preferences/ManagedInstalls.plist] 
Current Apple softwareupdate configuration:
                              CatalogURL: u'http://<org>.com/index_0_prod.sucatalog' [MANAGED] 

macmule commented 4 years ago

Thanks, @apizz.

We’re reading the prefs in via UserDefaults (https://developer.apple.com/documentation/foundation/userdefaults)

Which location did the error show & how is that defined?

apizz commented 4 years ago

Looks like it's going off the default location @ /Library/Managed Installs as defined in default /Library/Preferences/ManagedInstalls.plist

Screen Shot 2019-12-16 at 1 36 50 PM Screen Shot 2019-12-16 at 1 37 17 PM

macmule commented 4 years ago

heh.. think i've found the issue, please try: https://github.com/dataJAR/Munki-Catalog-Browser/releases/download/1.1/Munki.Catalog.Browser.zip

apizz commented 4 years ago

Very close ... there appears to be an extra slash between catalogs and the ManagedInstallDir ... That's what is in our config profile which isn't breaking anything with munki, but otherwise that would be a small thing to update in our profile. Screen Shot 2019-12-16 at 2 26 37 PM

apizz commented 4 years ago

NVM ... the default setting as defined in /Library/Preferences/ManagedInstalls.plist is /Library/Managed Installs without the trailing slash. Going to update our profile ...

macmule commented 4 years ago

ok @apizz, try https://github.com/dataJAR/Munki-Catalog-Browser/releases/download/1.1/Munki.Catalog.Browser.zip again

apizz commented 4 years ago

After updating our profile, so now reads /Library/Application Support/JAMF/Waiting Room w/o slash, still get the error ... is it supposed to prompt for elevated privs? Screen Shot 2019-12-16 at 3 21 24 PM

macmule commented 4 years ago

ok.. so the path is missing the additional forward slash.

For this privs issue, we're just alerting at this stage.

Elevated privs would need a privileged helper, which is not a simple fix.

apizz commented 4 years ago

Correct. Makes sense.

Not sure if you want to go so far as to differentiate errors between the path existing or not vs. the path existing but having insufficient privs to read them, but that could be helpful

macmule commented 4 years ago

Sure.. we'd have to run some more checks via filemanager (https://developer.apple.com/documentation/foundation/filemanager), but there will be situations where the API doesn't think that the path exists as you don't have perms.. see the below playground..

so legitimately figuring if someone cannot see a path as it's missing vs their perms is tricky

import Cocoa

let fm = FileManager.default
let defaultInstallDir = "/Library/Managed Installs"
let munkiDefaults = UserDefaults(suiteName: "ManagedInstalls")

// Fall back to Munki's default location when the preference is not set
var managedInstallDir = "\(munkiDefaults?.object(forKey: "ManagedInstallDir") ?? defaultInstallDir)"

// Make sure exactly one slash separates the install dir from "catalogs"
if !managedInstallDir.hasSuffix("/") {
    managedInstallDir = managedInstallDir + "/"
}
let munkiCatalogsDir = URL(fileURLWithPath: "\(managedInstallDir)catalogs")

do {
    let catalogsDir = try fm.contentsOfDirectory(at: munkiCatalogsDir, includingPropertiesForKeys: nil, options: .skipsHiddenFiles)
    for foundCatalog in catalogsDir {
        print("Found \(foundCatalog)")
    }
} catch {
    print("Error reading catalogs")
    // These FileManager calls take a filesystem path, not the file:// URL string
    let readableFiles = fm.isReadableFile(atPath: munkiCatalogsDir.path)
    let filesExist = fm.fileExists(atPath: munkiCatalogsDir.path)
    print(readableFiles)
    if !readableFiles { print("not readable") }
    if !filesExist { print("not found") }
}
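
The missing-versus-unreadable question raised at the end of the thread, as an added example that is not part of the thread or of Munki Catalog Browser: it checks the catalogs path one component at a time with POSIX access(2) and reports the first component that fails and why. `PathProbe` and `probeCatalogs` are hypothetical names; the two sample paths are the ones quoted in the thread, and the install dir is assumed to be an absolute path.

```swift
import Foundation

// Added example; PathProbe and probeCatalogs are hypothetical names,
// not part of Munki Catalog Browser.
enum PathProbe: Equatable {
    case readable
    case missing(at: String)
    case permissionDenied(at: String)
    case otherError(at: String, code: Int32)
}

/// Checks every component of <managedInstallDir>/catalogs in order.
/// Ancestors need search (x) permission; the catalogs directory itself
/// needs read + search so that its contents can be listed.
func probeCatalogs(managedInstallDir: String) -> PathProbe {
    // split() drops empty pieces, so a trailing or doubled "/" in the
    // configured ManagedInstallDir cannot produce "//catalogs".
    let parts = managedInstallDir.split(separator: "/").map(String.init) + ["catalogs"]
    var prefix = ""
    for (index, part) in parts.enumerated() {
        prefix += "/\(part)"
        let mode = index == parts.count - 1 ? (R_OK | X_OK) : X_OK
        guard access(prefix, mode) != 0 else { continue }
        // Stop at the first failing component: once an ancestor denies
        // search permission, this user cannot learn whether anything
        // below it exists.
        switch errno {
        case ENOENT: return .missing(at: prefix)
        case EACCES: return .permissionDenied(at: prefix)
        case let code: return .otherError(at: prefix, code: code)
        }
    }
    return .readable
}

// Paths quoted in the thread: Munki's default and the Jamf-specific one.
for dir in ["/Library/Managed Installs", "/Library/Application Support/JAMF/Waiting Room/"] {
    switch probeCatalogs(managedInstallDir: dir) {
    case .readable: print("\(dir): catalogs readable")
    case .missing(let at): print("\(dir): \(at) does not exist")
    case .permissionDenied(let at): print("\(dir): permission denied at \(at)")
    case .otherError(let at, let code): print("\(dir): \(at): \(String(cString: strerror(code)))")
    }
}
```

With the permissions listed in the thread, a non-admin user gets `permissionDenied` at `catalogs` for the default location, while the `drwx------` Waiting Room directory is reported as the blocking component for every non-root user.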