Samuel Keeley keeleysam

keeleysam / launchdaemon_programs_mutable.sql
Last active July 15, 2019 12:40
Sample queries for use with osquery (https://osquery.io/) to find executables which are writable by users other than root for simple root escalations. Presented at Objective by the Sea v2.0 (https://objectivebythesea.com/v2/)
/*
This query looks at the programs referenced by LaunchDaemons in order to find ones which are writable by non-root users.
Note that it is hard to tell what will actually be executed by launchd in some cases, so this query may return false positives. Recommended to be used together with process monitoring.
*/
select
distinct p.launchd_path as launchd_path,
p.launchd_label as launchd_label,
f.path,

Keybase proof

I hereby claim:

  • I am keeleysam on github.
  • I am keeleysam (https://keybase.io/keeleysam) on keybase.
  • I have a public key ASBKqpVo2TGE26gR6fUNqL65zbZMy9d5gXPqRImzZRoojgo

To claim this, I am signing this object:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppleUpdates</key>
<array>
<dict>
<key>blocking_applications</key>
<array>
<string>Xcode.app</string>
ST31000528AS:
Capacity: 1 TB (1,000,204,886,016 bytes)
Model: ST31000528AS
Revision: AP25
Serial Number: xxxxxxxx
Native Command Queuing: Yes
Queue Depth: 32
Removable Media: No
Detachable Drive: No
bplist00ÿ \groupmembersYmcx_flags\mcx_settingsXrealname\generateduidUusersSgidTname¢
_$99B537A8-4E10-4033-BBE7-E4594D452B95_$5D00747F-E320-4280-8C2B-50907C37F31C°
O‚<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>has_mcx_settings</key>
<true/>
</dict>
</plist>
sh-3.2# ./setupMCX2.sh
+ ./setupMCX2.sh
+ local_desktop_GUID=B4247B97-F249-4409-8EA3-BA8E168BA0DA
+ local_laptop_GUID=15BEE70A-A32D-4A33-B740-93CBE95F75A4
+ changedMCX=true
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/users
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/groups
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/computers
+ /bin/mkdir -p -m 700 /private/var/db/dslocal/nodes/MCX/computergroups
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>dsAttrTypeStandard:CSPSearchPath</key>
<array>
<string>/Local/Default</string>
<string>/Local/MCX</string>
<string>/Active Directory/AD/All Domains</string>
</array>
sh-3.2# /usr/bin/dscl -plist /Search read / CSPSearchPath
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>dsAttrTypeStandard:CSPSearchPath</key>
<array>
<string>/Local/Default</string>
<string>/Active Directory/AD/All Domains</string>
</array>
$ /usr/bin/dscl /Search read / CSPSearchPath | /usr/bin/cut -d" " -f3-
CSPSearchPath:
Directory/DIRECTORY/All Domains
$ /usr/bin/dscl /Search read / CSPSearchPath | /usr/bin/cut -d" " -f4-
CSPSearchPath:
Domains
sudo ./setupMCX.sh
<main> attribute status: eDSNodeNotFound
<dscl_cmd> DS Error: -14008 (eDSNodeNotFound)
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
Updating GUID for /Computers/local_desktop...
was:
now: B4247B97-F249-4409-8EA3-BA8E168BA0DA
Updating GUID for /Computers/local_laptop...
was: