Opened on May 4, 2013 at 7:25:33 AM
#7208 closed defect (fixed)
Sandboxing denies access to SSH keys.
Reported by: | SailingYYC | Owned by: | dkocher |
---|---|---|---|
Priority: | high | Milestone: | 4.4.1 |
Component: | sftp | Version: | 4.3 |
Severity: | major | Keywords: | sandbox |
Cc: | | Architecture: | Intel |
Platform: | Mac OS X 10.8 | | |
Description
Upgraded to 4.3 (10871) via Mac AppStore update. This version has sandboxing enabled by default, which prevents access to SSH keys stored in ~/.ssh.
Initial connection attempt results in: I/O Error: Connection failed /Users/XXXX/.ssh/id_rsa (Operation not permitted).
-- Console Log --
2013-05-04 1:15:33.000 AM kernel[0]: Sandbox: sandboxd(93005) deny mach-lookup com.apple.coresymbolicationd
2013-05-04 1:15:41.398 AM sandboxd[93005]: ([92668]) Cyberduck(92668) deny file-read-data /Users/XXXX/.ssh/id_rsa
Manually updating the bookmarks and reselecting the SSH key, via the file dialog, permits flawless functionality, until the next time Cyberduck is executed.
Change History (11)
comment:1 Changed on May 4, 2013 at 10:54:07 AM by dkocher
- Milestone changed from 4.4 to 4.3.2
- Owner set to dkocher
- Status changed from new to assigned
comment:2 Changed on May 5, 2013 at 4:24:32 PM by dkocher
comment:3 Changed on May 6, 2013 at 10:55:02 AM by dkocher
This will also be an issue for reading and writing keys to the ~/.ssh/known_hosts file.
comment:4 Changed on May 6, 2013 at 11:10:29 AM by dkocher
- Summary changed from Mac sandboxing denies access to SSH keys. to Sandboxing denies access to SSH keys.
comment:5 Changed on May 6, 2013 at 3:30:46 PM by dkocher
Fixed entitlements in r11019.
comment:6 Changed on May 6, 2013 at 3:33:58 PM by dkocher
- Component changed from core to sftp
- Resolution set to fixed
- Status changed from assigned to closed
comment:7 Changed on May 9, 2013 at 9:36:13 AM by dkocher
#7208 closed as duplicate.
comment:8 Changed on Aug 3, 2013 at 10:14:34 PM by dkocher
#7377 closed as duplicate.
comment:9 Changed on Oct 29, 2013 at 9:21:27 PM by dkocher
- Milestone changed from 4.4 to 4.4.1
- Resolution fixed deleted
- Status changed from closed to reopened
We've determined that one or more temporary entitlement exceptions requested for this app are not appropriate and will not be granted:
com.apple.security.temporary-exception.files.home-relative-path.read-only: /.ssh/
We understand this may prevent the app from being approved for the Mac App Store. We encourage you to investigate other ways of implementing the desired functionality.
Reverted in r13638.
comment:10 Changed on Oct 29, 2013 at 10:18:13 PM by SailingYYC
So close! Any insights into an alternative course of action that doesn't involve caching the files in a safe location as this would prove detrimental...
Thanks again for all your great work.
comment:11 Changed on Oct 30, 2013 at 6:30:41 PM by dkocher
- Resolution set to fixed
- Status changed from reopened to closed
In r13662. Store security scoped application bookmark for file references outside of sandbox. Change minimum system requirement to 10.7.3 for MAS build.
We have to test if r11000 is enough to fix this.
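The approach named in comment:11, sketched as an added example (not Cyberduck's code and not part of the ticket): an app-scoped security-scoped bookmark is created from the URL the user picked in the file dialog and resolved on later launches, so the sandbox grants read access to that one key file without a blanket exception for ~/.ssh. The helper names, the error type and the use of `UserDefaults` as the store are assumptions; the app also needs the `com.apple.security.files.user-selected.read-only` and `com.apple.security.files.bookmarks.app-scope` entitlements.

```swift
import Foundation

// Hypothetical error type for this example.
enum KeyBookmarkError: Error {
    case notStored      // no bookmark saved for this connection yet
    case accessDenied   // sandbox refused to extend access
}

// Call once with the URL returned by the open panel after the user selects
// the private key. Only at that moment does the sandbox hold a grant for the
// file, so the bookmark must be created then.
func storeKeyBookmark(for keyURL: URL, defaultsKey: String) throws {
    let data = try keyURL.bookmarkData(
        // Read-only scope: the app never needs to write the private key.
        options: [.withSecurityScope, .securityScopeAllowOnlyReadAccess],
        includingResourceValuesForKeys: nil,
        relativeTo: nil)    // nil means app-scoped rather than document-scoped
    UserDefaults.standard.set(data, forKey: defaultsKey)  // store is an assumption
}

// Resolve the stored bookmark on a later launch and run `body` while access
// to the key file is active. Access is released when `body` returns or throws.
func withPrivateKey<T>(defaultsKey: String, _ body: (URL) throws -> T) throws -> T {
    guard let data = UserDefaults.standard.data(forKey: defaultsKey) else {
        throw KeyBookmarkError.notStored
    }
    var stale = false
    let keyURL = try URL(resolvingBookmarkData: data,
                         options: [.withSecurityScope],
                         relativeTo: nil,
                         bookmarkDataIsStale: &stale)
    // Without this call a read fails with "Operation not permitted" and
    // sandboxd logs a deny file-read-data entry, as in the report above.
    guard keyURL.startAccessingSecurityScopedResource() else {
        throw KeyBookmarkError.accessDenied
    }
    defer { keyURL.stopAccessingSecurityScopedResource() }

    if stale {
        // The file moved or was replaced; refresh the bookmark while access
        // is still held so the next launch does not prompt the user again.
        try? storeKeyBookmark(for: keyURL, defaultsKey: defaultsKey)
    }
    return try body(keyURL)
}
```

Every successful `startAccessingSecurityScopedResource()` must be balanced by a `stopAccessingSecurityScopedResource()`, which the `defer` guarantees here.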