Opened 5 years ago

Closed 5 years ago

#7208 closed defect (fixed)

Sandboxing denies access to SSH keys.

Reported by: SailingYYC
Owned by: dkocher
Priority: high
Milestone: 4.4.1
Component: sftp
Version: 4.3
Severity: major
Keywords: sandbox
Cc:
Architecture: Intel
Platform: Mac OS X 10.8

Description

Upgraded to 4.3 (10871) via Mac App Store update. This version has sandboxing enabled by default which prevents access to SSH keys stored in ~/.ssh.

Initial connection attempt results in: I/O Error: Connection failed /Users/XXXX/.ssh/id_rsa (Operation not permitted).

-- Console Log --

2013-05-04 1:15:33.000 AM kernel[0]: Sandbox: sandboxd(93005) deny mach-lookup com.apple.coresymbolicationd
2013-05-04 1:15:41.398 AM sandboxd[93005]: ([92668]) Cyberduck(92668) deny file-read-data /Users/XXXX/.ssh/id_rsa

Manually updating the bookmarks and reselecting the SSH key, via the file dialog, permits flawless functionality, until the next time Cyberduck is executed.

Change History (11)

comment:1 Changed 5 years ago by dkocher

  • Milestone changed from 4.4 to 4.3.2
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed 5 years ago by dkocher

We have to test if r11000 is enough to fix this.

comment:3 Changed 5 years ago by dkocher

This will also be an issue for reading and writing keys to the ~/.ssh/known_hosts file.

comment:4 Changed 5 years ago by dkocher

  • Summary changed from Mac sandboxing denies access to SSH keys. to Sandboxing denies access to SSH keys.

comment:5 Changed 5 years ago by dkocher

Fixed entitlements in r11019.

comment:6 Changed 5 years ago by dkocher

  • Component changed from core to sftp
  • Resolution set to fixed
  • Status changed from assigned to closed

comment:7 Changed 5 years ago by dkocher

#7208 closed as duplicate.

comment:8 Changed 5 years ago by dkocher

#7377 closed as duplicate.

comment:9 Changed 5 years ago by dkocher

  • Milestone changed from 4.4 to 4.4.1
  • Resolution fixed deleted
  • Status changed from closed to reopened

We've determined that one or more temporary entitlement exceptions requested for this app are not appropriate and will not be granted:

com.apple.security.temporary-exception.files.home-relative-path.read-only: /.ssh/

We understand this may prevent the app from being approved for the Mac App Store. We encourage you to investigate other ways of implementing the desired functionality.

Reverted in r13638.

comment:10 Changed 5 years ago by SailingYYC

So close! Any insights into an alternative course of action that doesn't involve caching the files in a safe location as this would prove detrimental...

Thanks again for all your great work.

comment:11 Changed 5 years ago by dkocher

  • Resolution set to fixed
  • Status changed from reopened to closed

In r13662. Store security scoped application bookmark for file references outside of sandbox. Change minimum system requirement to 10.7.3 for MAS build.
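The description notes that reselecting the key in the file dialog works until the next launch; a security-scoped application bookmark is what makes that user grant persist. The following Swift code is an added example of that pattern using the standard Foundation/AppKit calls, not Cyberduck's code from r13662. The UserDefaults key and function names are hypothetical, and it assumes the app carries the com.apple.security.files.user-selected.read-only and com.apple.security.files.bookmarks.app-scope entitlements.

```swift
import AppKit

// Hypothetical storage key for this example; not a Cyberduck preference.
let bookmarkKey = "example.sshKeyBookmark"
let scopeOptions: URL.BookmarkCreationOptions =
    [.withSecurityScope, .securityScopeAllowOnlyReadAccess]

/// Ask the user to pick the key once. The open panel grants the sandboxed
/// process access to the chosen file; the bookmark makes that grant persistent.
func chooseAndStoreKey() throws {
    let panel = NSOpenPanel()
    panel.canChooseDirectories = false
    panel.allowsMultipleSelection = false
    panel.showsHiddenFiles = true   // ~/.ssh is hidden by default
    guard panel.runModal() == .OK, let url = panel.url else { return }

    // Read-only scope: the app reads the private key and never writes it.
    let data = try url.bookmarkData(options: scopeOptions,
                                    includingResourceValuesForKeys: nil,
                                    relativeTo: nil)
    UserDefaults.standard.set(data, forKey: bookmarkKey)
}

/// Resolve the stored bookmark on a later launch and read the key inside a
/// start/stop pair. Returns nil when no bookmark exists or access is refused.
func readStoredKey() throws -> Data? {
    guard let data = UserDefaults.standard.data(forKey: bookmarkKey) else {
        return nil
    }
    var stale = false
    let url = try URL(resolvingBookmarkData: data,
                      options: [.withSecurityScope],
                      relativeTo: nil,
                      bookmarkDataIsStale: &stale)
    guard url.startAccessingSecurityScopedResource() else { return nil }
    defer { url.stopAccessingSecurityScopedResource() }

    if stale {
        // File was moved or replaced: refresh the bookmark while access is held.
        let fresh = try url.bookmarkData(options: scopeOptions,
                                         includingResourceValuesForKeys: nil,
                                         relativeTo: nil)
        UserDefaults.standard.set(fresh, forKey: bookmarkKey)
    }
    return try Data(contentsOf: url)
}
```

Every successful startAccessingSecurityScopedResource() call must be balanced by a stop call, which is why the read sits behind `defer`.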
