Hello everybody,
I am new to this list and have read about 2/3 of the archive.
I really enjoyed the discussion about the pros and cons of a CLI and
about hardening LS.
VeriSnitch is a daemon that monitors LittleSnitch and warns the
user, via the GUI, if it is not running, and also logs to the console.
This is an interesting approach, but I wonder if it would not be
preferable to relaunch the LSDaemon as soon as it gets killed.
This can be achieved by starting the Daemon as a LaunchAgent instead
of the Pref-Pane and the related Login Item.
Launchd will monitor the LittleSnitch Daemon and relaunch it (almost)
immediately after it gets killed.
A plist file (I called mine "supervisor.plist") could look like this
and must be stored in /Library/LaunchAgents with permissions 600 and
owned by root.
This is necessary because otherwise a process owned by the user would
be able to unload the LaunchAgent and circumvent protection.
--- start supervisor.plist ---
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- author: Martin Kissner aka maceis -->
<!-- provided as is; use at your own risk -->
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>supervisor</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/PreferencePanes/Little Snitch.prefPane/Contents/Resources/LittleSnitchDaemon.app/Contents/MacOS/LittleSnitchDaemon</string>
    </array>
    <key>ServiceDescription</key>
    <string>Supervisor for Little Snitch</string>
</dict>
</plist>
--- end supervisor.plist ---
I have tested this, but not very thoroughly.
As far as I can see it works quite well, but there might be side
effects which I didn't notice yet.
One consequence is that LS will run in any user's account which might
not be desired in any case.
Best regards
Martin
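
The following check is an added example, not part of the original post or of Little Snitch: it audits a launchd job file against the conditions the message names (owned by root, permissions 600, OnDemand set to false, an absolute daemon path). The function names, the `expected_uid` parameter and the embedded sample are assumptions made for illustration.

```python
import os
import plistlib
import stat
import tempfile

# Constructed sample: the job from the post, with the daemon path on one line.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key><string>supervisor</string>
<key>OnDemand</key><false/>
<key>ProgramArguments</key>
<array>
<string>/Library/PreferencePanes/Little Snitch.prefPane/Contents/Resources/LittleSnitchDaemon.app/Contents/MacOS/LittleSnitchDaemon</string>
</array>
</dict>
</plist>
"""

def audit_launchd_plist(path, expected_uid=0, expected_mode=0o600):
    """Return a list of findings; an empty list means the file matches the post."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)  # permission bits only, file type stripped
    if mode != expected_mode:
        findings.append(f"mode is {mode:03o}, expected {expected_mode:03o}")
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    if job.get("OnDemand") is not False:
        findings.append("OnDemand is not <false/>, the job is not kept running")
    args = job.get("ProgramArguments") or []
    if not args or not os.path.isabs(args[0]):
        findings.append("ProgramArguments[0] is missing or not an absolute path")
    return findings

def write_sample(mode, data=SAMPLE_PLIST):  # temp copy with a chosen mode
    fd, path = tempfile.mkstemp(suffix=".plist")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    demo = write_sample(0o644)  # deliberately too permissive
    for finding in audit_launchd_plist(demo, expected_uid=os.getuid()):
        print("FINDING:", finding)
    os.remove(demo)
```

On a real system the call would be `audit_launchd_plist("/Library/LaunchAgents/supervisor.plist")`, which keeps the default of uid 0 and mode 600.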