> On Sep 1, 2016, at 2:01 AM, René J.V. Bertin via lldb-dev 
> <lldb-dev@lists.llvm.org> wrote:
> 
> Hi,
> 
> MacPorts has long had ports for llvm and clang which are very practical. 
> Ports for lldb have been missing until now, so I've been trying to create one 
> based on the existing clang port. That wasn't particularly difficult, except 
> (who'd guess) for the codesigning bit.
> 
> Two questions: 
> 
> - to what extent is it indeed (still) required to reboot after each attempt 
> to (re)sign an executable? It doesn't appear to be the case for applications 
> that just need to accept internet connections, for instance.

You don't have to reboot after every attempt to sign an executable.  You only 
have to reboot after making the code signing identity and doing the little 
command line trick to get the system to accept it.  That still seems necessary, 
but then once you've done that you can keep using that identity either till it 
expires or you reinstall your OS.

> - does the debugserver application do anything which makes it a really bad 
> idea to make it SETUID root?
> 

Apple goes to pretty great lengths to limit the harm a debugger can do as an 
attack vector.  With SIP on, being root gives you many fewer permissions w.r.t. 
debugging than you might think, so I don't actually think this would help much. 
Suggesting people turn SIP off to use your debugger build seems like a bad 
idea to me.

> And a bonus question: has it ever been tried to sign the debugserver file 
> with the ad hoc identity ("-")? That identity works for accepting internet 
> connections (= once signed like that applications no longer put up the 
> deny/allow connection dialog each time they're started).

I doubt that would work.

Jim 

> 
> Thanks,
> René
> _______________________________________________
> lldb-dev mailing list
> lldb-dev@lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
