projects / apple / mdnsresponder.git / blame
| Commit | Line | Data |
|---|---|---|
| 67c8f8a1 A |
1 | On Mac OS X, mDNSResponder now runs with user-ID and group-ID |
| 2 | "_mdnsresponder". In order to perform certain privileged operations, a | |
| 3 | helper (unimagintively called mDNSResponderHelper) runs as root when | |
| 4 | needed and handles requests from mDNSResponder. | |
| 5 | ||
| 6 | ||
| 7 | * A new LaunchD job com.apple.mDNSResponderHelper starts | |
| 8 | mDNSResponderHelper on demand. The helper exits after approximately | |
| 9 | 10 seconds of idle time. | |
| 10 | ||
| 11 | * The com.apple.mDNSResponder LaunchD job specifies the account under | |
| 12 | which to run, so that mDNSResponder starts as _mdnsresponder. When | |
| 13 | run as root--- e.g. from the command line with `sudo'--- | |
| 14 | mDNSResponder drops privileges itself. | |
| 15 | ||
| 16 | * A subdirectory named "mdns" and owned by _mdnsresponder has been | |
| 17 | created in /var/run. The PID file and uDNS server socket has been | |
| 18 | moved to that subdirectory. | |
| 19 | ||
| 20 | * There are currently six remote procedure calls handled by | |
| 21 | mDNSResponderHelper: mDNSDynamicStoreSetConfig, | |
| 22 | mDNSPreferencesSetName, mDNSKeychainGetSecrets, | |
| 83fb1e36 | 23 | mDNSConfigureServer, and mDNSAutoTunnelSetKeys |
| 67c8f8a1 A |
24 | |
| 25 | * mDNSDynamicStoreSetConfig allows mDNSResponder to set the | |
| 26 | MulticastDNS, PrivateDNS, or DynamicDNS configurations. | |
| 27 | ||
| 28 | * mDNSPreferencesSetName allows mDNSResponder to set the computer name | |
| 29 | or local host name, and displays a notification if there was a | |
| 30 | conflict. | |
| 31 | ||
| 32 | * mDNSKeychainGetSecrets causes mDNSResponderHelper to collect DNS | |
| 33 | keys from the system keychain. SetDomainSecrets uses the result to | |
| 34 | populate AuthInfoList. One could refactor this code further so that | |
| 35 | mDNSResponderHelper performs all the cryptographic operations, with | |
| 36 | the result that a compromise of mDNSResponder does not compromise | |
| 37 | keys. But I think that may be more change than is advisable at this | |
| 38 | point. | |
| 39 | ||
| 40 | * On the advice of the Security.framework team, I've used | |
| 41 | SecKeychainSetPreferenceDomain to ensure that the system keychain is | |
| 42 | references whenever a NULL SecKeychainRef is used. Wherever a | |
| 43 | SecKeychainRef is needed, NULL is now specified. | |
| 44 | ||
| 83fb1e36 A |
45 | * mDNSConfigureServer, and mDNSAutoTunnelSetKeys do various setup and |
| 46 | teardown for BTMM. |