Disable Local Network Access permission check

App & System Services Networking
IngmarStein
IngmarStein OP
Created 1w
Replies 5
Boosts 0
Views 134
Participants 2

I'm using a Mac Studio in a homelab context and use Homebrew to manage the installed services. The services include things that access the local network, for example Prometheus which monitors some other servers, a reverse proxy which fronts other web services on the network, and a DNS server which can use another as upstream.

Local Network Access permissions make it impossible to reliably perform unattended updates of services because an updated binary requires a GUI login to grant local network permissions (again).

I use brew services to manage the services as launchd agents, i.e. they run in a non-root GUI context. I know that I can also use sudo brew services which instead installs the services as launchd daemons, but running services as root has negative security implication and generally doesn't look like a good idea to me.

If only there was a way to disable local network access checks altogether…

Answered by DTS Engineer in 842199022
If only there was a way to disable local network access checks altogether

If only |-:

I recommend that you have a read through TN3179 Understanding local network privacy, just to confirm your understanding of the current state of affairs. If you still can’t find a solution that meets your requirement, you absolutely should file an enhancement request about this.

Please post your bug number, just for the record.

In the meantime, you should look to see if Homebrew has mechanism to sign code with a stable code-signing identity. If it does, then you should be abel to grant access once and have it persist across updates.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  5
Boosts  0
Views  134
Participants  2
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
1w
Recommended
If only there was a way to disable local network access checks altogether

If only |-:

I recommend that you have a read through TN3179 Understanding local network privacy, just to confirm your understanding of the current state of affairs. If you still can’t find a solution that meets your requirement, you absolutely should file an enhancement request about this.

Please post your bug number, just for the record.

In the meantime, you should look to see if Homebrew has mechanism to sign code with a stable code-signing identity. If it does, then you should be abel to grant access once and have it persist across updates.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
IngmarStein
IngmarStein OP
1w

Thanks, Quinn! I've created an enhancement request and here's the bug number as requested: FB17818651.

I apologize if the "if only" came across as a bit snarky. I understand that not having such a setting is probably the right thing for macOS in the usual context of a personal computing device for end users. However, in a server context (where I guess Mac minis and Studios are quite popular), it might be warranted. Not sure if this audience is a priority for Apple.

As for Homebrew: I'm not a maintainer, but as far as I know, it only provides attestations for bottles (packages), and uses ad-hoc signing for the executables contained in the packages:

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
1w

Thanks for filing FB17818651.

I apologize if the "if only" came across as a bit snarky.

Oh, that’s not how I interpreted at all (-: Speaking personally, I’d love to see more options for folks in your situation.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
IngmarStein
IngmarStein OP
6d

Thanks! I hope there's a chance of a solution materializing during Tahoe's development.

In the meantime, I'll probably revert back to launch daemons because the permission problem is worse than I thought. It's one thing when I have to log in using remote desktop to re-grant permissions after upgrading Prometheus, Grafana, Alloy, or other services, but it's another when I upgrade a runtime like Pythong or .NET. In that case, I have to figure out which services use those, restart them, and then allow access to the local network and private keys in Keychain.

Running as root is already not great, but launch daemons often surface another problem: because they start so early in the boot process, network interfaces might not be up yet and some services don't properly handle that case. Technitium DNS, for example, falls back to listening on a default port on all interfaces if binding fails. I've filed an issue upstream and the next version will introduce a flag which instead terminates the process, so that launchd can restart it at a later time. There are other cases like this.

Just mentioning this additional context in case it helps with prioritization :)

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
3d
because [launchd daemons] start so early in the boot process, network interfaces might not be up yet

Indeed. Programs running on Apple platforms are expected to respond gracefully when the network configuration changes, but programs with a Unix-y herigate often don’t. Historically launchd supported the NetworkState property to help with that, but it looks like we removed that compatibility sop at some point.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Disable Local Network Access permission check
First post date Last post date
 
 
Q