Restricted software - how does jamf binary do it?

nextyoyoma
Contributor

We are writing a daemon to do something similar to what jamf's restricted software feature does. We want to specify apps that students cannot use while on campus, but are allowed to use at home (on-campus means on our network). We were planning to do something like this:

ps -acx | grep "$process"

but I ran across this:

http://mywiki.wooledge.org/ProcessManagement#How_do_I_kill_a_process_by_name.3F__I_need_to_get_the_PID_out_of_ps_aux_.7C_grep_....

that suggests this is a bad idea. In our testing we haven't run into any of these problems, but if there is a better way to do this, it would be helpful.

Does anyone know how the jamf binary kills processes? Is it possible to use the jamf binary to kill a process?

4 REPLIES

rmanly
Contributor III

I am a big fan of the Wooledge Wiki and Greycat and the guys in #bash but they tend to give the most correct/safest/POSIX compliant answer vs. maybe the one you need to get the job done right now.

The good news is that in 10.8 OS X now has pkill and pgrep so you can use the proper tools for the job.

If you need to do it in the older versions then you need to resort to hacky methods like:

kill $(ps acx | awk '/Adobe/ {print $1}')

or killall etc.

The only reason I prefer this to the grep option is then you don't have to do the second pipe "| grep -v grep" to get rid of the hit for the search itself.

The discussion you really need is actually the next Q. on that page. It will also provide you with some admonishment for combining Unix and BSD ps options with the -. ;)

http://mywiki.wooledge.org/ProcessManagement#But_I.27m_on_some_old_legacy_Unix_system_that_doesn.27t...

nextyoyoma
Contributor

Thanks for the response. The problem with the information on Wooledge is that it's aimed at developers, not administrators. It doesn't seem to me that there is any other way to accomplish what we need to do. And obviously JAMF is using something similar to accomplish its restricted software feature, so it can't be that big a deal...right?

mm2270
Legendary Contributor III

I'm pretty certain JAMF's restricted software process is basically doing what you've outlined, looking at the process name and if found, killing it. The process name is not going to change even if the application bundle has been renamed in the Finder, so I don't see why there would be any danger in using it like that.

rockpapergoat
Contributor III

administrators should know how to code, even if it's just shell. the divide between the two groups isn't helpful to anyone.

also, you can avoid using a second "grep -v" by using a character class, like: "ps -a | grep -i '[m]ail'"

that will only return details for the running mail.app process.

if you look at what the jamf binary does to kill processes, it uses the more hacky "grep foo | grep -v" construct. blech.
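
An added example, not from any poster in this thread and not the jamf binary's own method: it contrasts the substring match of `ps | grep "$process"` with an exact match on the command-name field, which is what keeps a restricted-software check from hitting similarly named processes. The process listing, PIDs and app names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape of `ps -axc -o pid=,comm=` output:
# PID, then the bare command name (which may contain spaces).
sample_ps() {
cat <<'EOF'
  301 Finder
  412 Mail
  413 Mailplane
  520 MailHelper
  702 Google Chrome
EOF
}

# Substring match, as in `ps -acx | grep "$process"`:
# prints the PID of every line that merely contains the name.
naive_pids() {
    grep "$1" | awk '{print $1}'
}

# Exact match: compare the whole command-name field to the wanted name.
exact_pids() {
    awk -v name="$1" '{
        pid = $1
        sub(/^[ \t]*[0-9]+[ \t]+/, "")   # drop the PID column, keep the name verbatim
        if ($0 == name) print pid
    }'
}

# Print "pid name" for each restricted app found in the listing.
# The restricted list here is an assumption for illustration.
find_restricted() {
    listing=$(sample_ps)
    for app in "Mail" "Google Chrome"; do
        printf '%s\n' "$listing" | exact_pids "$app" | while read -r pid; do
            printf '%s %s\n' "$pid" "$app"
        done
    done
}

find_restricted
```

On a live system that has pgrep (OS X 10.8 and later, per the reply above), `pgrep -x "Mail"` does the same exact-name match without parsing ps output.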