Beyond the good ol' LaunchAgents - 15 - xsanctl
This is part 15 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction.
I ran into this not so exciting persistence method when I was investigating xsanctl for… other… reasons… xsanctl is a “Xsan file system control utility”, which allows us to mount and manage Xsans.
The xsanctl binary can be found at /System/Library/Filesystems/acfs.fs/Contents/bin/xsanctl, however when we simply run the command it is run from /usr/sbin/xsanctl. If we check, this is a symbolic link.
csaby@mac exploits % ls -l /usr/sbin/xsanctl
lrwxr-xr-x 1 root wheel 63 Jan 1 2020 /usr/sbin/xsanctl -> /System/Library/Filesystems/acfs.fs/Contents/bin/redirection.sh
Interestingly the link points to a script and not the actual binary.
The script is very short.
#!/bin/sh
if [ -r /Library/Preferences/Xsan/.xsanrc ]
then
. /Library/Preferences/Xsan/.xsanrc
fi
if [ x"${XSAN_ALT_BINDIR}" == x ]
then
XSAN_ALT_BINDIR=/System/Library/Filesystems/acfs.fs/Contents/bin
fi
COMMAND=`basename $0`
${XSAN_ALT_BINDIR}/${COMMAND} "$@"
It will source the file /Library/Preferences/Xsan/.xsanrc if it exists and is readable, so any commands in it run inside the script's shell. Moreover, it will look for the xsanctl binary in a different location if the XSAN_ALT_BINDIR variable is set, either in the environment or by .xsanrc itself, which allows further redirection.
Essentially, we can persist in the /Library/Preferences/Xsan/.xsanrc script. Unfortunately, this location requires root access, and this utility is likely also not frequently run, especially by non-enterprise users.
So it’s not super useful, but I thought it would be worth a quick post.
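For defenders, the fact that redirection.sh sources .xsanrc makes that file worth auditing. The following is an added example, not code from the original post or from Apple: a shell function that reads the file as text and flags anything beyond literal variable assignments, an XSAN_ALT_BINDIR pointing away from the default directory, or loose permissions. The function name, the FINDINGS counter and the message wording are assumptions made for this example.

```shell
#!/bin/sh
# Added example: static audit of the rc file that redirection.sh sources.
# Paths are the ones quoted in the post; audit_xsanrc, FINDINGS and the
# message wording are names made up for this sketch.
DEFAULT_BINDIR=/System/Library/Filesystems/acfs.fs/Contents/bin
# A line counts as harmless only if it is NAME=value with a literal value.
SAFE_ASSIGN='^(export +)?[A-Za-z_][A-Za-z0-9_]*="?[A-Za-z0-9_./:-]*"?$'

audit_xsanrc() {
    rc="${1:-/Library/Preferences/Xsan/.xsanrc}"
    FINDINGS=0
    # redirection.sh sources the file only when it is readable.
    if [ ! -r "$rc" ]; then
        echo "OK: $rc is absent or unreadable, nothing gets sourced"
        return 0
    fi
    # Writable by group or others means root is no longer required.
    if [ -n "$(find "$rc" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FINDING: $rc is group- or world-writable"
        FINDINGS=$((FINDINGS + 1))
    fi
    n=0
    # Read the file as text; never source or eval what is being audited.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        printf '%s\n' "$line" | grep -Eq '^[[:space:]]*(#.*)?$' && continue
        if ! printf '%s\n' "$line" | grep -Eq "$SAFE_ASSIGN"; then
            echo "FINDING: line $n runs as shell code on every xsanctl call: $line"
            FINDINGS=$((FINDINGS + 1))
            continue
        fi
        stmt=$(printf '%s\n' "$line" | sed -E 's/^export +//')
        case "$stmt" in XSAN_ALT_BINDIR=*)
            value=${stmt#*=}; value=${value#\"}; value=${value%\"}
            if [ -n "$value" ] && [ "$value" != "$DEFAULT_BINDIR" ]; then
                echo "FINDING: line $n redirects the binary lookup to $value"
                FINDINGS=$((FINDINGS + 1))
            fi ;;
        esac
    done < "$rc"
    [ "$FINDINGS" -eq 0 ] && echo "OK: $rc holds only literal assignments"
    [ "$FINDINGS" -eq 0 ]
}

audit_xsanrc "$@"
```

The audit covers only the file; an XSAN_ALT_BINDIR value inherited from the calling environment is outside its view.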