Skip to content

Security: Dezoff-max/AdminDoctor

Security

SECURITY.md

Security Policy

AdminDoctor is designed for local diagnostics plus explicitly confirmed, reversible admin utilities.

Supported Versions

AdminDoctor is pre-1.0. Security fixes are accepted on main until release branches exist.

Reporting A Vulnerability

Do not open a public issue with sensitive host data or an exploit report.

Please report vulnerabilities privately through GitHub Security Advisories when the repository is available. Include:

  • affected version or commit
  • steps to reproduce
  • expected impact
  • whether sensitive data may be exposed

Privacy Expectations

AdminDoctor must not:

  • execute shell sudo
  • run irreversible cleanup commands
  • upload reports
  • phone home
  • collect telemetry
  • export personal data without default redaction

Safe cleanup utilities must:

  • scan before acting
  • operate only on configured user-scoped paths
  • show item names, paths, and size estimates before action
  • require explicit user confirmation
  • move selected items to Trash instead of permanently deleting them
  • keep system paths and privileged locations out of the main app cleanup path
  • use signed helper dry-run, allow-listed paths, quarantine moves, and audit logging for privileged system cleanup candidates

Administrator Authorization

AdminDoctor requests administrator authorization at launch through macOS Authorization Services. The app stores the resulting authorization reference only in memory for the current app session.

This does not make the SwiftUI process run as root. Privileged operations must use explicit, reviewed code paths and must stay reversible or read-only unless a release has a signed, notarized helper and a documented action audit trail.

The bundled AdminDoctorPrivilegedHelper includes a launchd plist, SMAppService registration flow, and XPC status, dry-run, and quarantine methods. Production helper approval requires a valid Apple code-signing identity and a correctly signed app/helper pair.

Privileged cleanup must:

  • accept only paths found by the current allow-listed system cleanup scan
  • reject symbolic links and paths outside the allow-list
  • perform dry-run planning before action
  • move eligible items to /Users/Shared/AdminDoctor/PrivilegedCleanup
  • write JSONL audit events to /Library/Logs/AdminDoctor/privileged-helper-audit.jsonl
  • avoid irreversible deletion commands

Network Scanning

LAN scanning is local-only. AdminDoctor may send short ICMP probes to local addresses, read the local ARP table, attempt local Bonjour/mDNS-style name hints, and probe a small set of common ports on discovered local devices. It must not upload discovered devices or query a remote vendor database at runtime.

External IP lookup is intentionally user-triggered because it contacts an external DNS resolver.

Sensitive Test Data

Use fake fixture values only. Never commit real serial numbers, usernames, hostnames, Wi-Fi SSIDs, local IPs tied to a person or company, tokens, passwords, or customer identifiers.

There aren't any published security advisories