Skip to content

Security: E0min/ClamshellKeeper

Security

SECURITY.md

Security

ClamshellKeeper changes system-wide macOS power settings through pmset.

Privileged Scope

The sudoers helper must only allow:

/usr/bin/pmset -a disablesleep 1
/usr/bin/pmset -a disablesleep 0

Do not request or merge changes that grant broad passwordless sudo.

Managed sessions require this exact noninteractive rule before activation. Timer, battery, AI, quit, startup recovery, and watchdog Off paths never fall back to an interactive administrator prompt.

Managed Session Lease

Before enabling SleepDisabled, ClamshellKeeper writes a private 0600 lease under:

~/Library/Application Support/ClamshellKeeper/managed-session.json

The lease contains a random session ID, owner PID plus process-start token, boot-session ID, baseline-Off confirmation, phase timestamps, heartbeat, and, for bounded timers, an absolute deadline. Writes use a cross-process lock, temporary file, fsync, and atomic rename. Identity-checked atomic mutations enforce forward-only phases, make .released terminal, and prevent a stale writer from erasing guarded process metadata. A separate unprivileged watchdog bundled with the app can execute only the two exact power commands already permitted by sudoers.

The app never launches a managed On command itself. It sends a bounded, exact protocol frame to the watchdog, which confirms the current state is Off and records .activating. The watchdog creates On in a dedicated suspended process group, durably records its PID and start token, and only then resumes it. Recovery kills and waits for that exact group before Off, preventing a delayed orphan On. The watchdog records .active before acknowledging success. Parent EOF takes priority over unread activation data, and recovery preserves the original owner identity until a new guardian is ready.

The watchdog turns the setting off when the app process exits, its heartbeat expires, a configured deadline arrives, or activation/release stalls. Off execution happens outside the lease lock; removal is revalidated against the same session identity afterward. A verified-Off .released tombstone prevents cleanup retries from changing a later external session.

This user-space watchdog does not survive logout or reboot. A stale lease is reconciled the next time ClamshellKeeper launches; enabling Launch at Login reduces that recovery window. Guaranteeing recovery before login would require a separately reviewed persistent system component.

Recovery

If ClamshellKeeper is deleted or crashes while keep-awake is enabled:

sudo /usr/bin/pmset -a disablesleep 0
rm -f "$HOME/Library/Application Support/ClamshellKeeper/managed-session.json"
sudo rm -f /private/etc/sudoers.d/clamshellkeeper

Always confirm SleepDisabled is 0 before removing the lease or the limited sudoers rule.

Reporting

Please open a private security advisory on GitHub if available, or create an issue with minimal reproduction details if the issue is not sensitive.

There aren't any published security advisories