Cocoa mail archive
Re: Using Security framework to get root auth for running app.
FROM : OL&L Lists
DATE : Wed Dec 15 23:39:40 2004
At 4:03 PM -0500 12/15/04, <email_removed> wrote:
> >
>> On Dec 15, 2004, at 2:16 PM, <email_removed> wrote:
>>> Darn. I was hoping that would not be the case.
>>> Question then, can I set /Applications/SomeApp.app as the toolpath? or
>>> can
>>> I only launch command line tools?
>>
>> Part of the issue here is that when you would make your application
>> run as root, you would also be then granting root level access to all
>> libraries and frameworks you are using, which is relatively speaking a
>> HUGE security hole over putting specific bits of functionality in a
>> standalone and limited helper tool.
>>
>> Take the functions that must be performed as root and wrap them in a
>> helper tool, and have your application call this tool, passing the
>> authorization reference along with the command to perform. You'll be
> > happy you did, really, even though it's extra work.
>
> Explained this way it makes a little more sense. I guess Im just
>concerned that I'll have to re authorize the commandline tool for each
>file that needs removal which would be tedious. Anyway. Back to the books
>I suppose.
Write a helper tool to authorize once, cache the AuthorizationRef in
the app portion, then use the already-authorized AuthorizationRef to
call the tool multiple times passing the cached AuthorizationRef each
time. This allows the user to authorize once but allows you to
perform multiple privileged operations without reauthorizing each
time.
Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com
DATE : Wed Dec 15 23:39:40 2004
At 4:03 PM -0500 12/15/04, <email_removed> wrote:
> >
>> On Dec 15, 2004, at 2:16 PM, <email_removed> wrote:
>>> Darn. I was hoping that would not be the case.
>>> Question then, can I set /Applications/SomeApp.app as the toolpath? or
>>> can
>>> I only launch command line tools?
>>
>> Part of the issue here is that when you would make your application
>> run as root, you would also be then granting root level access to all
>> libraries and frameworks you are using, which is relatively speaking a
>> HUGE security hole over putting specific bits of functionality in a
>> standalone and limited helper tool.
>>
>> Take the functions that must be performed as root and wrap them in a
>> helper tool, and have your application call this tool, passing the
>> authorization reference along with the command to perform. You'll be
> > happy you did, really, even though it's extra work.
>
> Explained this way it makes a little more sense. I guess Im just
>concerned that I'll have to re authorize the commandline tool for each
>file that needs removal which would be tedious. Anyway. Back to the books
>I suppose.
Write a helper tool to authorize once, cache the AuthorizationRef in
the app portion, then use the already-authorized AuthorizationRef to
call the tool multiple times passing the cached AuthorizationRef each
time. This allows the user to authorize once but allows you to
perform multiple privileged operations without reauthorizing each
time.
Michael
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com
