FROM : Damien Sorresso
DATE : Sat Jun 24 22:55:27 2006
On 24 Jun, 2006, at 3:33 PM, Gerriet M. Denkmann wrote:
> I have an app which uses a small helper tool which runs setuid root.
> Everything works perfectly.
>
> But if the computer boots from some partition A and the helper tool
> resides on some partition B (A ≠ B) and if B is accessed via FireWire
> it just doesn't work.
>
> Normally I get something like this:
> 2006-06-24 11:22:16.875 Test Helper[857] path: /tmp/Test Helper
> 2006-06-24 11:22:16.879 Test Helper[857] owner: root (0)
> 2006-06-24 11:22:16.880 Test Helper[857] rights: 4555
> 2006-06-24 11:22:16.880 Test Helper[857] geteuid: 0 Ok
>
> But when "Test Helper" is on some FireWire partition I get:
> 2006-06-24 11:20:37.040 Test Helper[851] path: /Volumes/FireWire Disk/tmp/Test Helper
> 2006-06-24 11:20:37.043 Test Helper[851] owner: root (0)
> 2006-06-24 11:20:37.043 Test Helper[851] rights: 4555
> 2006-06-24 11:20:37.044 Test Helper[851] geteuid: 502 Error
>
> This might be a bug or a security feature or I might be doing
> something very stupid.
>
> But: is there a way to make this FireWire partition behave like an
> internal disk? (Finder -> Info has a switch "Ignore ownership on
> this volume" which is NOT checked).
When a SetUID tool is copied or moved, it loses the SUID bit. The
most common solution is to have your tool check itself for the SUID
bit when it's launched with AuthorizationExecuteWithPrivileges(...),
and if it's not present, to launch another instance of itself, repair
itself and then continue with its execution. Apple's got some sample
code showing how to do this.
> And: how can I know whether a directory resides on a FireWire
> partition?
I don't believe that you can run privileged tools from external
volumes. What you could do is, if you know your tool is going to be
on an external volume, have it copy itself to somewhere like the
user's Application Support directory, launch that copy and have it do
a self-repair and then continue on with its execution as normal.
> And: is there some folder which is guaranteed to reside on the boot
> partition? Like /private/tmp - but this might be a symbolic link
> pointing to some other partition.
The only guarantee is /System, really. You could have /Library,
/Applications or practically anything sym-linked to another location.
(My /Users directory is just a sym-link to a separate partition, for
example.) Of course, / is also guaranteed to be on the boot
partition. ;)
Why does your tool need to run from the boot partition?
--
Damien Sorresso
Mac OS X Developer
Computer Infrastructure Support Services
Illinois State University
E-mail: damien.<email_removed>
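
An added example, not part of the original message and not Apple's sample code: a self-check a setuid helper could run at launch to tell apart the cases raised in this thread (setuid bit missing, wrong owner, or a volume mounted with the `nosuid` option, where the bit is present but ignored at exec time, which matches the quoted log of mode 4555, owner root, geteuid 502). It also compares device IDs with `/` to answer whether a path is on the boot volume. The function names and status codes are hypothetical; it assumes only POSIX `stat` and `statvfs`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

enum suid_status { SUID_OK, SUID_STAT_FAILED, SUID_NOT_ROOT_OWNED,
                   SUID_BIT_MISSING, SUID_WRITABLE, SUID_NOSUID_MOUNT };

/* Pure decision logic, separated from the syscalls so it can be unit-tested. */
enum suid_status classify(uid_t owner, mode_t mode, unsigned long mount_flags)
{
    if (owner != 0)                 return SUID_NOT_ROOT_OWNED;
    if (!(mode & S_ISUID))          return SUID_BIT_MISSING;
    if (mode & (S_IWGRP | S_IWOTH)) return SUID_WRITABLE;     /* anyone could replace it */
    if (mount_flags & ST_NOSUID)    return SUID_NOSUID_MOUNT; /* bit set but ignored at exec */
    return SUID_OK;
}

enum suid_status check_helper(const char *path)
{
    struct stat st;
    struct statvfs vfs;
    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return SUID_STAT_FAILED;
    return classify(st.st_uid, st.st_mode, vfs.f_flag);
}

/* 1 if path is on the same device as "/", 0 if not, -1 on error.
   stat() follows symlinks, so a /private/tmp that points elsewhere is caught. */
int on_boot_volume(const char *path)
{
    struct stat p, root;
    if (stat(path, &p) != 0 || stat("/", &root) != 0)
        return -1;
    return p.st_dev == root.st_dev;
}

int main(int argc, char **argv)
{
    static const char *const why[] = { "ok", "stat failed", "not owned by root",
        "setuid bit missing", "group/other writable", "volume mounted nosuid" };
    const char *path = argc > 1 ? argv[1] : argv[0];
    printf("path: %s\nstatus: %s\non boot volume: %d\ngeteuid: %d\n",
           path, why[check_helper(path)], on_boot_volume(path), (int)geteuid());
    return 0;
}
```

A helper that gets `SUID_NOSUID_MOUNT` cannot fix itself in place; only the copy-to-a-local-volume approach described in the reply applies in that case.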

Related mails:

| Author | Date |
|---|---|
| Gerriet M. Denkman… | Jun 24, 22:33 |
| Damien Sorresso | Jun 24, 22:55 |
| Chris Suter | Jun 25, 10:14 |
| Gerriet M. Denkman… | Jun 25, 10:14 |
| Finlay Dobbie | Jun 25, 13:25 |
| wadeslists | Jun 25, 13:45 |
| Chris Suter | Jun 25, 13:53 |
| Gerriet M. Denkman… | Jun 25, 20:49 |
| Gerriet M. Denkman… | Jun 25, 20:51 |
| Finlay Dobbie | Jun 26, 00:41 |






Cocoa mail archive

