Re: Running process as root from Cocoa

FROM : Chris Suter
DATE : Tue Jan 29 07:54:44 2008

On 29/01/2008, at 5:27 PM, Kyle Sluder wrote:

> On Jan 29, 2008 1:20 AM, Mitchell Hashimoto <<email_removed>> wrote:

>> What do you mean I can't access the window server?

>
> To be accurate, it works now, but will be disabled in the future.  A
> full explanation can be had here:
> http://developer.apple.com/technotes/tn2005/
> tn2083.html#SECWINDOWSERVER
>
> Basically, it boils down to this: the window server advertises a
> service.  But it also advertises a "global window server service" that
> apps running as both root and the current console user can connect to.
> This global service is going away, which means that apps running as
> root will no longer be able to put up GUI.


I'm no expert on this, but I don't know that it's true that you won't 
be able to run a GUI application as root. Even after the global window 
server service has gone away, I believe you will still be able to run 
a process as root because processes will inherit a reference to a per-
session bootstrap namespace—simply changing the user ID doesn't change 
this inheritance. In Terminal if you were to type:

su someone_else
./MyGUIApp/Contents/MacOS/MyGUIApp

You'll find it works, even though the user ID doesn't match the 
current session and isn't root.

The removal of the "global window server service" will affect 
processes that don't inherit a per-session bootstrap namespace, for 
example, SSH logins.

Anyway, having said all that, you still shouldn't really run a GUI app 
as root if you're concerned at all about security.

As I said, I'm no expert so I could be wrong on this.

- Chris