Paul, and everyone,
That's a very good point about security. A simple Applescript could take control of the UI, which could potentially be pretty harmful - but possibly no more so than a simple script that deletes files without prompting the user. Either way, I think I'll still submit it to Apple in hopes of a response, or if necessary, a fix.
I considered (but admittedly hadn't tried) using the "open for access" method - I wasn't sure if that method would respect the UNIX permissions root/wheel ownership of both the /var/db directory and the .AccessibilityAPIEnabled file. Any Applescript executed by a user runs with that user's permissions - and the /var/db directory cannot be written to by anyone but the root user, so without a password prompt there is no way for a user-executed Applescript to write to that directory. Is there a way to execute the "open for access" command (or any Applescript command, for that matter) as root user via Applescript, by asking for an admin password? And for that matter, is there a way to set UNIX owner/group permissions via Applescript?
Now that I say all of this I see even more potential security issues... but even so, an Applescript action such as writing/removing a file in a root-owned directory should require the user to enter an admin password.
Bill, I'm sure you would know better than I - what are your thoughts on this as a potential security issue? And I'm looking forward to UI Browser 2.0 - I'll be one of your first buyers :-)
thanks guys,
Scott
On Jun 22, 2006, at 7:58 PM, Paul Berkowitz wrote:
On 6/22/06 6:40 PM, "Scott Doenges" <email@hidden> wrote:
So evidently I need to come up with a better way to automate enabling this setting (I also plan on filing a bug report via ADC, just to make sure Apple is aware of this potential problem).
Just possibly it's not a bug but an important security feature fixing a big security hole: the whole point is that you're not supposed to be able to enable GUI scripting programmatically, since that could permit the introduction of countless viruses on the Mac. The user is always supposed to to the enabling. Bill Cheeseman (I think) has a sample somewhere (maybe in the ReadMe for UI Browser) that shows how to put up an alert, open the correct Universal Access pane of System Prefs for the user to do the enabling - if she so wishes - and then choose to rerun the script. It's easy enough to figure this out for yourself. However (especially since it works OK on PPC machines the way you're doing it), it's probably just an accident that it doesn't work on Intel...
Any suggestions for better methods of creating the proper file? I obviously can't use UI scripting to go in and check that box for me! :-) Does anyone have suggestions for shell commands that can write text into a file?
You don't need shell commands. use 'open for access with write permission' and 'write' commands from Standard Additions, which will create the file too without involving the Finder.
--
Paul Berkowitz
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Help/Unsubscribe/Update your Subscription:
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Help/Unsubscribe/Update your Subscription:
