
Re: Add to authorization policy database error




On Dec 7, 2004, at 11:51, Steven Palm wrote:


On Dec 7, 2004, at 12:03 PM, Conrad Sauerwald wrote:
Oops - you've found a bug. /etc/authorization only contains authenticate-session-owner as a rule. I will add that rule in /etc/authorization by the name authenticate-session-user too.

Thanks. Something still isn't quite right here, though, using the API to add these...


 Shouldn't this work?  (using hardcoded values for easier reading here)

// Right definition: the "rule" key alone is the shorthand form (no explicit "class" key).
NSArray *keys = [NSArray arrayWithObjects:@"rule", @"comment", nil];
NSArray *rules = [NSArray arrayWithObjects:@"authenticate-session-owner-or-admin", nil];
NSArray *vals = [NSArray arrayWithObjects:rules, @"load/unload tun/tap kexts", nil];
NSDictionary *dict = [NSDictionary dictionaryWithObjects:vals forKeys:keys];
// AuthorizationRightSet takes a CFBundleRef; NSBundle is not toll-free bridged to CFBundle,
// so pass CFBundleGetMainBundle() rather than [NSBundle mainBundle].
err = AuthorizationRightSet(authRef, "my.right.name", (CFDictionaryRef)dict, (CFStringRef)@"description", CFBundleGetMainBundle(), NULL);

"rule=foo" by itself is a shortcut way of saying "class=rule", "rule=foo". Add a "class=rule" pair or even the entry exactly the way you want it to look.


err returns -60005

This one I do not want to time out; it will be revoked upon program termination. That won't add to the database, but I'd also like to create another right based on/modeled after that one, like this:

// Second right: satisfied by the first right or by a fresh authentication, with a five-minute timeout.
keys = [NSArray arrayWithObjects:@"rule", @"comment", @"timeout", nil];
rules = [NSArray arrayWithObjects:@"my.right.name", @"authenticate-session-owner-or-admin", nil];
vals = [NSArray arrayWithObjects:rules, @"Start VPN", @"300", nil];
dict = [NSDictionary dictionaryWithObjects:vals forKeys:keys];
// Same CFBundleRef point as above: CFBundleGetMainBundle(), not [NSBundle mainBundle].
err = AuthorizationRightSet(authRef, "my.right.name2", (CFDictionaryRef)dict, (CFStringRef)@"description", CFBundleGetMainBundle(), NULL);


err returns -60005

The timeout=300 won't override what the timeout in the referenced rules is set to. Also, you want k-of-n to be 1, I presume.


So this right would timeout after five minutes, and either require that they have the first right when they try to get this one or would have to authenticate. Now that I think of it, I'm not sure this would do quite what I want.... I'd really like to grant this upon program launch when they must authenticate for the first right, but timeout in five minutes and then require re-authentication from that point on... I'll have to rethink that I guess.

Realize that we don't remember rights in the current authorizations. They're all based on valid credentials. So if my.right.name is a shared right, authenticate-session-owner will be authorized too.



In the meantime, keep using the constant and modify or duplicate the rule in /etc/authorization.

This is a 10.3 only application, so hopefully I can do this through the API calls exclusively and not require editing of the file on the machines this is installed on.

We talk about 10.3 or earlier only :-)

Conrad.
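As an added example (not code from the thread), here is the second right spelled out the way Conrad describes: an explicit class=rule pair, k-of-n set to 1, the timeout and comment, written with AuthorizationRightSet and then read back with AuthorizationRightGet to confirm what the policy database stored. The right name and description key are placeholders, and the code assumes ARC and a modern Objective-C toolchain.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical right name; use one in your own reverse-DNS namespace.
static const char *kRightName = "com.example.vpn.start";

// Writes a fully spelled-out right definition. Returns the OSStatus from
// AuthorizationRightSet: errAuthorizationSuccess on success, errAuthorizationDenied
// (-60005) when the database rejects the definition or authRef cannot obtain the
// config.modify.<right> authorization (admin credentials by default).
static OSStatus InstallRightDefinition(AuthorizationRef authRef)
{
    // "rule=foo" alone is shorthand for "class=rule, rule=foo"; spelling out
    // "class" avoids depending on the shorthand. "k-of-n" = 1 means any one of
    // the listed rules satisfies the right.
    NSDictionary *definition = @{
        @"class":   @"rule",
        @"rule":    @[ @"authenticate-session-owner-or-admin" ],
        @"k-of-n":  @1,
        // A timeout on the right does not override the timeout of the rule it
        // references; it only bounds how long this right's own credential lives.
        @"timeout": @300,
        @"comment": @"Start VPN (constructed example)",
    };
    return AuthorizationRightSet(authRef, kRightName,
                                 (__bridge CFDictionaryRef)definition,
                                 CFSTR("Start the VPN"),    // description key for the prompt
                                 CFBundleGetMainBundle(),  // CFBundleRef, not NSBundle*
                                 NULL);
}

// Reads the stored definition back (nil if the right does not exist) so the
// caller can verify exactly what landed in the policy database.
static NSDictionary *ReadRightDefinition(void)
{
    CFDictionaryRef stored = NULL;
    if (AuthorizationRightGet(kRightName, &stored) != errAuthorizationSuccess)
        return nil;
    return CFBridgingRelease(stored);
}

int main(void)
{
    @autoreleasepool {
        AuthorizationRef authRef = NULL;
        OSStatus err = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                           kAuthorizationFlagDefaults, &authRef);
        if (err == errAuthorizationSuccess)
            err = InstallRightDefinition(authRef);
        NSLog(@"AuthorizationRightSet -> %d; stored: %@", (int)err, ReadRightDefinition());
        if (authRef) AuthorizationFree(authRef, kAuthorizationFlagDefaults);
        return err == errAuthorizationSuccess ? 0 : 1;
    }
}
```

Run it once as an administrator to install the definition; a -60005 result with a nil read-back means the database never accepted the right, whereas a non-nil read-back with an unexpected shape points at the definition keys themselves.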