William C. McCain wrote:
| Is there a property in Info.plist that I can set to give my Java
| application, packaged as a .app bundle, the superuser privilege? Or
| some other simple way to run a Java app with superuser privileges?
No, there's no simple way to do it. Superuser privileges are intentionally hard to get. (And a property in an Info.plist file would be a huge, gaping security hole just asking to be exploited.)
| My application exposes a small, low-function, secure HTTP server (this
| is not the main function of my application, but it is needed to support
| a master/remote interface between machines on a local area network in a
| user's home). This requires superuser privileges.
Why? What do you need to do that an ordinary user can't do?
| It works fine in a shell when I prefix my application with "sudo". But
| I can't ask users to do that! I have also been able to get it to work
| from an AppleScript (something like 'do shell script "sudo open
| MyApp"'). That will be what I will have to ship, unless there is a
| better, more "transparent" solution.
The usual (and Apple-recommended) solution has two parts:
1. Create a separate program that does whatever it is that requires root
access--and *only* that--and arrange for the main program to call on
it as necessary.
2. Give the main program the ability to give root privileges to the support
program, and have it do so when necessary. (Usually, this will be the
first time the program runs.)
Step 1 probably requires a small native program to start Java. A program gets permanent root access by having the "set user ID" bit set, and that bit affects only native executables (I believe).
Step 2 requires the use of the Authorization Services functions--to gain root privileges temporarily, needed to grant permanent privileges--which I believe aren't available in Java. I'd write a small, separate native program that does the authorizing and granting of root privileges, and nothing else. (There's no benefit to integrating it into the Java code, so no reason to resort to JNI.)
You thus end up with two Java programs (the server and the main application) and two small native programs (the server starter and the "grant root privileges" program).
Glen Fisher
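
A sketch in C of the "server starter" from step 1, added here as an example; it is not code from this thread or from Apple. It is meant to run after the step 2 program has given it root ownership and the set-user-ID bit, and it launches one fixed command with a fixed environment. The paths `JAVA_BIN` and `SERVER_JAR` and the function names are assumptions.

```c
/* Added example: setuid-root "server starter" that launches one fixed
 * command. Paths are assumed placeholders, not taken from the thread. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAVA_BIN   "/usr/bin/java"               /* assumed */
#define SERVER_JAR "/Library/MyApp/server.jar"   /* assumed */

/* Fixed environment: nothing is inherited from the unprivileged caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Anything executed as root must be a regular file (symlinks rejected),
 * owned by `owner`, and not writable by group or other. */
int is_safe_target(const char *path, uid_t owner) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != owner) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Fill the fixed argv; the caller's own arguments are never forwarded. */
int build_argv(const char *out[], size_t cap) {
    if (cap < 4) return -1;
    out[0] = "java";
    out[1] = "-jar";
    out[2] = SERVER_JAR;
    out[3] = NULL;
    return 3;
}

int main(void) {
    const char *args[4];
    if (geteuid() != 0) {
        fprintf(stderr, "starter: not installed setuid root\n");
        return 1;
    }
    if (!is_safe_target(JAVA_BIN, 0) || !is_safe_target(SERVER_JAR, 0)) {
        fprintf(stderr, "starter: refusing to run unsafe target\n");
        return 1;
    }
    build_argv(args, 4);
    execve(JAVA_BIN, (char *const *)args, CLEAN_ENV);
    perror("starter: execve");   /* reached only if execve failed */
    return 1;
}
```

The ownership check only helps if every directory on the way to both files is also root-owned and not writable by other users.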
Java-dev mailing list (email@hidden)