Mailing Lists: Apple Mailing Lists


Re: Using MoreSCF



At 16:54 +0100 7/10/02, email@hidden wrote:
> The thing I thought was strange is that my network settings weren't
> locked, so when I wasn't logged in as root user, I thought it should have
> worked. I.e., the lock in the network settings is unlocked.

This lock is managed entirely within System Preferences. System Preferences has an EUID 0 backend process that it uses to commit SCF changes. The lock prevents that process from doing commits. It has nothing to do with the SCF or Auth APIs.

> Any ideas how I can get my application to temporarily have root access when
> setting up the configuration items, and then lose the privilege?
>
> I have seen the AuthSample, but this says that GUI applications shouldn't
> be able to have root privileges, which seems strange to me, and the sample is
> presently confusing.
>
> I would have thought that if a process wants root privileges, the process
> calls an API, which causes a dialog to appear similar to clicking on the
> unlock button in the system preferences (network settings), so the user is
> fully aware that we are going to change something.

This isn't possible, at least not in the way you want. The only way for a BSD process to upgrade its privileges is for it to exec a setuid program. You can't call an API to upgrade your preferences. This means that you really need to split your application into the front-end GUI part that runs with the user's EUID, and a back-end helper tool that runs as EUID 0. While I understand that AuthSample is a little complicated, it's the only way to resolve the conflicting requirements of having your GUI process not run as EUID 0 and being able to make changes that require EUID 0.

BTW, this stuff is explained fairly well in the Auth Services docs.

<http://developer.apple.com/techpubs/macosx/CoreTechnologies/securityservices/authorizationservices/authservices.html>

We're also working on new documentation to cover these issues in great depth.

S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macnetworkprog
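
The back-end half of the split described in the reply above, as an added example that is not part of the original message and is not AuthSample code: a setuid-root helper that accepts one fixed request from the GUI front end, performs it, and then permanently returns to the invoking user's IDs. The verb `commit-network`, the function names and `demo_commit` (a stand-in for the SCF commit) are assumptions, and the Authorization Services check that AuthSample performs is not shown.

```c
/* Added example: POSIX side of a setuid-root helper. Identifiers are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum request { REQ_INVALID = 0, REQ_COMMIT_NETWORK };

/* Accept only one fixed verb from the front end: no paths, no arguments. */
enum request parse_request(const char *line) {
    static const char verb[] = "commit-network";
    if (line == NULL) return REQ_INVALID;
    size_t n = strlen(line);
    if (n > 0 && line[n - 1] == '\n') n--;          /* strip one line ending */
    return (n == sizeof verb - 1 && memcmp(line, verb, n) == 0)
               ? REQ_COMMIT_NETWORK : REQ_INVALID;
}

/* Permanently return to the invoking user's IDs; 0 on success, -1 otherwise. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;               /* group first, while still EUID 0 */
    if (setuid(ruid) != 0) return -1;               /* as EUID 0 this also resets the saved UID */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;                                  /* root must not be recoverable */
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Stand-in for the one privileged step (assumption: the SCF commit goes here). */
static int demo_commit(enum request req) { (void)req; return 0; }

/* 0 = done, 1 = privileged step failed or helper is not EUID 0,
   2 = request rejected, 3 = could not drop privileges. */
int run_helper(const char *line, int (*privileged_op)(enum request)) {
    enum request req = parse_request(line);
    if (req == REQ_INVALID) { drop_privileges(); return 2; }
    int rc = (geteuid() == 0) ? privileged_op(req) : -1;
    if (drop_privileges() != 0) return 3;
    return rc == 0 ? 0 : 1;
}

int main(void) {
    char line[64];
    if (fgets(line, sizeof line, stdin) == NULL) return 2;
    int rc = run_helper(line, demo_commit);
    fprintf(stderr, "helper status %d, euid now %d\n", rc, (int)geteuid());
    return rc;
}
```

Run without the setuid bit, the helper reports status 1 for a valid request because it never had EUID 0 to begin with.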