Re: Executing AppleScripts from an 'AXTrustedProcess'
Re: Executing AppleScripts from an 'AXTrustedProcess'
- Subject: Re: Executing AppleScripts from an 'AXTrustedProcess'
- From: Tobias Zimmerman <email@hidden>
- Date: Tue, 3 Feb 2009 18:56:52 -0500
Thanks everyone, let me respond in turn:
> From: Rainer Brockerhoff <email@hidden>
>
> For your specific case, why don't you move the windows directly using Accessibility? (I'm doing this myself in an upcoming app.) It's more work but rarely fails.
This sounds intriguing. Can you point me at a good place to start
researching how to do this (or, even better, give me an example?) I
am an amateur, just getting started with Cocoa, and had done all of
this in pure applescript before hand, so that is where I am coming
from.
> From: Bill Cheeseman <email@hidden>
> I wonder whether this confuses root access (setuid/setgid) with entrustment.
> I believe I recall correctly that the recent security change regarding
> AppleScript relates (or was intended to relate) only to the issue of root
> access. So if the OP limits root access to the helper app that runs
> AXMakeProcessTrusted against his main application executable, the
> limitations regarding root access shouldn't be an issue.
>
> I don't offhand see any principled reason why security considerations would
> lead Apple to prevent a trusted assistive application from running
> AppleScript commands addressed to another application. If anything, a
> trusted assistive application should be allowed to exercise increased power.
> (I can imagine, however, that this might have been an unintended side effect
> of implementing the root limitations.)
>
> Until a knowledgeable Apple engineer weighs in to the contrary, I would be
> inclined to suggest that the OP look for the cause of the problem somewhere
> else. Unless, of course, he has confirmed that his application works as
> intended if he does everything the same EXCEPT to run the
> AXMakeProcessTrusted function -- in that case, we're all up a creek.
Bill- My app works perfectly without the AXMakeProcessTrusted
permission. Using the Chown/Chgrp method of setting it to trusted
causes it to suddenly fail. Similarly, using the caffeinated cocoa
example we discussed on cocoa-dev, same result: works prior to
authentication with assistive devices enabled; fails when made
trusted. I agree, it seems like a security non-sequitur to require
granting a global right (i.e., turn on "enable access to assistive
devices" when granting a specific permission to one app would
accomplish the same result.
> From: James Dempsey <email@hidden>
> This is an issue that we are aware of. One workaround I had suggested
> to a developer privately (but had not heard back if it had worked),
> was to compile the scripts ahead of time using osacompile, and to load
> and run the compiled scripts. I believe this would skip the step of
> loading the AppleScript dictionaries of the other applications.
>
> I'm not too familiar with osacompile, but you will want to use the -d
> options to have the compiled script in the data fork, you probably
> also want -x to make it execute only - otherwise it will be openable
> in ScriptEditor.
>
> I'm hopeful that as long as your scripts don't rely on scripting
> additions that this will work. It would be helpful if you could
> report back whether this did work for you or not.
>
Thank you for the interesting suggestion. Unfortunately, I cannot
precompile the scripts, because I need to fill in the appropriate
parameters for the window size/location at run time. (OT, but I think
I have also identified a memory leak in the OSA Compile functions.
They seem to generate a number of CFStrings when compiling a script
that are never released/collected. I am investigating further and
will post something to cocoa-dev if I can confirm it). I am glad
Apple is aware of the issue -- see my comment above regarding having
to enable a global right when a specific right will do. Hopefully it
will get corrected at some point. Keep making great stuff!
Thanks, Tobias
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Accessibility-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden