Re: Undoing changes made by call to AXMakeProcessTrusted
- Subject: Re: Undoing changes made by call to AXMakeProcessTrusted
- From: Bill Cheeseman <email@hidden>
- Date: Mon, 17 Jan 2011 16:30:00 -0500
On Jan 17, 2011, at 3:50 PM, John Ten Cate wrote:
> I am currently creating an application for the Mac that will be installed with AXMakeProcessTrusted being set. In an effort to be able to properly QA my product before going to production, I need to ensure that the procedure I am using to set the process as trusted works properly and that if the process is not trusted it will fail gracefully. To do this I need to be able to reset the trusted state for the process.
>
> I have a couple questions that I have not been able to find the answers to in the documentation or by searching the web and was hoping that someone on the list could help out.
>
> 1. If I set a process as trusted using the AXMakeProcessTrusted and that process is removed, does the process remain in a trusted list somewhere? For instance, if the process is deleted and then added back manually to the same location that it was, will the trust still be there or does the trust have to be re-established?
>
> 2. If the trust remains in the above scenario, is there a way that the trust can be removed so I can get back to a state before the trust was applied by AXMakeProcessTrusted?
I have an application on the market that uses AXMakeProcessTrusted, so I've been around this particular block. You can download a free trial copy of UI Browser at <http://pfiddlesoft.com/uibrowser>.
Once your executable is made trusted, that executable remains trusted on that machine forever. There is no way to make it untrusted again.
But if you delete the application (and its package's executable) and install a new copy, the copy of the executable is NOT trusted until you call AXMakeProcessTrusted on it again. The reason for this is obvious -- it prevents bad guys from tricking you into installing a malicious copy of the application that takes advantage of the fact that you already made the first copy of it trusted. So deleting and reinstalling your application will allow you to perform testing.
The "trust" is encoded in the executable's privileges. Do a Get Info on the executable before making it trusted, and then again afterwards, and you'll see the difference in its permissions. When I say the "executable," I mean the executable binary inside the Mac OS folder in the application package's Contents folder. After you make it trusted, you'll see a special privilege named "accessibility."
There are several other things you should be aware of about AXMakeProcessTrusted. (1) To use it, your application cannot have any embedded frameworks, for security reasons. This restriction is not documented, but I ran into it and Apple engineers confirmed it. This is one reason why my UI Browser application now installs my custom accessibility framework in the standard shared frameworks location instead of embedding it in the application bundle. (2) If you do use custom frameworks and install them in shared frameworks to get around the first restriction, you will make your application ineligible for the new Mac App Store, which does not permit applications that install software in shared locations or that use elevated privileges.
--
Bill Cheeseman - email@hidden