Privileged helper tool?


  • Subject: Privileged helper tool?
  • From: Jeff Dyck <email@hidden>
  • Date: Fri, 08 Aug 2014 09:26:49 -0700

Thanks for the sounding board the other day re: the rsync issue.

I have another, higher concept question that I’d appreciate any input on…

Background:

Years ago I developed an internal user backup and migration tool in AppleScript Studio, which is basically a wrapper around rsync / ditto with a bunch of logic built in to help our techs in backing up and migrating users to new computers. Unfortunately, maintaining this project now requires a VM of Snow Leopard with Xcode 3 and I’d like to recode this in AppleScript Obj-C.

Currently the program asks for an admin user/password on launch, which it then keeps internally so it can run a bunch of commands without requiring our techs to keep entering the admin password - it uses these credentials to do things like: calculate number of files or total size of a user's home folder; enable file sharing; turn off sleep; run the rsync / ditto commands; etc.  I did all of this using ‘do shell script as administrator’ and it’s worked brilliantly the past 5 years.

With Apple’s tightening security, I’m starting to think the ‘do shell script as admin’ might not have much more life left, so I’ve been researching the more modern, Apple-approved methods of privilege escalation, which has led me down a rabbit hole of conflicting information and obsolete documentation, and finally to a combination of SMJobBless, launchd and XPC to create a privileged helper tool…

Unfortunately I’m mostly a hopped up scripter, so I’m not very good at Obj-C development, so while I understand the high level concepts, I’m having a hard time applying this to AppleScript Obj-C.

What I want to do:
• Create a similar app to before, but using SMJobBless to init a privileged helper tool that would run the admin level commands and communicate results and progress (in the case of rsync) back to the Main app.

What I’ve learned so far:

• Seems like I need to use SMJobBless to init the helper tool,
• Then I can use NSXPCConnection to facilitate communication between the main app and helper.
• The stack seems very complicated to my eyes
• Best examples/docs I can find:

Apple’s “Even Better Authorization Sample”
https://developer.apple.com/library/mac/samplecode/EvenBetterAuthorizationSample/Listings/Read_Me_About_EvenBetterAuthorizationSample_txt.html

This article and sample on Modern Privileged helper tools, which uses the pre-NSXPCConnection C API
http://atnan.com/blog/2012/02/29/modern-privileged-helper-tools-using-smjobbless-plus-xpc/


Questions:

1. Is it even possible to do this in AppleScript? Or does SMJobBless being more a C-level API and requiring AuthorizationRefs and whatnot make this impossible?

2. Any pointers to tutorials or sample projects that do this in AppleScript? I’ve looked but barely even found tutorials for Cocoa / Obj-C that aren’t obsolete.

3. Am I stupid for even thinking about this? Should I just stick with do shell script and hope for the best?

Thanks in advance for any input offered.

Jeff