Re: Privileged helper tool?
- Subject: Re: Privileged helper tool?
- From: Robert DuToit <email@hidden>
- Date: Fri, 08 Aug 2014 15:25:28 -0400
Hi Jeff,
I have spent several years working with root privileges with my ASObjC app backupList+ that uses rsync to copy files. I have used the "do shell script with admin privs" for some time, but in Mavericks it will freeze the UI, if you have one, such as a progress window. I think this might be fixed a bit in Yosemite - have to test more. I successfully rewrote the whole project in Obj-C a couple of years ago using the old Better Authorization Sample, which was hairy to get through, especially the communication with helper tool bits. I returned to "do shell…" since it was just too ponderous.
I have got SMJobBless to work for the helper installation etc. now, which is way less complicated, but have to delve into the helper communications. In the meantime I have done what SuperDuper does and use a setuid on the helper tool to run the tasks. This is totally frowned upon by Apple, but SuperDuper is #1 in backup/cloning for years, so I feel OK about it till I can work out the new and approved ways. There really should be a simpler method of root access that is safe. Mike Bombich (Carbon Copy Cloner) uses the Apple-preferred way of root privileges with his rsync backups and really has it down, but I haven’t been able to get that far yet.
You will definitely have to do all the communications in Obj-C, C as well as helper tool, but I think you can put that all inside your ASObjC app.
Any questions, feel free to ask. You are not alone. There isn’t a whole lot of info out there on how to do all this, as you have seen.
Rob
On Aug 8, 2014, at 12:26 PM, Jeff Dyck <email@hidden> wrote:
> Thanks for the sounding board the other day re: the rsync issue.
>
> I have another, higher concept question that I’d appreciate any input on…
>
> Background:
>
> Years ago I developed an internal user backup and migration tool in AppleScript Studio, which is basically a wrapper around rsync / ditto with a bunch of logic built in to help our techs in backing up and migrating users to new computers. Unfortunately, maintaining this project now requires a VM of Snow Leopard with Xcode 3 and I’d like to recode this in AppleScript Obj-C.
>
> Currently the program asks for an admin user/password on launch, which it then keeps internally so it can run a bunch of commands without requiring our techs to keep entering the admin password - it uses these credentials to do things like: calculate number of files or total size of a user's home folder; enable file sharing; turn off sleep; run the rsync / ditto commands; etc. I did all of this using ‘do shell script as administrator’ and it’s worked brilliantly the past 5 years.
>
> With Apple’s tightening security, I’m starting to think the ‘do shell script as admin’ might not have much more life left, so I’ve been researching the more modern, Apple-approved methods of privilege escalation, which has led me down a rabbit hole of conflicting information and obsolete documentation, and finally to a combination of SMJobBless, launchd and XPC to create a privileged helper tool…
>
> Unfortunately I’m mostly a hopped-up scripter, so I’m not very good at Obj-C development, so while I understand the high-level concepts, I’m having a hard time applying this to AppleScript Obj-C.
>
> What I want to do:
> • Create a similar app to before, but using SMJobBless to init a privileged helper tool that would run the admin level commands and communicate results and progress (in the case of rsync) back to the Main app.
>
> What I’ve learned so far:
>
> • Seems like I need to use SMJobBless to init the helper tool,
> • Then I can use NSXPCConnection to facilitate communication between the main app and helper.
> • The stack seems very complicated to my eyes
> • Best examples/docs I can find:
>
> Apple’s “Even Better Authorization Sample”
> https://developer.apple.com/library/mac/samplecode/EvenBetterAuthorizationSample/Listings/Read_Me_About_EvenBetterAuthorizationSample_txt.html
>
> This article and sample on Modern Privileged helper tools, which uses the pre-NSXPCConnection C API
> http://atnan.com/blog/2012/02/29/modern-privileged-helper-tools-using-smjobbless-plus-xpc/
>
>
> Questions:
>
> 1. Is it even possible to do this in AppleScript? Or does SMJobBless being more a C-level API and requiring AuthorizationRefs and whatnot make this impossible?
>
> 2. Any pointers to tutorials or sample projects that do this in AppleScript? I’ve looked but barely even found tutorials for Cocoa / Obj-C that aren’t obsolete.
>
> 3. Am I stupid for even thinking about this? Should I just stick with do shell script and hope for the best?
>
> Thanks in advance for any input offered.
>
> Jeff
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> applescriptobjc-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
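Added example, not part of the original thread and not code from either poster: the app side of the two steps the thread discusses, SMJobBless to install the helper and NSXPCConnection to talk to it. The helper label, the BackupHelperProtocol interface and the paths are hypothetical; it assumes a code-signed helper embedded in the app bundle whose launchd plist advertises a Mach service under the same label and which vends the protocol through an NSXPCListener.

```objc
// Added example, app side only. Label, protocol and paths are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>
#import <ServiceManagement/ServiceManagement.h>

static NSString * const kHelperLabel = @"com.example.BackupHelper"; // placeholder
static NSXPCConnection *gConnection; // kept alive for the life of the app
// One narrow, typed operation instead of "run this shell string as root".
@protocol BackupHelperProtocol
- (void)syncFrom:(NSString *)src to:(NSString *)dst withReply:(void (^)(int status))reply;
@end

// Step 1: obtain the bless right (prompts for admin credentials), then have launchd
// install the helper. App and helper must name each other in their Info.plists.
static BOOL InstallHelper(NSError **outError) {
    AuthorizationItem item = { kSMRightBlessPrivilegedHelper, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    AuthorizationFlags flags = kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights;
    AuthorizationRef authRef = NULL;
    OSStatus st = AuthorizationCreate(&rights, kAuthorizationEmptyEnvironment, flags, &authRef);
    if (st != errAuthorizationSuccess) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:st userInfo:nil];
        return NO;
    }
    CFErrorRef cfErr = NULL;
    Boolean ok = SMJobBless(kSMDomainSystemLaunchd, (__bridge CFStringRef)kHelperLabel, authRef, &cfErr);
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    if (!ok && outError) *outError = CFBridgingRelease(cfErr);
    else if (cfErr) CFRelease(cfErr);
    return ok ? YES : NO;
}

int main(void) {
    @autoreleasepool {
        NSError *error = nil;
        if (!InstallHelper(&error)) { NSLog(@"SMJobBless failed: %@", error); return 1; }
        // Step 2: connect to the Mach service the helper's launchd plist advertises.
        gConnection = [[NSXPCConnection alloc] initWithMachServiceName:kHelperLabel options:NSXPCConnectionPrivileged];
        gConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(BackupHelperProtocol)];
        [gConnection resume];
        id<BackupHelperProtocol> helper = [gConnection remoteObjectProxyWithErrorHandler:^(NSError *e) {
            NSLog(@"XPC error: %@", e); exit(1);
        }];
        [helper syncFrom:@"/Users/example" to:@"/Volumes/Backup/example" withReply:^(int status) {
            NSLog(@"helper exit status %d", status); exit(status == 0 ? 0 : 1);
        }];
        [[NSRunLoop currentRunLoop] run]; // wait for the asynchronous reply
    }
}
```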