Re: Running EUID as root (was Re: libpcap in Cocoa)
- Subject: Re: Running EUID as root (was Re: libpcap in Cocoa)
- From: Eric Peyton <email@hidden>
- Date: Tue, 21 Aug 2001 08:19:12 -0500
On Monday, August 20, 2001, at 10:52 PM, Todd Heberlein wrote:

> From: Ivan Myrvold <email@hidden>
>> Yes, that got it through the compile and link cycle without
>> errors. Thank you for holding my hand through this!
>
> Glad we could help.
>
> Now if you can figure out how to open that pcap tap live (which requires
> root privilege), I would love to hear about it.
>
> If I set my program to be SUID root it works fine, but I cannot figure
> out how to get the Security Framework to move my process running with my
> effective UID into an effective UID of root.

You cannot change an application that is not setuid(root) or run by root
from the euid of an arbitrary user to the euid of root. The MacOSX
underlying BSD/kernel implementation prevents it. A user application
can NEVER become root. You will either need to ...

a) install your application setuid(root)
b) teach your users how to run your application as root
c) encapsulate your pcap code in a unix tool that is setuid(root) and
communicate back with the main app in some manner
d) encapsulate your pcap code in a unix tool that is run from your main
application and could be launched with
ApplicationExecuteWithPrivileges() and communicates back with the main
app in some manner.

> There are a number of examples of using the Security Framework to
> AuthorizeExecuteWithPrivileges() another program (e.g., at Stepwise), but
> I want my own process to run in root mode.

Then it needs to be installed in "root mode".

> I have seen some interesting behavior during experiments. For example,
> sometimes the program prompts me for my username and password, and
> sometimes it doesn't. Is the system caching the results somewhere?

Yes, the security server caches the passwords and current authorizations
for a specific period of time. In Mac OS X 10.0.x I do not believe
there is a way to control this timeout. I also believe at some time in
the future you will be able to configure this (along with who does and
does not see the panels, etc.). I do not know the time frame for this
configurability.

> Also, if I want to run EUID==root, should I enter root's username and
> password, or should I use my own?

You can enter any name that will authorize; however, your app will never
run with EUID==root.

Eric

> Any suggestions?
>
> Todd
_______________________________________________
cocoa-dev mailing list
email@hidden
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
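
A sketch of the helper-tool approach from option (c) in the reply above, added here as an illustration and not code from the thread or from Apple: a small tool installed setuid(root) performs the one privileged open, then gives up root permanently before doing anything else. The device path, the function names and the pipe-based reporting to the main application are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: path of the capture device; the thread does not name one. */
#define TAP_DEVICE "/dev/bpf0"

/* Permanently give up root and become the invoking user again.
 * Returns 0 if root was dropped, 1 if there was nothing to drop
 * (not installed setuid root, or started by root), -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() != 0 || ruid == 0)
        return 1;
    /* Group first: once the UID is dropped we may not change it. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Called as root, setuid() also resets the saved UID,
     * so trying to get root back must now fail. */
    if (setuid(0) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Perform the single privileged step, then drop root whether or not
 * it succeeded. Returns an open descriptor, or -1. */
int open_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY);   /* the only call made as root */
    if (drop_privileges() < 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_then_drop(TAP_DEVICE);
    if (fd < 0) {
        fprintf(stderr, "cannot open %s\n", TAP_DEVICE);
        return 1;
    }
    /* From here on the process runs with the caller's UID. Capture on fd
     * and write results to stdout, which the main app reads over a pipe. */
    printf("ready euid=%d\n", (int)geteuid());
    close(fd);
    return 0;
}
```

The descriptor stays usable after the drop because access is checked when the file is opened, so the capture code itself never runs as root.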