Where are the AuthorizationRights listed?
Where are the AuthorizationRights listed?
- Subject: Where are the AuthorizationRights listed?
- From: Murray Todd Williams <email@hidden>
- Date: Mon, 5 Nov 2001 18:19:19 -0500
Today has been "Learning the Security Framework Day" for me. It actually
seems to be fairly straightforward, except...
I don't know what AuthorizationString to use for the permissions I want
to request. I see in AuthorizationTags.h macro definitions for strings
like "username", "password", "shared", and "system.privilege.admin".
I'm trying to make my application modify some system (ODBC Database)
configuration files that are owned by root and read-only for everyone
else. I would love to define some nice fine-grained permission set so
that the application ONLY has access to this root-owned file so that no
clever hackers figure out a way to use my program as a security exploit.
(Not likely, but I like to err on the side of caution when it comes to
security.)
Looking at the AuthorizationTags.h header comments it looks as though
kAuthorizationRightExecute totally ignores the value passed to it and
just bumps the process up to some generic "Administrator/God" level:
"system.privilege.admin".
Question 1: Am I right? Am I really just asking for general Admin
permissions here? if so, is it adequate to use this specific permission,
toss in a dumb-dumb value for the parameter (ostensibly the file about
to be executed) and use "system.privilege.admin"? Will this break in the
future if kAuthorizationRightExecute actually gets defined in the future
as a permission to execute only a specific file?
Question 2: Are there any other valid strings than "username",
"password", "shared" and "system.privilege.admin"?
Cheers,
Murray