Re: Using Authorization Services with a Factored Application
Re: Using Authorization Services with a Factored Application
- Subject: Re: Using Authorization Services with a Factored Application
- From: OL&L Dev 2 <email@hidden>
- Date: Mon, 15 Dec 2003 14:23:15 -0800
Hi Simone,
There are a few issues you need to be aware of:
1) You must still do the self-repair work in your helper tool in case
someone copies your app to another volume which might break the
setuid bits. The best way in my experience to handle this is to
ignore the setuid bits on the helper tool file, self-repair, and then
inside your code do your own programmatic switching to priviledged
mode using Apple's MoreSecurity library. Taking this approach
completely eliminates your having to worry about the setuid bit issue.
2) I would recommend using Objective-C in your app but writing the
helper tool in pure C using CoreFoundation. Many of the Obj-C types
can be cast to corresponding CF types using toll-free bridging. You
can create a variable inside your helper tool that monitors what data
comes in so that you don't process the same data twice. You can put a
key in the request dictionary to the helper tool to signal the tool
that new data is coming in.
3) The re-authorization issue is a common problem. There is no way to
prevent the helper tool from quitting. The best way in my experience
to avoid this is to put the AuthorizationRef and possibly any rights
into your calling application. Have the calling app own the
AuthorizationRef, then simply pass it back to the helper tool
multiple times. Use the routines in Apple's MoreSecurity library to
execute the helper tool for you which will vastly simply your code
needed to call the tool. This way the app will authorize once, and if
you setup the rights and credentials properly, then the same
AuthorizationRef can be passed multiple times to the helper tool
without requiring the tool to reauthorize every time.
Hope this helps,
Orbital Launch & Lift, Inc.
http://www.orbitallaunch.com/
At 2:45 PM -0800 12/14/03, Simone Manganelli wrote:
>
I'm trying to implement authorization in my application, using
>
Authorization Services by factoring my application into the GUI
>
portion, and a helper tool to execute the authorized actions.
>
>
I understand that by using a factored application, I can allow a
>
user to be authorized to do certain actions indefinitely, instead of
>
using AuthorizationExecuteWithPrivileges, which is an expiring
>
right. The other thing that I've noticed is that in the
>
Authorization Services documentation, it states that the setuid bit
>
and owner are preserved when copying applications in Jaguar and
>
later, so since my application is only going to run on Jaguar and
>
later, I don't have to worry about doing self repair. Is this
>
correct?
>
>
Anwyay, here's my main question: I've figured out how to communicate
>
between processes using NSTask and NSPipe (which seems to work OK),
>
but the only problem is that when using an NSPipe (combined with an
>
NSFileHandle), I want to set up a way to notify the helper tool of
>
when new data has been passed to it, so that I don't accidentally
>
get two sets of data all at once from the file handle (using the
>
availableData method). NSFileHandle seems to have another method
>
that will help me do this (waitForDataInBackgroundAndNotify), but
>
this requires that I add the helper tool as an observer for
>
notifications. When I try to do this, I get an error with using
>
"self" in the code, because I'm not subclassing an NSObject which
>
makes that variable undefined.
>
>
The other thing is that the helper tool file doesn't like
>
Objective-C style methods (e.g.: -
>
(void)dataAvailable:(NSNotification *)theNotification; ) when
>
they're not inside a @implementation/@end construct, and that
>
requires a @interface/@end construct as well, effectively making my
>
helper tool another standard program instead of a helper tool.
>
>
I was wondering how to get around this limitation, or if there's a
>
better way to do what I want to avoid the problems I've been having.
>
The other minor question I had is how I prevent the helper tool from
>
quitting, so that the user doesn't have to authenticate to relaunch
>
the helper tool and perform more admin-priv operations (which is why
>
I even started trying to code the helper tool, anyway).
>
>
If anyone can provide any guidance with these issues, I'd be very grateful.
>
>
-- Simone Manganelli
>
_______________________________________________
>
cocoa-dev mailing list | email@hidden
>
Help/Unsubscribe/Archives:
>
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
>
Do not post admin requests to the list. They will be ignored.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.