Re: Authorization with NSTask
- Subject: Re: Authorization with NSTask
- From: David Remahl <email@hidden>
- Date: Thu, 3 Jul 2003 11:37:40 +0200
John,

The use of AuthorizationExecuteWithPrivileges() is deprecated in most
cases. You should instead create a setuid tool (you can make it
self-repairing, by using AuthorizationExecuteWithPrivileges() in the
special case when it lost its setuid status) and use the other Security
framework mechanisms to request authorization to perform a certain
action. You then pass the authorization ref data to the setuid tool,
which verifies its authenticity and performs whatever action it finds
necessary.

You should probably create a setuid tool which acts as a trampoline for
the /usr/local/bin/pg_ctl program. You can then launch your setuid tool
(stored inside of your bundle) using NSTask, and then use NSTask in the
setuid tool to launch the pg_ctl program (which will inherit the root
privileges of the setuid tool).

There are examples of using this separation of code requiring root
access and a bigger program running without special privileges on
Apple's site.

/ Regards, David Remahl

On Thursday, 3 July 2003, at 11.14AM, John Lombardo wrote:

> Using Apple's Moriarity and Stepwise's SecurityTutorial, I've figured out how
> to use NSTasks to execute system tasks, as well as using
> AuthorizationExecuteWithPrivileges(...) to run a particular executable (such
> as /usr/local/bin/pg_ctl) as root. What I can't figure out is how to combine
> the two, to run an NSTask as root.
>
> This is the only way I have found to execute a task with root privileges...
>
>     err = AuthorizationExecuteWithPrivileges(authorizationRef,
>         "/usr/local/bin/pg_ctl", 0, args, &pipe);
>
> Is there a way, using NSTasks that I have not found in Apple's reference
> PDFs?
>
> Cheers,
> John
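
An added sketch of the setuid trampoline described in the reply above; it is not code from this thread or from Apple's samples. The helper reads the authorization external form on stdin, verifies the right, and only then launches pg_ctl. The right name `com.example.pgadmin.pg_ctl`, the data directory, the exit codes and the stdin hand-off are assumptions.

```objc
// helper.m: added example of the setuid-root helper ("trampoline") side.
// Build (assumption): clang helper.m -framework Foundation -framework Security -o helper
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical right name; the unprivileged app must request the same right.
static const char *kRight = "com.example.pgadmin.pg_ctl";

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Accept only known pg_ctl actions; never pass caller arguments through.
        NSSet *allowed = [NSSet setWithObjects:@"start", @"stop", @"restart", nil];
        NSString *action = (argc == 2) ? [NSString stringWithUTF8String:argv[1]] : nil;
        if (action == nil || ![allowed containsObject:action]) return 64;

        // The caller writes the AuthorizationExternalForm bytes to our stdin.
        AuthorizationExternalForm ext;
        NSData *blob = [[NSFileHandle fileHandleWithStandardInput]
                           readDataOfLength:sizeof(ext)];
        if ([blob length] != sizeof(ext)) return 65;
        [blob getBytes:&ext length:sizeof(ext)];

        // Rebuild the reference; fails if the bytes do not name a live authorization.
        AuthorizationRef auth = NULL;
        if (AuthorizationCreateFromExternalForm(&ext, &auth) != errAuthorizationSuccess)
            return 77;

        // Check the right here, without allowing interaction from the helper.
        AuthorizationItem item = { kRight, 0, NULL, 0 };
        AuthorizationRights rights = { 1, &item };
        OSStatus st = AuthorizationCopyRights(auth, &rights, kAuthorizationEmptyEnvironment,
            kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights, NULL);
        AuthorizationFree(auth, kAuthorizationFlagDefaults);
        if (st != errAuthorizationSuccess) return 77;

        // Fixed absolute path, fixed arguments (data directory is an assumption),
        // and a minimal environment instead of the caller's.
        NSTask *task = [[NSTask alloc] init];
        [task setLaunchPath:@"/usr/local/bin/pg_ctl"];
        [task setArguments:@[action, @"-D", @"/usr/local/pgsql/data"]];
        [task setEnvironment:@{@"PATH": @"/usr/bin:/bin"}];
        [task launch];
        [task waitUntilExit];
        return [task terminationStatus];
    }
}
```

The unprivileged app obtains the right with AuthorizationCopyRights(), converts its reference with AuthorizationMakeExternalForm(), and writes those bytes to the helper's standard input through the NSTask pipe.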