RE: simple root authentication for executing shell scripts
- Subject: RE: simple root authentication for executing shell scripts
- From: "Huyler, Christopher M" <email@hidden>
- Date: Tue, 7 Oct 2003 13:45:39 -0400
- Thread-topic: simple root authentication for executing shell scripts
Hey, we have the same initials!
Tell me if this doesn't sound confusing. I write an interface that
launches a tool. The interface tells the tool to launch a script which
launches another tool that actually launches our services. Add to that
a backup helper tool for when the Finder modifies the tool's
permissions. The status code returned by the tool that launches the
service must be sent through 4 layers before it can get to the interface
that actually started it.
Why can't I just have the interface launch the script (see pseudo code
in my last email)? Granted the script could be altered but that
requires root access to edit the script, then root access again to
launch the script.
The pseudo code works as far as launching the script. However, the
actual uid (not euid) must be 0 (root) to use the DYLD_LIBRARY_PATH
environment variable. (Calling a setuid(geteuid()) would accomplish
this.) Our services expect this to be set prior to launching them which
is why we have a startup shell script that sets that variable and does a
bunch of other pre-startup tasks. Is there a way to do this using
AuthorizationExecuteWithPrivileges()?
-----Original Message-----
From: Chris Hanson [mailto:email@hidden]
Sent: Tuesday, October 07, 2003 11:23 AM
To: Huyler, Christopher M
Cc: email@hidden
Subject: Re: simple root authentication for executing shell scripts
> On Monday, October 6, 2003, at 01:38 PM, Huyler, Christopher M wrote:
> > Can someone point me to some simple code that will accomplish this? I
> > looked at the MoreSecurity sample code and that seems like a lot of code
> > to perform such a simple task.
>
> You need to create a small "helper tool" that can make itself setuid
> root using Authorization Services, and that can perform other tasks as
> root when passed an appropriate authorization and command via stdin.
>
> Apple's AuthSample and MoreAuthSample code samples will show you how to
> do this and explain what they're doing and why in explicit detail. It
> may look like a lot of code, but it's really not, and it's all there
> for a very good reason.
>
> -- Chris
_______________________________________________
cocoa-dev mailing list | email@hidden