Re: Privileged write to file
- Subject: Re: Privileged write to file
- From: Nicko van Someren <email@hidden>
- Date: Wed, 10 Mar 2004 12:00:05 +0000
On 10 Mar 2004, at 11:37, Sam McCandlish wrote:
> I don't really understand the usefulness of setuid root. If a program
> wasn't setuid root, it wouldn't be called anyways if the person did
> not have a password. Right?
If you want to write to a file that is only writable as root then the
process doing the writing has to run as root. In order for your user
to have the code run as root they have two options. One is to use some
privilege escalation mechanism such as having
AuthorizationExecuteWithPrivileges() run the code. The other is for
the program to be a setuid program, which means that when the program
is run it acquires the privileges of the file owner, irrespective of
the user who runs the program. If the file is owned by root then when
it is run the process runs as root, not as the user who ran the
program.
When you are writing OS X code that needs to modify system files that
are only writable by root you should, in general, carry out some
authorisation process before you do so. Although the current versions
of OS X don't really provide very comprehensive tools for managing this
there is a rich underlying authorisation system built in to the OS.
(In 10.3 there are some new API calls for programmatically examining
and modifying the rights database but there is still no UI for this.)
The ability to use the generic privileged execution of code is one of
the rights managed by the authorisation system
(kAuthorizationRightExecute) but you can define your own rights and
have them granted separately. My suggestion is that you should make
the program that writes the config file be a setuid root program, but
that that program should call AuthorizationCreate() specifying some
"right" defined by you (the documentation for the AuthorizationItem
type suggests using rights strings of the form
"com.myOrganization.myProduct.myRight") and it should only change the
config file if the user has the correct rights. The
AuthorizationCreate() function will prompt the user for passwords etc.
if the authorisation database requires this but the system
administrator can specify different policies, including letting
everyone have this right all the time. By default if the right is not
specified in the database then it is only available to users with Admin
accounts, which is clearly the correct default for something that is
going to write to a system configuration file.
For more complete information see:
http://developer.apple.com/documentation/Security/Reference/authorization_ref/index.html
I hope this helps.
Nicko
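The design Nicko describes above, written out as a small setuid-root helper tool. This is an added example, not code from the original thread or from Apple's documentation: the right name "com.myOrganization.myProduct.writeConfig" and the target path are assumptions, and the helper reads the new file contents from standard input so that it never trusts its environment or argument list for the path it writes. The helper only touches the file after AuthorizationCreate() has granted the custom right; with no entry in the rights database, that means an Admin account, as the reply notes.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>
#include <unistd.h>

/* Assumed right name, following the "com.myOrganization.myProduct.myRight"
   form suggested in the AuthorizationItem documentation. */
static const char *kConfigWriteRight = "com.myOrganization.myProduct.writeConfig";

/* Assumed target file. A setuid helper should hard-code the path it is
   allowed to write rather than take it from argv or the environment. */
static NSString *const kConfigPath =
    @"/Library/Preferences/com.myOrganization.myProduct.plist";

/* Ask the authorization system for our custom right. Returns YES only when
   the right is granted; Security Server prompts for credentials itself if
   the rights database requires it, so the helper never handles a password. */
static BOOL acquireConfigWriteRight(void)
{
    AuthorizationItem   item   = { kConfigWriteRight, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    AuthorizationFlags  flags  = kAuthorizationFlagDefaults
                               | kAuthorizationFlagInteractionAllowed
                               | kAuthorizationFlagExtendRights;
    AuthorizationRef    auth   = NULL;

    OSStatus status = AuthorizationCreate(&rights, kAuthorizationEmptyEnvironment,
                                          flags, &auth);
    if (auth != NULL) {
        /* We only needed the yes/no answer; release the reference at once. */
        AuthorizationFree(auth, kAuthorizationFlagDefaults);
    }
    return status == errAuthorizationSuccess;
}

int main(int argc, const char *argv[])
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    int exitCode = 1;

    /* Refuse to run unless installed setuid root: writing the file would
       fail anyway, and a misconfigured install should be noticed early. */
    if (geteuid() != 0) {
        fprintf(stderr, "%s: must be installed setuid root\n", argv[0]);
    } else if (!acquireConfigWriteRight()) {
        fprintf(stderr, "%s: right %s not granted; config file left unchanged\n",
                argv[0], kConfigWriteRight);
    } else {
        /* New contents arrive on stdin from the (unprivileged) calling
           application; the helper decides the destination, not the caller. */
        NSData *contents =
            [[NSFileHandle fileHandleWithStandardInput] readDataToEndOfFile];
        /* atomically:YES writes a temporary file and renames it, so a
           crash mid-write cannot leave a truncated system config file. */
        if ([contents writeToFile:kConfigPath atomically:YES]) {
            exitCode = 0;
        } else {
            fprintf(stderr, "%s: could not write %s\n",
                    argv[0], [kConfigPath fileSystemRepresentation]);
        }
    }

    [pool release];
    return exitCode;
}
```

Build it as a command-line tool linked against Foundation and Security, install it owned by root with mode 4755, and have the application pipe the new configuration into it. Because the privileged path is a few dozen lines with no user-controlled file name, the surface that runs as root stays small enough to audit, which is the point of splitting the writer out of the application in the first place.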
cocoa-dev mailing list | email@hidden