Re: Running an application owned by a different user
Re: Running an application owned by a different user
- Subject: Re: Running an application owned by a different user
- From: Paul Forgey <email@hidden>
- Date: Sat, 8 Apr 2006 23:20:28 -0700
Generally speaking, suid executables are usually a Bad Idea. There
are very, very few cases where there is no other way to do it, like
sudo or login. If the target user is privileged your application
could be abused to gain elevated privileges. Also it won't always
work of the bundle is hosted on a network or removable drive.
I'd use Authorization Services to become root, then suid to the user
you want to. I'm not too familiar with the finer points of
Authorization Services, but I know it can spawn executables as root
after getting the credentials of a privileged user. That executable
could be a resource in your bundle that calls suid () on a desired
user and then either exec's the program you want to run or calls
Launch Services to do it and then exit.
On Apr 8, 2006, at 1:45 PM, Greg Herlihy wrote:
Setting the SUID file bit (chmod +s) on the other application's
executable
will cause that application to run with the account that owns the
executable
and not with the account that actually launched it. So as long as
the other
user's account owns the other application's executable, then having
the
owner account set the executable file's SUID bit should be all that is
required to have that other application run with the other user's
account -
no matter which account actually launches it.
Note that no special authorization is needed here because the owner
of a
file is always able to set its SUID bit. In other words, setting a
file's
SUID bit on does not require special authorization or root privileges
(unless the owner of the file is the root account, of course).
Greg
On 4/8/06 5:53 AM, "Andrew Bush" <email@hidden> wrote:
Hi all,
I suspect this isn't the correct mailing list for this question,
but Im
not sure where else to ask it...suggestions are welcome..
...it may even be a stupid question...
I need to be able to make my cocoa application run a separate gui
application that exists only in the application directory of a
different user to the one currently logged in.
I want the other application to run only with access only to *its
user*
preferences/application support etc....so making a copy across to the
current user and using chmod on it will not work because doing so
will
cause it to access the filesystem available to the *current* user,
whereas I want it to be restricted to only the parts of the file
system
available to its owning user.
is there any sensible way to do this? where would I start looking?
thanks for any help.
Yours cheerfully,
Andrew Bush
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden