Re: Running an application owned by a different user

  • Subject: Re: Running an application owned by a different user
  • From: Paul Forgey <email@hidden>
  • Date: Sat, 8 Apr 2006 23:20:28 -0700

Generally speaking, suid executables are usually a Bad Idea. There are very, very few cases where there is no other way to do it, like sudo or login. If the target user is privileged, your application could be abused to gain elevated privileges. Also, it won't always work if the bundle is hosted on a network or removable drive.

I'd use Authorization Services to become root, then suid to the user you want to. I'm not too familiar with the finer points of Authorization Services, but I know it can spawn executables as root after getting the credentials of a privileged user. That executable could be a resource in your bundle that calls suid () on a desired user and then either exec's the program you want to run or calls Launch Services to do it and then exit.

On Apr 8, 2006, at 1:45 PM, Greg Herlihy wrote:

Setting the SUID file bit (chmod +s) on the other application's executable
will cause that application to run with the account that owns the executable
and not with the account that actually launched it. So as long as the other
user's account owns the other application's executable, then having the
owner account set the executable file's SUID bit should be all that is
required to have that other application run with the other user's account -
no matter which account actually launches it.


Note that no special authorization is needed here because the owner of a
file is always able to set its SUID bit. In other words, setting a file's
SUID bit on does not require special authorization or root privileges
(unless the owner of the file is the root account, of course).


Greg


On 4/8/06 5:53 AM, "Andrew Bush" <email@hidden> wrote:

Hi all,

I suspect this isn't the correct mailing list for this question, but I'm
not sure where else to ask it...suggestions are welcome..


...it may even be a stupid question...

I need to be able to make my cocoa application run a separate gui
application that exists only in the application directory of a
different user to the one currently logged in.

I want the other application to run with access only to *its user*
preferences/application support etc....so making a copy across to the
current user and using chmod on it will not work because doing so will
cause it to access the filesystem available to the *current* user,
whereas I want it to be restricted to only the parts of the file system
available to its owning user.


is there any sensible way to do this?  where would I start looking?


thanks for any help.


Yours cheerfully,


Andrew Bush

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Cocoa-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
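
The helper described in the reply at the top of this message, written out in C as an added example (it is not code from the thread). It assumes the helper has already been started as root, that the POSIX setuid() call is what switches the user, and a hypothetical command line of target user name followed by an absolute program path.

```c
#define _DEFAULT_SOURCE          /* expose initgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Permanently switch the calling process (running as root) to the account in
 * pw. Returns 0 on success, -1 with errno set on any failure. */
int drop_to_user(const struct passwd *pw)
{
    if (pw == NULL || pw->pw_name == NULL) { errno = EINVAL; return -1; }
    /* A privileged target would make the helper a way to stay root. */
    if (pw->pw_uid == 0) { errno = EPERM; return -1; }
    /* Order matters: groups while still root, the uid last. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* The drop must be irreversible and complete before anything is exec'd. */
    if (setuid(0) == 0 || seteuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Hypothetical command line: helper <user> </absolute/path> [args...] */
int main(int argc, char **argv)
{
    if (argc < 3 || argv[2][0] != '/') {
        fprintf(stderr, "usage: %s user /absolute/path [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (drop_to_user(pw) != 0) {
        perror("drop_to_user");
        return 1;                /* never exec with privileges still held */
    }
    /* Point the child at the target account's own home and preferences. */
    setenv("HOME", pw->pw_dir, 1);
    setenv("USER", pw->pw_name, 1);
    execv(argv[2], &argv[2]);
    perror("execv");
    return 1;
}
```

Unlike a set-uid bit on the application itself, this keeps the privileged code to one small function whose every return value is checked before the target program starts.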

