
Re: Simple authorization question


  • Subject: Re: Simple authorization question
  • From: James Bucanek <email@hidden>
  • Date: Wed, 4 Jul 2007 10:28:47 -0700

Martin Hairer <email@hidden> wrote (Wednesday, July 4, 2007 5:54 AM +0100):

Hi, I have a simple helper app that allows my main application to self-update. The helper app simply copies the updated application into the "Applications" folder. All works fine, as long as the user has admin privileges...

I tried to get the helper application to gain admin privileges by adding the line

    [[SFAuthorization authorization] permitWithRight:kAuthorizationRightExecute
                                               flags:(kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights)];

into the -(void)awakeFromNib method. This shows the authorization dialog as expected, but even if a correct password is entered, the subsequent call to [[NSFileManager defaultManager] copyPath: ...] fails if the user is not an admin. What am I doing wrong? Intuitively, I expected to have to call permitWithRights:flags:environment:authorizedRights and to have to somehow pass the "authorizedRights" variable to the function that copies the files. However, Apple's documentation states:

Executing the Privileged Operation

You should use the result of the authorization to determine whether the user is allowed to perform the privileged operation. There are no Authorization Services functions required for actually executing the privileged operation.


which is rather confusing to me.

This is confusing because you're clearly new to authentication. ;)

Let me try to clear up a few things. Hopefully this will get you going in the right direction.

I looked into using AuthorizationExecuteWithPrivileges, but this somehow seems overkill. I don't need root privileges and I don't want to create a useless security hole...

OK, first of all "administrative privileges" does not mean "make my user a member of the admin group." Regular admin users can change apps in /Applications because they are members of the admin group and the /Applications folder normally belongs to the admin group. This has absolutely nothing, whatsoever, to do with authentication or gaining administrative privileges.


However, generally you're on the right track.

A user who is not a member of the admin group can't change a file or directory that belongs to the admin group. So, these users need to gain the ability to change a directory object that they would normally not have access to. This is accomplished by becoming root, making the change, then setting your user back to normal.

The authorization call you made should grant your process administrative privileges. But being granted that right does not invoke that right. After the permitWithRight message returns successfully, it means that your process now has rights that it didn't have before. In other words, it doesn't change anything, it just removes barriers. Your process can now blithely perform operations that it was heretofore prohibited from doing (that's what the documentation paragraph is trying to explain -- once you have the rights to do something, you simply do it).

One of these rights is the ability to change the effective user ID of your process. Now that your process has administrative privileges, it can temporarily become the root user:

    seteuid(0);

This call changes the effective UID of your process to root. Your process is now running as the root user. Copy your files, then set it back to the user's normal EUID:

    seteuid(getuid());

For the best security, keep the amount of time you are running as root to a minimum. Also remember that since you're running as root any files/directories you create will (by default) belong to root. This is probably not what you want, so make sure you explicitly specify the uid and gid of files that you create so they belong to the user that performed the upgrade when you're done.

--
James Bucanek
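The elevate / copy / drop-back cycle described in the reply above, written out as an added C example that is not part of the original thread and not Cocoa or Authorization Services code. It relies on two POSIX facts: seteuid(0) succeeds only when the process's real, effective or saved user ID is already 0 and fails with EPERM otherwise, and a file created while the effective uid is 0 is owned by root until it is chown'ed back. The point of the example is that each privilege transition is checked rather than assumed: a refused elevation is reported, a failed drop aborts instead of leaving the process running as root, and ownership of anything created while elevated is handed back to the invoking user. The install_job struct, write_payload, install_update, give_back_to_user and self_check are hypothetical names; the /tmp scratch file and payload string are constructed for the demonstration.

```c
/* Added example: checked elevate / work / drop cycle (not from the thread). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum elevate_result {
    ELEVATE_REFUSED = 0,  /* seteuid(0) returned EPERM: the kernel did not allow it */
    ELEVATE_DONE    = 1,  /* became root, ran the work, returned to the real uid */
    ELEVATE_ERROR   = -1  /* another failure; errno is set */
};

/* Run `work` with effective uid 0, then return to the real uid.
 * A refused elevation is reported, never ignored; a failed drop aborts so
 * the process can never keep running as root by accident. */
enum elevate_result run_as_root(int (*work)(void *), void *ctx, int *work_rc)
{
    uid_t real = getuid();

    if (seteuid(0) != 0)                  /* only works if real/saved uid is 0 */
        return errno == EPERM ? ELEVATE_REFUSED : ELEVATE_ERROR;

    int rc = work(ctx);                   /* runs with euid 0: keep this short */

    if (seteuid(real) != 0) {             /* always permitted when euid is 0 */
        perror("seteuid(real)");
        abort();
    }
    if (work_rc)
        *work_rc = rc;
    return ELEVATE_DONE;
}

/* Hypothetical "copy the update" step, reduced to writing one file. */
struct install_job {
    const char *dst;
    const char *payload;
};

static int write_payload(void *ctx)
{
    struct install_job *job = ctx;
    int fd = open(job->dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    size_t len = strlen(job->payload);
    ssize_t n = write(fd, job->payload, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Hand a file created while root back to the user who ran the upgrade. */
int give_back_to_user(const char *path)
{
    return chown(path, getuid(), getgid());
}

/* Whole helper cycle for one destination. On ELEVATE_DONE the file exists
 * and belongs to the real uid; *owner receives its final owner (or -1). */
enum elevate_result install_update(const char *dst, const char *payload, long *owner)
{
    struct install_job job = { dst, payload };
    int work_rc = -1;
    enum elevate_result r = run_as_root(write_payload, &job, &work_rc);

    if (owner)
        *owner = -1;
    if (r != ELEVATE_DONE)
        return r;
    if (work_rc != 0 || give_back_to_user(dst) != 0)
        return ELEVATE_ERROR;

    struct stat st;
    if (owner && stat(dst, &st) == 0)
        *owner = (long)st.st_uid;
    return ELEVATE_DONE;
}

/* Self-check that holds whether or not the caller is root: returns 1 when
 * the euid is back to the real uid and, if elevation happened, the file is
 * owned by the real uid; root must never be refused. */
int self_check(void)
{
    char path[] = "/tmp/helper_demo_XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);

    long owner = -1;
    enum elevate_result r = install_update(path, "new app bundle bytes\n", &owner);
    int ok = (geteuid() == getuid());
    if (r == ELEVATE_DONE)
        ok = ok && owner == (long)getuid();
    else if (r == ELEVATE_REFUSED)
        ok = ok && getuid() != 0;
    else
        ok = 0;
    unlink(path);
    return ok;
}

int main(void)
{
    printf("self_check: %s (uid=%ld euid=%ld)\n", self_check() ? "ok" : "FAILED",
           (long)getuid(), (long)geteuid());
    return 0;
}
```

Run as an ordinary user the cycle reports ELEVATE_REFUSED, which is the behaviour a helper that merely asked Authorization Services for a right will see from the kernel; run with real or saved uid 0 it elevates, writes, drops back and returns the file to the real uid. Either way the invariant a reviewer cares about holds at the end: the effective uid equals the real uid and nothing created while elevated is left owned by root.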

_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com


