Re: Using the security framework
Re: Using the security framework
- Subject: Re: Using the security framework
- From: Joe Turner <email@hidden>
- Date: Thu, 22 Jan 2009 21:15:30 -0600
On Jan 22, 2009, at 4:57 PM, Nick Zitzmann wrote:
On Jan 22, 2009, at 4:09 PM, Joe Turner wrote:
I see. Then, how would you suggest to create a cloner/deleter, if
it needs root privileges, but cannot use the security framework?
I didn't say you couldn't use the security framework. I said you
ought to consider re-thinking your strategy.
And, since running scripts from root is dangerous, then is there
any good way to be able to delete protected (not your user account)
files? Or, should I just have it copy or delete files the user has
access to?
There's nothing wrong with running scripts strictly as root, since a
lot of system scripts are run this way. But AEWP() doesn't run
executables as root; it runs them as the user with root privileges.
There's an important difference.
Instead of running a shell script, run another non-GUI command line
tool of your making with AEWP() that does the required privileged
task(s). Running shell code with root privileges as some user is
possible, but it's an easy attack vector due to the inheritance of
the user's shell environment. Running a command line tool is a bit
more difficult to hack (but still possible if someone is determined
enough). Plus, then you can use NSFileManager. :)
You could even take security to the extreme, as I once did in an
application, and check signatures before calling AEWP(), but that's
probably too extreme, as it's unlikely someone will rewrite or
replace your executable unless the file system gave them permission
to do so.
Okay, I guess I should just put scheduling without needing the
password to the back of my queue.
I have one more question (sorry for all of these questions): If I call
AuthorizationCopyRights() every 280 (or anything less than 300 secs)
during the clone, will it keep the authorization alive (no need to
enter password again)?
Thanks for all your help–You have no idea how much it means to me :)
Cheers,
Joe Turner
Nick Zitzmann
<http://www.chronosnet.com/>
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden