Using Security framework to write self-limiting app without modifying /etc/authorization?
- Subject: Using Security framework to write self-limiting app without modifying /etc/authorization?
- From: Piers Uso Walter <email@hidden>
- Date: Wed, 7 Oct 2009 23:06:46 +0200

I am trying to write a self-limiting application (i.e. an application
that asks for authorization before performing certain functions). I
have reviewed the Security framework which seems to be intended for
requirements like this, but fail to understand how this would work in
my specific case.

As far as I understand the self-limiting application defines a right,
which it then tries to acquire before performing the limited function.
If the administrator has defined this right in /etc/authorization (or
if the application has done so after having acquired administrator
authorization), that definition is used as the criteria for
granting/denying the right.

If, however, /etc/authorization does not contain a definition for the
application-specific right, the security framework defaults to using
the default rule, which is to require explicit authorization as an
administrator.

My situation seems to be a little bit different. I would like the
application to specify the rule for acquiring the right (e.g.
authorization as a member of a certain group). I want this to work
out of the box, however, without requiring the administrator to
modify /etc/authorization beforehand, and without requiring the user
to enter an admin password in order to have the application "install"
the right definition into /etc/authorization.

(Of course, it would be nice if the site administrator would continue
to have the option to modify the requirements using
/etc/authorization, I just don't want to make this a requirement for
using the application.)

So I guess the question comes down to: is there a way to use the
Security framework (or any other system-supplied mechanism) to
perform authorization according to application-defined rules that
have not been added to /etc/authorization?

Is that even possible?