On Jan 5, 2007, at 7:02 PM, Greg wrote:

> Hi,
>
> I'm writing a kext that uses the kauth facilities and was wondering whether it is possible to wait for user input from a userland application connected to the kext through an IOUserClient object in the middle of making the decision of whether or not a file system operation will be allowed. Essentially I would like to send a notification to the user in my kauth_listener function, wait for their decision, and then decide based on that whether to allow or disallow the file system operation in question. I haven't worked in the kernel before and am worried that this behavior may cause the entire system to hang.

It will likely cause the system to hang, if you are asking for authentication on every authorization request, rather than e.g. on a specific file. Even then, it's mostly not a good idea.

In general, if your user space client application ends up making any FS calls, it will end up blocked behind itself authorizing itself to make those calls (e.g. if it needs to access a password file, or needs to open a resource file to display a localized string in a dialog, and so on).

A good model to follow in this regard is the ssh-agent model. In that model, the ssh-agent will turn around authorization requests immediately, and if you want a session authorized to it, then you use ssh-add. This divorces the user input for granting of authorization from the daemon that turns around the requests (all requests are denied unless you are authorized). This works best if the application itself knows about authorization (i.e. if ssh-agent is not running, or if you have not authorized yourself to it via ssh-add, it'll ask you for the password instead when it can't get it from the agent).

-- Terry

Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
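The ssh-agent model from the reply, written out as an added example (this is not Terry's code, not Apple's, and not a kext): a user-space model of a vnode-scope kauth listener that never sleeps waiting for a user client. It builds without XNU headers, so the KAUTH_* result and action values are copied from <sys/kauth.h>, the credential is reduced to a uid, and the vnode_t argument is stood in for by a path string; the /protected/ subtree, uid 501 and the path names are constructed for the example. The "ssh-add" side fills a grant table ahead of time, the listener answers from that table at once (deferring everything outside the guarded subtree, as the reply's "specific file" point suggests), and the application does its own prompting in user space only after the kext has already returned DENY, which is the "application knows about authorization" fallback the reply describes.

```c
/*
 * Added example, not code from the mailing list or from Apple.
 * User-space model of an ssh-agent style kauth listener: decide from a
 * pre-filled grant table, never block on the user client.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Result codes as in <sys/kauth.h>. */
#define KAUTH_RESULT_ALLOW 1
#define KAUTH_RESULT_DENY  2
#define KAUTH_RESULT_DEFER 3

/* Two vnode-scope action bits, values as in <sys/kauth.h>. */
#define KAUTH_VNODE_READ_DATA  (1u << 1)
#define KAUTH_VNODE_WRITE_DATA (1u << 2)

/* Constructed for the example: the only subtree the listener guards.
 * Everything else is deferred at once so the system stays usable. */
#define PROTECTED_PREFIX "/protected/"
#define MAX_GRANTS 16

struct grant {
    uid_t    uid;
    char     path[256];
    uint32_t actions;   /* KAUTH_VNODE_* bits granted for this path */
};

static struct grant grants[MAX_GRANTS];
static int          ngrants;

/* The "ssh-add" side: a user client (over IOUserClient in a real kext)
 * records a grant ahead of time. Returns 0 on success, -1 if it cannot fit. */
int grant_add(uid_t uid, const char *path, uint32_t actions)
{
    if (strlen(path) >= sizeof grants[0].path)
        return -1;
    for (int i = 0; i < ngrants; i++) {
        if (grants[i].uid == uid && strcmp(grants[i].path, path) == 0) {
            grants[i].actions |= actions;
            return 0;
        }
    }
    if (ngrants == MAX_GRANTS)
        return -1;
    grants[ngrants].uid = uid;
    strcpy(grants[ngrants].path, path);
    grants[ngrants].actions = actions;
    ngrants++;
    return 0;
}

void grant_clear(void) { ngrants = 0; }

/* Same shape as kauth_scope_callback_t for KAUTH_SCOPE_VNODE, except that
 * the credential is a uid and arg1 carries a path instead of a vnode_t
 * (assumption for the example). It returns immediately in every case:
 * DEFER hands the decision to the normal permission checks, DENY refuses. */
int vnode_listener(uid_t cred_uid, void *idata, uint32_t action,
                   uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3)
{
    const char *path = (const char *)arg1;
    (void)idata; (void)arg0; (void)arg2; (void)arg3;

    if (strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0)
        return KAUTH_RESULT_DEFER;          /* not ours: decide nothing */

    for (int i = 0; i < ngrants; i++) {
        if (grants[i].uid == cred_uid && strcmp(grants[i].path, path) == 0 &&
            (action & ~grants[i].actions) == 0)
            return KAUTH_RESULT_DEFER;      /* pre-authorized: let VFS checks finish */
    }
    return KAUTH_RESULT_DENY;               /* no grant on file: refuse, never wait */
}

/* The application side: try the operation; only if the kext refuses, prompt
 * the user in user space (as ssh asks for the passphrase itself when the
 * agent has no key), record the grant and retry. The prompt runs after the
 * listener has already returned, so the kernel never waits on a dialog. */
typedef int (*prompt_fn)(uid_t uid, const char *path, uint32_t action);

int app_access(uid_t uid, const char *path, uint32_t action, prompt_fn prompt)
{
    int r = vnode_listener(uid, NULL, action, 0, (uintptr_t)path, 0, 0);
    if (r != KAUTH_RESULT_DENY)
        return r;
    if (prompt == NULL || !prompt(uid, path, action))
        return KAUTH_RESULT_DENY;
    if (grant_add(uid, path, action) != 0)
        return KAUTH_RESULT_DENY;
    return vnode_listener(uid, NULL, action, 0, (uintptr_t)path, 0, 0);
}

/* Stand-in prompt that always approves; a real client would show a dialog. */
static int approve_all(uid_t uid, const char *path, uint32_t action)
{
    (void)uid; (void)path; (void)action;
    return 1;
}

int main(void)
{
    const char *secret = "/protected/secret";      /* constructed path */
    printf("read before grant: %d\n",
           vnode_listener(501, NULL, KAUTH_VNODE_READ_DATA, 0, (uintptr_t)secret, 0, 0));
    grant_add(501, secret, KAUTH_VNODE_READ_DATA);
    printf("read after grant:  %d\n",
           vnode_listener(501, NULL, KAUTH_VNODE_READ_DATA, 0, (uintptr_t)secret, 0, 0));
    printf("write via app:     %d\n",
           app_access(501, secret, KAUTH_VNODE_WRITE_DATA, approve_all));
    return 0;
}
```

The point to carry over to a real kext is the shape of vnode_listener: every path through it returns without sleeping, and the only state it consults was written earlier by the user client. The grant table here is a fixed array keyed by uid and path; in a kext it would be keyed by whatever identifies the file (for example the vnode's file ID) and guarded by a lock, and it needs an explicit "ssh-add" style call to remove entries as well as add them.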