Re: Using MoreSCF
  • Subject: Re: Using MoreSCF
  • From: Quinn <email@hidden>
  • Date: Mon, 7 Oct 2002 17:29:38 +0100

At 16:54 +0100 7/10/02, email@hidden wrote:
> The thing I thought was strange is that my network settings weren't
> locked, so when I wasn't logged in as root user, I thought it should have
> worked. I.e. the lock in the network settings is unlocked.

This lock is managed entirely within System Preferences. System Preferences has an EUID 0 backend process that it uses to commit SCF changes. The lock prevents that process from doing commits. It has nothing to do with the SCF or Auth APIs.

> Any ideas how I can get my application to temporarily have root access when
> setting up the configuration items, and then lose the privilege?
>
> I have seen the AuthSample, but this says that GUI applications shouldn't
> be able to have root privileges, which seems strange to me, and the sample is
> presently confusing.
>
> I would have thought that if a process wants root privileges, the process
> calls an API, which causes a dialog to appear similar to clicking on the
> unlock button in the system preferences (network settings), so the user is
> fully aware that we are going to change something.

This isn't possible, at least not in the way you want. The only way for a BSD process to upgrade its privileges is for it to exec a setuid program. You can't call an API to upgrade your preferences. This means that you really need to split your application into the front-end GUI part that runs with the user's EUID, and a back-end helper tool that runs as EUID 0. While I understand that AuthSample is a little complicated, it's the only way to resolve the conflicting requirements of having your GUI process not run as EUID 0 and being able to make changes that require EUID 0.

btw This stuff is explained fairly well in the Auth Services docs.

<http://developer.apple.com/techpubs/macosx/CoreTechnologies/securityservices/authorizationservices/authservices.html>

We're also working on new documentation to cover these issues in great depth.

S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macnetworkprog
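
As an added illustration of the helper-tool half of the split described in the reply above (this is not part of the original post, nor code from AuthSample or MoreSCF): a setuid-root helper can give up EUID 0 for good once its privileged work is done. It uses only POSIX calls, leaves out the Authorization Services checks a real helper needs, and the function and enum names are made up for the example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names, chosen for this example. */
enum drop_result { DROP_OK = 0, DROP_REAL_ROOT = 1, DROP_FAILED = -1 };

/*
 * A setuid-root helper starts with real UID = invoking user, EUID = 0.
 * Called with EUID 0, setuid() resets the real, effective and saved UIDs
 * together, so the process cannot switch back afterwards.
 */
enum drop_result drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (ruid == 0)
        return DROP_REAL_ROOT;   /* started by root itself: no user to return to */

    /* Group first: after the UID is dropped we may no longer change the GID. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return DROP_FAILED;

    /* Verify rather than trust the return codes: regaining root must fail. */
    if (setuid(0) == 0)
        return DROP_FAILED;
    if (geteuid() != ruid || getegid() != rgid)
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    if (geteuid() != 0)
        fprintf(stderr, "note: not running with EUID 0 (helper not installed setuid root)\n");

    /* The one operation that needs EUID 0 (the configuration commit) belongs here. */

    enum drop_result r = drop_privileges_permanently();
    if (r == DROP_FAILED) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("uid=%ld euid=%ld result=%d\n", (long)getuid(), (long)geteuid(), (int)r);
    return 0;
}
```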