How can I pre-authorize authopen?

I am using authopen inside one of my programs to modify files owned by root. As you can see in the screenshot below, the administrator password is requested. What I would like to achieve is that the dialog displays my application name and then authorization is passed to authopen.

(Screenshot of the dialog: "authopen requires that you type your password.")

Code: start authopen so that it returns an authorized file descriptor.

#import <Foundation/Foundation.h>
#include <sys/socket.h>
#include <unistd.h>

int sv[2];                        // UNIX socket pair: with -stdoutpipe, authopen's stdout must be a socket
socketpair(AF_UNIX, SOCK_STREAM, 0, sv);

if (fork() == 0) {                // child
    close(sv[0]);                 // close the parent's end
    dup2(sv[1], STDOUT_FILENO);   // authopen sends the descriptor over its stdout
    close(sv[1]);

    const char *authopenPath = "/usr/libexec/authopen";
    execl(authopenPath,
          authopenPath,           // argv[0]
          "-stdoutpipe",
          [self.device.devicePath fileSystemRepresentation],
          NULL);

    NSLog(@"Fatal error, we should never reach %s:%d", __FILE__, __LINE__);
    _exit(127);                   // exec failed: leave without running the parent's atexit handlers
} else {                          // parent
    close(sv[1]);                 // keep sv[0] to receive the descriptor
}

// get file descriptor through sockets (recvmsg(2) on sv[0], SCM_RIGHTS control message)

I would really like not to use AuthorizationExecuteWithPrivileges, because then I will have to get more rights than I want.

+2




4 answers


Apple added an option to authopen in OS X 10.9 Mavericks that allows just that. Previously, this seemed impossible.

-extauth

Indicates that authopen should read a single AuthorizationExternalForm structure from stdin, convert it to an AuthorizationRef, and try to use it to authorize the open(2) operation. The authorization must refer to the sys.openfile rule that matches the requested operation. The authorization data will be read before any additional data specified on stdin, and will not be included in data written with -w.

I haven't used this yet, so I don't have sample code. If anyone has it, please add it to this answer.

0
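The question's snippet stops at "get file descriptor through sockets", and the -extauth option quoted in this answer needs the same process and socket plumbing, so the following is one added example in C that covers both. It is written for this page; it is not code from the question, from any answer, or from Apple. It spawns authopen with -stdoutpipe under a chosen argv[0] (the name the password dialog shows), reads the descriptor back from the socket as an SCM_RIGHTS control message, and, on macOS, first obtains the matching sys.openfile right in the calling process and writes the AuthorizationExternalForm to authopen's stdin for -extauth. Assumptions: that authopen's "-o oflag" takes the numeric open(2) flags, as described in authopen(1), and that the rights are named sys.openfile.readonly|readwrite|readwritecreate.<path>; recv_fd, authopen_right_name, authopen_fd and make_openfile_extauth are names chosen here. The Security.framework part compiles only on macOS (link with -framework Security); the socket and process handling is plain POSIX.

```c
/* Added example, not code from the question or its answers: spawn
 * /usr/libexec/authopen -stdoutpipe, take the opened descriptor back as an
 * SCM_RIGHTS message, optionally feeding an AuthorizationExternalForm on stdin
 * for -extauth. Assumed, not verified: "-o oflag" takes numeric open(2) flags. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#ifdef __APPLE__
#include <Security/Authorization.h>   /* link with -framework Security */
#endif

/* Receive the descriptor authopen sends as an SCM_RIGHTS message; -1 on EOF
 * (authopen refused, or its exec failed) or on a message carrying none. */
int recv_fd(int sock)
{
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;       msg.msg_iovlen = 1;
    msg.msg_control = cbuf;   msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) <= 0)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Right authopen asks for; the sys.openfile.<op>.<path> scheme is assumed. */
int authopen_right_name(const char *path, int oflag, char *buf, size_t len)
{
    const char *op = (oflag & O_CREAT) ? "readwritecreate"
                   : (oflag & (O_WRONLY | O_RDWR)) ? "readwrite" : "readonly";
    int n = snprintf(buf, len, "sys.openfile.%s.%s", op, path);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Run authopen; return the descriptor it opened, or -1. display_name becomes
 * argv[0], the name the dialog shows; ext_auth (may be NULL) is an
 * AuthorizationExternalForm written to authopen's stdin first, for -extauth. */
int authopen_fd(const char *display_name, const char *path, int oflag,
                const void *ext_auth, size_t ext_auth_len)
{
    int sv[2], in[2] = { -1, -1 }, status, ok, fd = -1;
    char oflag_str[16]; pid_t pid;
    snprintf(oflag_str, sizeof oflag_str, "%d", oflag);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if ((ext_auth && pipe(in) < 0) || (pid = fork()) < 0) {
        close(sv[0]); close(sv[1]); close(in[0]); close(in[1]);  /* close(-1): EBADF, harmless */
        return -1;
    }
    if (pid == 0) {                          /* child: stdout must be the socket */
        const char *argv[8] = { display_name ? display_name : "/usr/libexec/authopen", "-stdoutpipe" };
        int n = 2;
        if (ext_auth) {                      /* external form arrives on stdin */
            argv[n++] = "-extauth";
            dup2(in[0], STDIN_FILENO); close(in[0]); close(in[1]);
        }
        argv[n++] = "-o"; argv[n++] = oflag_str; argv[n++] = path; argv[n] = NULL;
        dup2(sv[1], STDOUT_FILENO); close(sv[1]); close(sv[0]);
        execv("/usr/libexec/authopen", (char *const *)argv);
        _exit(127);                          /* exec failed; skip atexit handlers */
    }
    close(sv[1]); close(in[0]);
    ok = !ext_auth || write(in[1], ext_auth, ext_auth_len) == (ssize_t)ext_auth_len;
    close(in[1]);
    if (ok)
        fd = recv_fd(sv[0]);                 /* returns when authopen sends or exits */
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (fd >= 0 && !(WIFEXITED(status) && WEXITSTATUS(status) == 0)) {
        close(fd); fd = -1;                  /* descriptor arrived but authopen failed */
    }
    return fd;
}

#ifdef __APPLE__
/* Obtain the right in the calling process (the dialog is raised for this app)
 * and export it for -extauth. Keep *ref alive until authopen_fd() returns,
 * then AuthorizationFree(*ref, kAuthorizationFlagDestroyRights). */
int make_openfile_extauth(const char *path, int oflag, AuthorizationRef *ref,
                          AuthorizationExternalForm *out)
{
    char right[1024];
    AuthorizationItem item = { right, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    if (authopen_right_name(path, oflag, right, sizeof right) != 0)
        return -1;
    if (AuthorizationCreate(&rights, kAuthorizationEmptyEnvironment,
            kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights, ref) != errAuthorizationSuccess)
        return -1;
    if (AuthorizationMakeExternalForm(*ref, out) == errAuthorizationSuccess) return 0;
    AuthorizationFree(*ref, kAuthorizationFlagDefaults); *ref = NULL;
    return -1;
}
#endif
```

On macOS the sequence is make_openfile_extauth(path, O_RDWR, &ref, &ext), then authopen_fd("MyApp", path, O_RDWR, &ext, sizeof ext), then AuthorizationFree(ref, kAuthorizationFlagDestroyRights). The descriptor that comes back is the only privileged object the application receives: authopen performed the open(2) as root and exited, the application keeps running unprivileged, and the grant is limited to a single sys.openfile right on one path, which is the narrower alternative to AuthorizationExecuteWithPrivileges that the question asks for. Passing the application name as argv[0] is the same trick as putting the app path in the first execl argument.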




I think that if you give your application path in the first argv argument:

execl(authopenPath,
      "app path", // <--
      "-stdoutpipe",
      [self.device.devicePath fileSystemRepresentation],
      NULL);

the dialog will show:

"app name requires that you type your password"

0




You need to look directly at the security infrastructure introduced in 10.4, I think, which has been the main source of permissions since 10.5. OS X still runs PAM (like Linux), but /etc/authorization now replaces that. Apple has one or two code examples where you could programmatically create a class/entry for someone who would authorize themselves (or pre-authorize / be pre-authorized, like people who are allowed to type).

-1




This question is old, but it seems to be possible, as explained in this technical note: Technical Note TN2095: Authorization for Everyone, http://developer.apple.com/library/mac/#technotes/tn2095/_index.html

-1

