Sandboxing/Entitlements - requesting access to a directory

gwelmarten
Jun 3, 2012, 02:20 PM
Hi
Our app at the moment makes use of SH and echo to append a string to the end of a file in the /etc/ folder. Having this key in this location is critical to the app's functionality, and although we are working on an alternative place to store this key, it won't be fixed for the next couple of months.
What with Apple's Sandboxing requirements, it's no longer simple to get access to this location.
We were using something along the lines of:
// Run /bin/sh -c "<command>" as a child process.
NSTask *task;
task = [[NSTask alloc] init];
[task setLaunchPath: @"/bin/sh"];

// The shell command appends one line to the file under /etc/.
NSArray *arguments;
arguments = [NSArray arrayWithObjects:@"-c", @"echo 'Random bit of text' >> /etc/relevant-file", nil];
[task setArguments: arguments];

// Capture the child's standard output through a pipe.
NSPipe *pipe;
pipe = [NSPipe pipe];
[task setStandardOutput: pipe];

NSFileHandle *file;
file = [pipe fileHandleForReading];

[task launch];

// Read until the child closes its end of the pipe.
NSData *data;
data = [file readDataToEndOfFile];

NSString *string;
string = [[NSString alloc] initWithData: data encoding: NSUTF8StringEncoding];
NSLog (@"sh returned:\n%@", string);
Also, we are no longer able to request authentication from a user to access this directory (again, Sandboxing requirements).
Is there a way to add an entitlement that gives us access to the /etc/ directory? A string I should be adding to the entitlements folder? I see you can request access to certain folders (user defined, pictures, etc), and wonder if I can get access via this method to the relevant folder.
Does anybody have any other ideas?
Thanks,
Sam



JoshDC
Jun 5, 2012, 12:55 PM
You can use temporary exceptions:

https://developer.apple.com/library/mac/#documentation/Miscellaneous/Reference/EntitlementKeyReference/AppSandboxTemporaryExceptionEntitlements/AppSandboxTemporaryExceptionEntitlements.html%23//apple_ref/doc/uid/TP40011195-CH5-SW1

In this case you will have to provide Apple with reasons why you need access to the files/folders you have listed, so I would try to be as specific as possible. While I have no experience of their policies with exceptions, I would expect read/write access to the entire "/etc/" directory would not be approved, but "/etc/relevant-file" would be, assuming it is specific to your application.

Note that "temporary" means just that, and the exceptions will not exist forever.
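
The two requests compared in the reply above (the whole "/etc/" directory versus the single "/etc/relevant-file"), as an added example that is not part of the original thread: a Python check that reads an entitlements property list and flags absolute-path temporary exceptions covering an entire system directory. The entitlement key is Apple's documented one; the sample plists and the BROAD_DIRS list are constructed assumptions for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Apple's documented key prefix for absolute-path file exceptions
# (suffix is "read-only" or "read-write"; the value is an array of paths).
PREFIX = "com.apple.security.temporary-exception.files.absolute-path."

# Assumption: directories this audit treats as too broad to request whole.
BROAD_DIRS = {"/", "/etc", "/private/etc", "/usr", "/var", "/Library"}

# Constructed sample entitlements file; {path} is filled in per request.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array><string>{path}</string></array>
</dict>
</plist>
"""

def sample(path):
    """Return a constructed entitlements plist requesting read-write on path."""
    return TEMPLATE.format(path=path).encode("utf-8")

def audit(entitlements_xml):
    """Return (access, path, verdict) for each absolute-path file exception."""
    entitlements = plistlib.loads(entitlements_xml)
    findings = []
    for key, paths in entitlements.items():
        if not key.startswith(PREFIX):
            continue  # e.g. com.apple.security.app-sandbox
        for path in paths:
            normalized = str(PurePosixPath(path))  # drops a trailing slash
            verdict = "broad" if normalized in BROAD_DIRS else "specific"
            findings.append((key[len(PREFIX):], path, verdict))
    return findings

if __name__ == "__main__":
    for requested in ("/etc/", "/etc/relevant-file"):
        for access, path, verdict in audit(sample(requested)):
            print(f"{access:10} {path:20} {verdict}")
```
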