PDA

View Full Version : Provide Admin Privilege to other users




Tejashree
Jun 23, 2009, 02:46 AM
Hello,

In my application, I want a feature where user can delete some system privileged files. To achieve this, user need admin privileges i.e. user need to enter admin username and password.

My question - Is there any other way to provide the admin privilege to the user, if user doesn't know the admin username and password.

Please guide.

I have also read previous discussions on this topic
( http://forums.macrumors.com/showthread.php?t=658751&highlight=authorization ) and understood that user has to know admin credentials to perform this task.


Thanks,
Tejashree.



robbieduncan
Jun 23, 2009, 03:05 AM
My question - Is there any other way to provide the admin privilege to the user, if user doesn't know the admin username and password.

No. If there were this would be a major, fundamental security flaw in the OS.

dmmcintyre3
Jun 23, 2009, 05:22 AM
It involves messing with system files (as the admin).

You edit the sudoers file to allow the command nessesary to run (in this case the delete command) as a non admin. It would require the app to run the delete command in unix not the GUI though. Or you could write a shell script (set this command as anybody can run it[with or without their password your choice])with an applescript launcher that launches the app as root. I did this with my fan controller. I have almost forgotten I did that.

angelwatt
Jun 23, 2009, 07:45 AM
If it didn't require the user to know the admin credentials then I would consider it malicious software.

Tejashree
Jun 25, 2009, 12:55 AM
Thanks a lot for all the suggestions.

I am desperately want to find out the Best possible solution for this problem.

For editing sudoer file, user will need admin credentials and this will not be my application specific. It will affect all the users throughout the system.

I want to delete privileged files without providing admin credentials, as my user doesnt know admin username and password.

Please help if this is possible by any way.

Thanks,
Tejashree.

dmmcintyre3
Jun 25, 2009, 01:16 AM
For editing sudoer file, user will need admin credentials and this will not be my application specific. It will affect all the users throughout the system.

In sudoers give your app admin privileges?


Here is mine:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD: /bin/g4fancontrol

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now



This allows the app g4fancontrol in /bin/g4fancontrol to be run without password for all admins.
%admin ALL=(ALL) NOPASSWD: /bin/g4fancontrol

If your app is called Test and it is a GUI app in /Applications to allow all users (non admins) you would add the line to the file

%users /Applications/Test.app/Contents/Resources/Test NOPASSWD: /Applications/Test.app/Contents/Resources/Test
to allow the app admin privileges without passwords.

Replace %users with a short name (the one all lowercase without spaces) of the user you want.

angelwatt
Jun 25, 2009, 09:55 AM
In sudoers give your app admin privileges?

Editing the sudoer file requires knowing the admin credentials, which the OP states the users don't have.


If the users don't have admin privileges, then they shouldn't be able to affect system files because that goes against all of the security of the machine. What you're wanting to do is compromising the security of the system. Anything that gets around this is a hole in Apple's OS and would need to be fixed.

dmmcintyre3
Jun 25, 2009, 10:04 AM
Editing the sudoer file requires knowing the admin credentials, which the OP states the users don't have.


If the users don't have admin privileges, then they shouldn't be able to affect system files because that goes against all of the security of the machine. What you're wanting to do is compromising the security of the system. Anything that gets around this is a hole in Apple's OS and would need to be fixed.

He (the admin) could do it then the reg users could do what his program wants to do.

(there was an old exploit that anybody could gain admin but it is patched)

angelwatt
Jun 25, 2009, 11:53 AM
He (the admin) could do it then the reg users could do what his program wants to do.

He's not the user's admin though. He's just the developer.

Tejashree
Jul 6, 2009, 02:27 AM
Hello Thanks a lot for all the suggestions and help.

Finally, I have implemented (the deletion of privilege files) using very simple and standard technique i.e. Authorization mechanism with AuthorizationExecuteWithPrivileges API.

This is working very perfectly for all the files except 2. Those are:-

/System/private/var/log/secure.log
/System/private/var/log/system.log

My application try to delete these files. Immediately after executing my application, I am checking the status of these files from terminal using command "ls -l".
Terminal shows the latest time as a creation time.
I am not able to check/find out whether these were deleted by my application and created again or only modified by my application.

I also find out that these can be deleted from terminal using command "sudo rm -rf /private/var/log/secure.log" But I am not able to do this in my code.

Please guide how to delete these 2 files from my application.

Thanks,
Tejashree.

gnasher729
Jul 6, 2009, 03:15 AM
Hello Thanks a lot for all the suggestions and help.

Finally, I have implemented (the deletion of privilege files) using very simple and standard technique i.e. Authorization mechanism with AuthorizationExecuteWithPrivileges API.

This is working very perfectly for all the files except 2. Those are:-

/System/private/var/log/secure.log
/System/private/var/log/system.log

My application try to delete these files. Immediately after executing my application, I am checking the status of these files from terminal using command "ls -l".
Terminal shows the latest time as a creation time.
I am not able to check/find out whether these were deleted by my application and created again or only modified by my application.

I also find out that these can be deleted from terminal using command "sudo rm -rf /private/var/log/secure.log" But I am not able to do this in my code.

Please guide how to delete these 2 files from my application.

Thanks,
Tejashree.

I would like to hear an explanation why you would want to delete this files. The only two that come to mind are: 1. Your application does something it shouldn't that turns up in the log files and you have some stupid marketing people in your back who don't want users to see this. 2. You are trying to write a Trojan and want to cover up what it is doing.

I'd like to see a different reason, but I think I would consider any application that deletes log files to be malware.

Tejashree
Jul 6, 2009, 04:18 AM
I am creating a disk cleaning software on my MAC.

Please guide.

Thanks,
Tejashree.