Run Cocoa Application as Root user




ruhi
Jul 30, 2009, 12:08 AM
I want my Cocoa application to run with its owner as root.

How can I do this?

Thanks,
Ruhi.



gnasher729
Jul 30, 2009, 01:49 AM
> I want my Cocoa application to run with its owner as root.
>
> How can I do this?
>
> Thanks,
> Ruhi.

If you want to run as root, you are risking extreme damage to the system of the user. So you better have a very, very good reason to do this. Please explain what you want to achieve by running as root user.

ruhi
Jul 30, 2009, 07:31 AM
I want to enter a key-value pair in the Loginwindow.plist file in library/preferences to set my application at startup for all users.

Therefore, I need to run it as root user.

Please help!

Thanks,
Ruhi.

lee1210
Jul 30, 2009, 08:07 AM
You don't need to run as root to do this, you need to use Authorization Services (http://developer.apple.com/documentation/security/conceptual/authorization_concepts/01introduction/introduction.html) and perform this one task with escalated permissions.

-Lee

ruhi
Aug 10, 2009, 04:36 AM
Hello,

I am using Authorization Services.

I have done the following steps:


AuthorizationRef myAuthorizationRef;
OSStatus myStatus;
myStatus = AuthorizationCreate (NULL, kAuthorizationEmptyEnvironment,
    kAuthorizationFlagDefaults, &myAuthorizationRef);

// set up rights and request authorization
AuthorizationItem myItems[1];
myItems[0].name = "com.mycompany.myapp";
myItems[0].valueLength = 0;
myItems[0].value = NULL;
myItems[0].flags = 0;
AuthorizationRights myRights;
myRights.count = sizeof (myItems) / sizeof (myItems[0]);
myRights.items = myItems;
AuthorizationFlags myFlags;
myFlags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed |
    kAuthorizationFlagExtendRights;
myStatus = AuthorizationCreate (&myRights, kAuthorizationEmptyEnvironment,
    myFlags, &myAuthorizationRef);

// What else to do now so as to run this .app as root user?

Please help!!

I have studied a lot but am not getting what is desired.

Thanks,
Ruhi.

gnasher729
Aug 10, 2009, 05:46 AM
> Please help!!
>
> I have studied a lot but am not getting what is desired.
>
> Thanks,
> Ruhi.

You are getting what is desired by Apple and all Macintosh users, just not what _you_ desire. But nobody cares.

You seriously _don't_ want to run as a root user. If your application insists on running as root, running it on my computer at work would get me into very serious trouble with my boss, including a talk to Human Resources. Not that I would do it. If the grandchildren ran your application on the computer, it would get them into very serious trouble with me (like: Forever being banned from using my Mac).

It is typical when people don't listen:

A: I want to do X.
B: You really really don't want to do X. What are you trying to do?
A: I want to do X because I want to do Y.
C: Don't do X. In order to do Y, do these things...
A: I tried these things, but they don't let me do X.

At that point everyone pulls out their hair. Just do as Lee told you to change Loginwindow.plist.

ruhi
Aug 10, 2009, 06:13 AM
OK, I got your point. Sorry.

But I don't get escalated privileges anywhere. So I thought it might be the same as root.

Is the code that I have posted of help, or did I just waste my time writing it?

Please give some direction on where to start for escalated privileges.

Thanks,
Ruhi

robbieduncan
Aug 10, 2009, 06:27 AM
The only times I've ever used authorisation services I've always used a second executable (a command-line tool) embedded in the app to do the operation I wanted to execute with enhanced privileges. From memory this is what the documentation tells you to do and provides maximal security.

ruhi
Aug 10, 2009, 06:31 AM
What is to be written in the command-line utility? Do I need to code the same as above, or is something missing?

Will it also make my application trusted?

Thanks,
Ruhi

robbieduncan
Aug 10, 2009, 06:39 AM
> What is to be written in the command-line utility? Do I need to code the same as above, or is something missing?
>
> Will it also make my application trusted?
>
> Thanks,
> Ruhi

Read the documentation (03authtasks). You turn the results of the above into a serialised binary object and pass that to the helper tool (which as per the documentation can use the setuid bit to run as root).

Why are you not checking the return value (myStatus)? It's possible that the user is not being authorised...
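
[Added example, not part of the original thread and not Apple's sample code: a sketch of the hand-off robbieduncan describes, with every OSStatus checked. The right name is the one from ruhi's post; the function names and passing the serialised form as an NSData blob (for instance over the helper's stdin) are assumptions.]

```objective-c
// Added example. Function names and the NSData hand-off are assumptions.
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>

static AuthorizationItem   kItem   = { "com.mycompany.myapp", 0, NULL, 0 };
static AuthorizationRights kRights = { 1, &kItem };

// App side (unprivileged): obtain the right, then serialise the reference.
// Returns nil if any call fails, e.g. the user cancels the password dialog.
// On success the caller owns *outRef and frees it only after the helper exits.
NSData *CopyAuthorizationForHelper(AuthorizationRef *outRef) {
    AuthorizationRef ref = NULL;
    AuthorizationExternalForm ext;
    if (AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                            kAuthorizationFlagDefaults, &ref) != errAuthorizationSuccess)
        return nil;
    AuthorizationFlags flags = kAuthorizationFlagDefaults |
        kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
    if (AuthorizationCopyRights(ref, &kRights, kAuthorizationEmptyEnvironment,
                                flags, NULL) != errAuthorizationSuccess ||
        AuthorizationMakeExternalForm(ref, &ext) != errAuthorizationSuccess) {
        AuthorizationFree(ref, kAuthorizationFlagDestroyRights);
        return nil;
    }
    *outRef = ref;
    return [NSData dataWithBytes:&ext length:sizeof ext];
}

// Helper side (the setuid-root tool): trust nothing the caller sent.
// Returns YES only if the blob is well formed and still carries the right.
BOOL HelperIsAuthorized(NSData *blob) {
    if ([blob length] != sizeof(AuthorizationExternalForm))
        return NO;                      // wrong size: reject before parsing
    AuthorizationExternalForm ext;
    [blob getBytes:&ext length:sizeof ext];
    AuthorizationRef ref = NULL;
    if (AuthorizationCreateFromExternalForm(&ext, &ref) != errAuthorizationSuccess)
        return NO;
    // Re-check the right inside the privileged process before acting on it.
    OSStatus st = AuthorizationCopyRights(ref, &kRights,
        kAuthorizationEmptyEnvironment,
        kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(ref, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;
}
```

The helper performs its single privileged operation only when HelperIsAuthorized returns YES, and exits otherwise.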

ruhi
Aug 10, 2009, 06:56 AM
Hello,

Thanks, but the link is not working.

I am now totally confused. How do I turn it into binary?

Everything is getting messy.

Just making my application trusted involves so much complexity?

Can you explain to me step by step what I need to do?

Thanks,
Ruhi.

robbieduncan
Aug 10, 2009, 07:13 AM
Sorry, link is http://developer.apple.com/documentation/security/conceptual/authorization_concepts/03authtasks/authtasks.html#//apple_ref/doc/uid/TP30000995-CH206-BCIGAIAG

And it shows you what to do. In all seriousness, if you can't get it working with the documentation then you probably shouldn't be writing code that runs at this level, as having root/admin rights is very dangerous.

gnasher729
Aug 10, 2009, 07:15 AM
> What is to be written in the command-line utility? Do I need to code the same as above, or is something missing?
>
> Will it also make my application trusted?
>
> Thanks,
> Ruhi

Let me put it like this: If you can't manage to go to developer.apple.com, and type in "authorization" into a search box, then I am sure that I don't want to run an application written by you as root, and I don't want an application written by you to be run every time my Macintosh is started.

You are trying to get into areas where any minor mistake can be a major security risk for people using your applications. If Apple's documentation is confusing you, then sorry, but you shouldn't be doing this. This is like someone asking advice how to install a gas fire at their home, or how to use a chain saw, or how to repair a microwave oven: If you have to ask for advice, then DON'T DO IT.

ruhi
Aug 10, 2009, 07:21 AM
Thanks for your rude reply.

But I already told you I have read all about it. Doesn't it mean that I have read all this documentation?

Well, thanks for your support.

It's better to try and try by myself than wasting time posting queries expecting help.

Thanks,
Ruhi.