1. Welcome to the new MacRumors forums. See our announcement and read our FAQ

Provide Admin Privilege to other users

Discussion in 'Mac Programming' started by Tejashree, Jun 23, 2009.

  1. macrumors newbie



    In my application, I want a feature where user can delete some system privileged files. To achieve this, user need admin privileges i.e. user need to enter admin username and password.

    My question - Is there any other way to provide the admin privilege to the user, if user doesn't know the admin username and password.

    Please guide.

    I have also read previous discussions on this topic
    ( http://forums.macrumors.com/showthread.php?t=658751&highlight=authorization ) and understood that user has to know admin credentials to perform this task.

  2. Moderator


    Staff Member

    No. If there were this would be a major, fundamental security flaw in the OS.
  3. macrumors 68020


    You can but...

    It involves messing with system files (as the admin).

    You edit the sudoers file to allow the command nessesary to run (in this case the delete command) as a non admin. It would require the app to run the delete command in unix not the GUI though. Or you could write a shell script (set this command as anybody can run it[with or without their password your choice])with an applescript launcher that launches the app as root. I did this with my fan controller. I have almost forgotten I did that.
  4. Moderator emeritus


    If it didn't require the user to know the admin credentials then I would consider it malicious software.
  5. macrumors newbie


    Thanks a lot for all the suggestions.

    I am desperately want to find out the Best possible solution for this problem.

    For editing sudoer file, user will need admin credentials and this will not be my application specific. It will affect all the users throughout the system.

    I want to delete privileged files without providing admin credentials, as my user doesnt know admin username and password.

    Please help if this is possible by any way.

  6. macrumors 68020


    In sudoers give your app admin privileges?

    Here is mine:
    # sudoers file.
    # This file MUST be edited with the 'visudo' command as root.
    # See the sudoers man page for the details on how to write a sudoers file.
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # Defaults specification
    Defaults	env_reset
    Defaults	env_keep += "BLOCKSIZE"
    Defaults	env_keep += "COLORFGBG COLORTERM"
    Defaults	env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults	env_keep += "LINES COLUMNS"
    Defaults	env_keep += "LSCOLORS"
    Defaults	env_keep += "SSH_AUTH_SOCK"
    Defaults	env_keep += "TZ"
    Defaults	env_keep += "EDITOR VISUAL"
    # Runas alias specification
    # User privilege specification
    root	ALL=(ALL) ALL
    %admin	ALL=(ALL) ALL
    %admin 	ALL=(ALL)	NOPASSWD: /bin/g4fancontrol
    # Uncomment to allow people in group wheel to run all commands
    # %wheel	ALL=(ALL)	ALL
    # Same thing without a password
    # %wheel	ALL=(ALL)	NOPASSWD: ALL
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now

    This allows the app g4fancontrol in /bin/g4fancontrol to be run without password for all admins.
    %admin 	ALL=(ALL)	NOPASSWD: /bin/g4fancontrol
    If your app is called Test and it is a GUI app in /Applications to allow all users (non admins) you would add the line to the file

    %users	/Applications/Test.app/Contents/Resources/Test	NOPASSWD: /Applications/Test.app/Contents/Resources/Test 
    to allow the app admin privileges without passwords.

    Replace %users with a short name (the one all lowercase without spaces) of the user you want.
  7. Moderator emeritus


    Editing the sudoer file requires knowing the admin credentials, which the OP states the users don't have.

    If the users don't have admin privileges, then they shouldn't be able to affect system files because that goes against all of the security of the machine. What you're wanting to do is compromising the security of the system. Anything that gets around this is a hole in Apple's OS and would need to be fixed.
  8. macrumors 68020


    He (the admin) could do it then the reg users could do what his program wants to do.

    (there was an old exploit that anybody could gain admin but it is patched)
  9. Moderator emeritus


    He's not the user's admin though. He's just the developer.
  10. macrumors newbie


    Hello Thanks a lot for all the suggestions and help.

    Finally, I have implemented (the deletion of privilege files) using very simple and standard technique i.e. Authorization mechanism with AuthorizationExecuteWithPrivileges API.

    This is working very perfectly for all the files except 2. Those are:-


    My application try to delete these files. Immediately after executing my application, I am checking the status of these files from terminal using command "ls -l".
    Terminal shows the latest time as a creation time.
    I am not able to check/find out whether these were deleted by my application and created again or only modified by my application.

    I also find out that these can be deleted from terminal using command "sudo rm -rf /private/var/log/secure.log" But I am not able to do this in my code.

    Please guide how to delete these 2 files from my application.

  11. macrumors G5


    I would like to hear an explanation why you would want to delete this files. The only two that come to mind are: 1. Your application does something it shouldn't that turns up in the log files and you have some stupid marketing people in your back who don't want users to see this. 2. You are trying to write a Trojan and want to cover up what it is doing.

    I'd like to see a different reason, but I think I would consider any application that deletes log files to be malware.
  12. macrumors newbie


    I am creating a disk cleaning software on my MAC.

    Please guide.


Share This Page