System Administrator Password


Banshee(Posted 2006) [#1]
I would like to grant root access to my application. Many MacOS applications that do this pop up a dialogue for the System Administration password. Has anyone figured out how to do this?

I have BMax + BMaxGui
I use OSX 10.3 Server, OSX 10.4 Server, OSX 10.4 Tiger


Winni(Posted 2006) [#2]
Hi,

The best lead I have found so far is this article:

http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/index.html#//apple_ref/doc/uid/TP30000995

However, I have not yet used it and cannot tell if it is of any help.


Banshee(Posted 2006) [#3]
I think I'm stuffed, the only way I can get my app to work is to run it in root user mode, but I have a user complaining that the root user doesn't have a folder in the user folder. I instructed him on making an alias, but it is such a simple tool that it should just be able to authenticate itself.

That document refers to xcode usage, the last example seems to show the way, but I don't want to start over in xcode. I bought BlitzMax for doing these small applications because I find Blitz easier, must I really learn Xcode :(.


Winni(Posted 2006) [#4]
I think it basically comes down to this function that needs to be wrapped:

#include <assert.h>
#include <Carbon/Carbon.h>
#include <Security/Security.h>


extern OSStatus AcquireRight(const char *rightName)
    // This routine calls Authorization Services to acquire 
    // the specified right.
{
    OSStatus                         err;
    static const AuthorizationFlags  kFlags = 
                  kAuthorizationFlagInteractionAllowed 
                | kAuthorizationFlagExtendRights;
    AuthorizationItem   kActionRight = { rightName, 0, 0, 0 };
    AuthorizationRights kRights      = { 1, &kActionRight };

//    assert(gAuthorization != NULL);

    // Request the application-specific right.

    err = AuthorizationCopyRights(
        gAuthorization,         // authorization
        &kRights,               // rights
        NULL,                   // environment
        kFlags,                 // flags
        NULL                    // authorizedRights
    );

    return err;
}



However, this needs to be linked against the security framework, and I don't know how to explain this to the BlitzMax compiler. In Xcode, they just "add" the core frameworks and it compiles. How would you do that in Max?


Banshee(Posted 2006) [#5]
I have no clue, I'm sorry to say. I'm not even remotely interested in learning xcode at the moment, if I was, I'd be using that instead.

I could really use this functionality though.


Winni(Posted 2006) [#6]
Same here - I'm working on some code that opens "privileged" ports, and on OS X, only a superuser can do that. Maybe I'll manage to dig something up on the weekend.


Banshee(Posted 2006) [#7]
If you're looking for a solution for yourself, log in as root. I'll explain that in a moment for anyone reading who doesn't know.

Before I do I want to stress that this is NOT a workaround, it is unviable to get your customers to do this.

To Enable Root: On OS X Server it is enabled by default, for home user versions of OS X you will need to turn it on first.

Go to Applications/Utilities and open NetStat. Go to the Security menu and authenticate. Then return to the Security menu and enable root user.

Now restart the computer and log in with the username "root", if you have a user selection menu you may need to select "other". The root user password is the same as the system administration password.

You now have access everywhere.

One note, the root user home folder is not inside /users/ like other users, it is actually inside /private/var/root but /private/ is a hidden directory. I make an alias of it by temporarily showing all files in the finder, and then dragging the alias to my /users/ folder.

I really think system administration needs to be included into BMax, otherwise we cannot even write a proper software installer. This is quite serious.


Winni(Posted 2006) [#8]
Nope, I am looking for a way to implement the default authentication dialog that "lifts" the application to a more privileged level where it can perform administrator or other functions. If I understand the C samples above correctly, it is their purpose to do exactly that.

I agree that logging in as root is not an option.

As for the installers: Have you tried Iceberg?


Banshee(Posted 2006) [#9]
>>As for the installers: Have you tried Iceberg?
But I bought a fully featured programming language...


skidracer(Posted 2006) [#10]
Yeh right, it states quite clearly on the box that blitzmax offers security and authorisation services on all platforms, we only added the game development libraries as an afterthought.

Anyway that C snippet doesn't compile because the gauthorisation variable is not created, for that I would imagine you will need to establish exactly what you want to ACTUALLY do. I advise you read another 50 pages of Apple documentation, then pick one of the constants at the bottom of this document:

http://developer.apple.com/documentation/Security/Reference/authorization_ref/Reference/reference.html

and then report back here.

Or follow the very sensible advice of leveraging the abilities of your chosen installer to perform these root level operations, whatever the heck they may be - I do hope you're more exact with your customers about your intentions than you are here!


Brucey(Posted 2006) [#11]
otherwise we cannot even write a proper software installer

Or you can just use Apple's own installer which does all that "I need to be admin to install something somewhere" stuff for you.

Anyway, enabling root access on OS X is seriously inadvisable.
That's what sudo is for.

And opening privileged ports will *still* require super-user access to do so - only you will need to prompt for that super-user password when the time comes.

Sounds like someone needs to write a Mac Security module :-)


Banshee(Posted 2006) [#12]
Yeh right, it states quite clearly on the box that blitzmax offers security and authorisation services on all platforms, we only added the game development libraries as an afterthought.

When there's a box I'll take a look at it... FYI: BlitzMax has a GUI module. I do not see any game libraries at all, you could make breakout in it, but without a 3D engine I would hardly call it a game programming language, honestly.

- I do hope you're more exact with your customers about your intentions than you are here!

My intentions are: To fix the file permissions of files uploaded to a file server so that office based Mac users can edit each others work - according to the access permissions set on the server, and not the permissions set by each individual file. Like BatChmod, but to write it in such a way that it does not require any user intervention and can just sit on the server.


skidracer(Posted 2006) [#13]
but without a 3D engine I would hardly call it a game programming language


OK, obviously a generation gap or something, my bad.

So why does the server app not have permissions to chmod the files? Are we talking about write permissions for all or what exactly? If the app has read access of the file it can make a simple copy of the file with new version configured the way you want it without requiring extra authorization?

Are you using SetFileMode, does it crash or do the permissions just not change?

Or are these permissions to do with Apple style internal document settings/permissions on which the documentation at Apple gets really really scary really really quick.


Banshee(Posted 2006) [#14]
OK, obviously a generation gap or something, my bad.

I released my first commercial game 19 years ago, I'm well aware that games can be 2D. I'm also well aware that there are not any 2D games around anymore apart from the odd indie puzzle game.

I'm using SetFileMode to change the others part of the POSIX permissions of *files* to read & write, of course the document is still safe because the share point has its own permissions. This needs doing in many Mac firms a few dozen times a day, and is done by hand, so I made a tool to auto-repeat the process but of course it only works if logged in as root. I would like for this not to be the case.

I don't mind if BlitzMax cannot do this, but I resent the "Blitz is for games" answer. It undermines the product and what it can do, there's been many great utilities written in Blitz already. If that's the label BR wants though, good luck! It'd have to be one hell of a 3D engine to prize me away from Blitz3D.


Brucey(Posted 2006) [#15]
Ya know... if it's a cli app, you could always set it up as a cron-job for a super user, in which case it always starts with the required rights...


Banshee(Posted 2006) [#16]
How do I do that please Brucey? I'm not knowledgeable enough :/


Brucey(Posted 2007) [#17]
Oops... sorry for missing this...

Cron jobs... allow you to run a command at a given time or interval.

To edit the cron table (crontab) for root user you would type something like:
sudo crontab -u root -e

..enter password when prompted.
You should now be presented with everyone's favourite vi editor. (if you aren't vi-savvy, ask Google for help)

A crontab entry has six fields. The first 5 determine *when* your command is to run. The 6th, is the command.

Example:
0 0 * * * /usr/bin/myarchivescript.sh

...which says, run "myarchivescript.sh" at midnight every day.

The five fields are represented as follows:
minute (0-59)
hour (0-23)
day of the month (1-31)
month of the year (1-12)
day of the week (0-6 with 0=Sunday)

An asterisk (*) means - any, or all.
For example, if you specify * for the first (minute) field in the above example, it will attempt to run the script once *every* minute while the hour is still 0.

You can also have the following types of values for the number fields:
*/15      Is treated as every 15 minutes, hours, days, or months.
          Replacing the 15 with another numerical value will change this option.
2,4,6     Treated as an OR, so if placed in the hours, this could mean at 2, 4, or 6 o'clock.
9-17      Treats for any value between 9 and 17. So if placed in day of month this would be days 9 through 17.
          Or if put in hours it would be between 9 and 5.


You can *look* at what cron-jobs are set up for root by issuing the following command:
sudo crontab -u root -l

And if you want to run a cron-job for your current user, you use commands such as:
crontab -e
crontab -l


HTH

:o)
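
Added example (not part of the thread): anything listed in root's crontab runs with full privileges, so the program an entry names should be an absolute path that only root can modify. This shell sketch parses an entry in the six-field format described above and checks the owner and write bits of the program and its directory; the function names and the TRUSTED_UID setting are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the program named in a root crontab entry.
# TRUSTED_UID is this sketch's own setting: a uid besides 0 allowed to own the job.
TRUSTED_UID="${TRUSTED_UID:-0}"

# cron_command LINE: print the program of a crontab entry (first word of the
# 6th field). Returns 1 for blank lines, comments and VAR=value settings.
cron_command() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/                { exit 1 }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/  { exit 1 }
        $1 ~ /^@/ && NF >= 2                    { print $2; exit 0 }
        NF < 6                                  { exit 1 }
        { print $6 }'
}

# owned_and_closed PATH: 0 when PATH exists, is owned by uid 0 or TRUSTED_UID,
# and has no group/other write bit (characters 6 and 9 of the ls mode string).
owned_and_closed() {
    ls -ldn "$1" 2>/dev/null | awk -v u="$TRUSTED_UID" '
        { ok = ($3 == 0 || $3 == u) && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w" }
        END { exit !ok }'
}

# audit_cron_line LINE: 0 = acceptable, 1 = unsafe, 2 = not a job line.
audit_cron_line() {
    cmd=$(cron_command "$1") || return 2
    case "$cmd" in
        /*) ;;
        *)  echo "UNSAFE: $cmd is not an absolute path"; return 1 ;;
    esac
    # Check the program itself and the directory that contains it.
    for p in "$cmd" "$(dirname "$cmd")"; do
        owned_and_closed "$p" && continue
        echo "UNSAFE: $p is missing, has an untrusted owner, or is group/world-writable"
        return 1
    done
    echo "OK: $cmd"
}

# The sample entry from the post above, audited against this machine's filesystem.
audit_cron_line '0 0 * * * /usr/bin/myarchivescript.sh' || true
```

To audit a whole table, feed each line of `sudo crontab -u root -l` to audit_cron_line; the check covers only the program and its immediate directory, not every ancestor directory.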


Banshee(Posted 2007) [#18]
The problem with doing it as a crontab is it would require an end user to edit the cron table, the whole point of owning a Mac is that you shouldn't have to learn Unix to use it - if it were, then computing just went back in time 2 decades :).

Anyway I've learned a little of this BSD-Unix thingamy since this post was live, I'm still no expert, but importantly I've learned how to use sudo to open a BMax application with root privileges which solves my problem.

However, I am still left with the question of how to make this simpler for end users, I can make a 'loader' program which calls the sudo command...

'gui bit to get password, followed by...
system_ "sudo myApp.app/Contents/MacOS/myApp <password>"

However as we know the system_ command waits for the remote application to finish, thus the loader app would stay live.

I tried the CreateProcess() command in the PUB.FreeProcess module, but other than returning a valid TProcess() type it doesn't actually do anything.

ie:

Local proc:TProcess=TProcess.Create("sudo '/Applications/myApp.app/Contents/MacOS/myApp' <password>",0)
Delay 2000
If proc=Null
	Print "LAUNCH FAILED"
Else
	Print "DONE"
EndIf

It always returns DONE, but never actually launches the application.