Re: Using the security framework

Wed, 07 Jan 2009 02:29:03 -0800 

At 18:50 -0600 3/1/09, Joe Turner wrote:
I am making a hard drive cloner/backuper, and to do some deleting and copying, I need to use the security framework. What I need to be able to do is have the user type in their password one time, and then it would give me system.privilege.admin rights until a time that they want to unauthorized it (could be days, weeks, months, years). I have looked through the security framework, but have not really found how to have one system.privilege.admin authorization, and have it last a long time. So, if anyone could point me in the right direction with this, like what methods to use, and what parameters to use. 


One way to do this is to have a second tool that runs as root.  You 
need to ask for admin permissions the first time to enable suid mode 
on the tool, but after that the tool will run as root with full 
privileges.



Naturally, this has all the inherent security implications of that of 
any suid root tool, and the tool must now defend against possible 
misuse.  Some security suggestions include:



* Code sign both your application and your tool and verify both 
signatures before applying the suid bit.


* Strictly limit the actions of the tool.


* Ensure requests to the tool are processed only if they come from 
your properly signed application.



* Strictly minimize the tools code to minimize the chance of security 
related bugs.



* Limit the use of external frameworks in the tool to minimize the 
chance of security issues.


Enjoy,
   Peter.

--
              Keyboard Maestro 3 Now Available!
   Now run macros from your iPhone with Keyboard Maestro Control!

Keyboard Maestro <http://www.keyboardmaestro.com/> Macros for your Mac
<http://www.stairways.com/>           <http://download.stairways.com/>
_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com























					Reply via email to