On Jan 6, 2009, at 10:45 AM, Nick Zitzmann wrote:


On Jan 3, 2009, at 6:50 PM, Joe Turner wrote:

I am making a hard drive cloner/backuper, and to do some deleting and copying, I need to use the security framework. What I need to be able to do is have the user type in their password one time, and then it would give me system.privilege.admin rights until a time that they want to unauthorize it (could be days, weeks, months, years). I have looked through the security framework, but have not really found how to have one system.privilege.admin authorization, and have it last a long time. So, if anyone could point me in the right direction with this, like what methods to use, and what parameters to use.

If you pre-authorize an admin authorization, then it will last for 300 seconds and then must be renewed. This is not something you can programmatically change; it's set in the computer's /etc/authorization file.

That makes sense, but then how does an app like SuperDuper! do it? You click the lock, enter your password, and then you don't need to enter your password again until you lock it again. And, it is the regular security framework password window, so the developer must be doing some sort of authorization that lasts forever. And I checked, it does authorize system.privilege.admin.


I'm also wondering another thing. To delete the files, I need admin privileges, but, do I need to create a new target (e.g. a shell script) to do the copying and then run the command (blanking on the name) that runs the script at a given path with admin privileges? Or, could I somehow use NSFileManager in an authorized state?


You have to have something else do the work, since the security model of Mac OS X (and all Unix-like OSes) does not allow the escalation of privileges in an existing task.
Makes sense. So, if I create a separate target for the unix script, do I need to add something to it that takes the authorization? Or will anything it does that uses admin files be allowed?

Thanks a lot!

Joe


Nick Zitzmann
<http://www.chronosnet.com/>
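
Added example, not part of the original thread or any project's code: a small audit of the authorization policy plist that the reply above says holds the 300-second limit, reporting user-class rights whose credential timeout is missing or above a chosen limit. The sample plist is constructed, the com.example right and example-admin-no-timeout rule are hypothetical, and treating an absent timeout as "no expiry configured" is an assumption.

```python
import plistlib

# Constructed sample in the layout of the authorization policy plist
# ("rights" and "rules" dictionaries); the com.example names are hypothetical.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key>
  <dict>
    <key>system.privilege.admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><false/>
      <key>timeout</key><integer>300</integer>
    </dict>
    <key>com.example.cloner.copy</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><string>example-admin-no-timeout</string>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>example-admin-no-timeout</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
</dict></plist>"""

def resolve(policy, right):
    """Return the policy entry for a right, following one rule reference."""
    entry = policy["rights"][right]
    if entry.get("class") == "rule":  # assumes "rule" names a single rule
        entry = policy["rules"][entry["rule"]]
    return entry

def audit(policy, max_seconds=300):
    """Return (right, timeout) for user-class rights with no timeout or one above max_seconds."""
    findings = []
    for right in sorted(policy["rights"]):
        entry = resolve(policy, right)
        timeout = entry.get("timeout")
        if entry.get("class") == "user" and (timeout is None or timeout > max_seconds):
            findings.append((right, timeout))
    return findings

policy = plistlib.loads(SAMPLE)
```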



