Re: Encrypting Binary Strings
Simple answer: no. If your application can still read the strings, so can a clever person, if by nothing else than sitting and patiently emulating a CPU with a piece of paper and a pencil. In order to actually secure something *you, or your recipient* have to be involved in decrypting it, by knowing something secret (the key). Bob On Wed, Dec 30, 2009 at 5:17 PM, Mr. Gecko grmrge...@gmail.com wrote: Is it possible for me to encrypt the strings in my binary so hackers can't easily figure out what my application has in it? Reason I'm asking is I have some private keys that encodes data that I/parents don't want kids or teenagers to find. Thanks, Mr. Gecko___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/tom.davie%40gmail.com This email sent to tom.da...@gmail.com ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
Of course I know that, but I saw on the iPhone how the strings are encrypted and the only way for you to get the strings was if you used otool. Just that and I'll be satisfied. On Dec 30, 2009, at 11:32 AM, Tom Davie wrote: Simple answer: no. If your application can still read the strings, so can a clever person, if by nothing else than sitting and patiently emulating a CPU with a piece of paper and a pencil. In order to actually secure something *you, or your recipient* have to be involved in decrypting it, by knowing something secret (the key). Bob On Wed, Dec 30, 2009 at 5:17 PM, Mr. Gecko grmrge...@gmail.com wrote: Is it possible for me to encrypt the strings in my binary so hackers can't easily figure out what my application has in it? Reason I'm asking is I have some private keys that encodes data that I/parents don't want kids or teenagers to find. Thanks, Mr. Gecko___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/tom.davie%40gmail.com This email sent to tom.da...@gmail.com smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On Dec 30, 2009, at 9:17 AM, Mr. Gecko wrote: Is it possible for me to encrypt the strings in my binary so hackers can't easily figure out what my application has in it? Reason I'm asking is I have some private keys that encodes data that I/parents don't want kids or teenagers to find. Have you tried the OpenSSL crypto library? Maybe you could could encrypt your data, and then use an algorithm to put together the key at runtime. It isn't super secure, but he will prevent the data from sitting there on the disk in plaintext. Another thing to look at is DRM techniques. They need to solve a similar problem. Todd ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On 30 Dec 2009, at 17:17, Mr. Gecko wrote: Is it possible for me to encrypt the strings in my binary so hackers can't easily figure out what my application has in it? Reason I'm asking is I have some private keys that encodes data that I/parents don't want kids or teenagers to find. I'm sure it is possible to obfuscate the strings, but security by obscurity never works, and if you are distributing a private key inside your app for encryption, you are doing it wrong IMHO. -- Gleb Dolgich http://pixelespressoapps.com ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
Ok, I'll look up the different encodings I could do with openssl, Thanks for the suggestion. This is basically for Parental Controls, I know I could ask for a password at first, but then any kid could grab a copy and set their own password. What I'm doing is I'm asking for them to authenticate with Mac OS X, and then once they are authenticated, I'm allowing them to set settings that are encrypted with a key in AES. On Dec 30, 2009, at 11:49 AM, Todd Heberlein wrote: On Dec 30, 2009, at 9:17 AM, Mr. Gecko wrote: Is it possible for me to encrypt the strings in my binary so hackers can't easily figure out what my application has in it? Reason I'm asking is I have some private keys that encodes data that I/parents don't want kids or teenagers to find. Have you tried the OpenSSL crypto library? Maybe you could could encrypt your data, and then use an algorithm to put together the key at runtime. It isn't super secure, but he will prevent the data from sitting there on the disk in plaintext. Another thing to look at is DRM techniques. They need to solve a similar problem. Todd smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On 30 Dec 2009, at 17:59, Mr. Gecko wrote: This is basically for Parental Controls, I know I could ask for a password at first, but then any kid could grab a copy and set their own password. What I'm doing is I'm asking for them to authenticate with Mac OS X, and then once they are authenticated, I'm allowing them to set settings that are encrypted with a key in AES. Perhaps a better way would be to ask for a password once the user is authenticated, and then generate an AES key using that password, instead of storing encryption key inside your program. With you current scheme, if anyone breaks your 'common' key, everyone will be able to circumvent your parental protection. -- Gleb Dolgich http://pixelespressoapps.com___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
But then how would I get the data? If the key has to do with the password, then how can I get the parental settings and respond to them. On Dec 30, 2009, at 12:51 PM, Gleb Dolgich wrote: Perhaps a better way would be to ask for a password once the user is authenticated, and then generate an AES key using that password, instead of storing encryption key inside your program. With you current scheme, if anyone breaks your 'common' key, everyone will be able to circumvent your parental protection. -- Gleb Dolgich http://pixelespressoapps.com smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
You could store the generated key in a keychain. This way you wouldn't have to ask for the password to access the encryption key. -- Gleb Dolgich http://pixelespressoapps.com On 30 Dec 2009, at 18:58, Mr. Gecko wrote: But then how would I get the data? If the key has to do with the password, then how can I get the parental settings and respond to them. On Dec 30, 2009, at 12:51 PM, Gleb Dolgich wrote: Perhaps a better way would be to ask for a password once the user is authenticated, and then generate an AES key using that password, instead of storing encryption key inside your program. With you current scheme, if anyone breaks your 'common' key, everyone will be able to circumvent your parental protection. ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
But then the child/teenager, if they know about keychain they could check it and find the key. Unless there is a way to prevent them from seeing it. Speaking of keychain, can you recommend me a good public domain keychain framework? I currently wrote my own and on some computers, the keychain didn't work, the only thing they all had in common was 1password. On Dec 30, 2009, at 1:19 PM, Gleb Dolgich wrote: You could store the generated key in a keychain. This way you wouldn't have to ask for the password to access the encryption key. -- Gleb Dolgich http://pixelespressoapps.com On 30 Dec 2009, at 18:58, Mr. Gecko wrote: But then how would I get the data? If the key has to do with the password, then how can I get the parental settings and respond to them. On Dec 30, 2009, at 12:51 PM, Gleb Dolgich wrote: Perhaps a better way would be to ask for a password once the user is authenticated, and then generate an AES key using that password, instead of storing encryption key inside your program. With you current scheme, if anyone breaks your 'common' key, everyone will be able to circumvent your parental protection. smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
A teenager could also crack your app and use the key he found to gain access. If you want to prevent that, I guess you need to rethink the way you store access credentials. I wonder how [Snow] Leopard Parental Controls do that. You should also use Mac OS Keychain API and not reinvent the wheel if at all possible. I'm not an expert on Keychain, so I can't point you to the right API calls, sorry. -- Gleb Dolgich http://pixelespressoapps.com On 30 Dec 2009, at 19:23, Mr. Gecko wrote: But then the child/teenager, if they know about keychain they could check it and find the key. Unless there is a way to prevent them from seeing it. Speaking of keychain, can you recommend me a good public domain keychain framework? I currently wrote my own and on some computers, the keychain didn't work, the only thing they all had in common was 1password. On Dec 30, 2009, at 1:19 PM, Gleb Dolgich wrote: You could store the generated key in a keychain. This way you wouldn't have to ask for the password to access the encryption key. On 30 Dec 2009, at 18:58, Mr. Gecko wrote: But then how would I get the data? If the key has to do with the password, then how can I get the parental settings and respond to them. On Dec 30, 2009, at 12:51 PM, Gleb Dolgich wrote: Perhaps a better way would be to ask for a password once the user is authenticated, and then generate an AES key using that password, instead of storing encryption key inside your program. With you current scheme, if anyone breaks your 'common' key, everyone will be able to circumvent your parental protection. ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On Dec 30, 2009, at 11:59 AM, Mr. Gecko wrote: This is basically for Parental Controls, I know I could ask for a password at first, but then any kid could grab a copy and set their own password. What I'm doing is I'm asking for them to authenticate with Mac OS X, and then once they are authenticated, I'm allowing them to set settings that are encrypted with a key in AES. You might consider using Authorization Services for this, instead of rolling your own. See: http://developer.apple.com/mac/library/technotes/tn2002/tn2095.html It uses a parental-control mechanism as an example of one of the things that Authorization Services can be used for. Cheers, Ken ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
It's ether that you don't understand what I'm doing, or I don't understand that. Here is the full story. I am using Apple's SFAuthorizationView to find out if the user is an administrator. If they are an admin, I allow them to modify the settings, when they save I am saving the settings in AES with 2 keys, 1 randomly generated and saved in AES encrypted by the first key and the other in the binary. Although nobody has cracked it yet, I can't have the first key in the open. Things I can't do. I can't ask for a password to use to encrypt, as I won't be able to find out what the settings are. I can't store it in the keychain as a password as if I do it'll be open if the kid/teenager knows the password to the user he/her is in. Things I can do. I can store it in the keychain as a key if someone could send me a link to an example on how to do that. I can encode the key in a way that only if you have the source code, you can find out, like make my own md5 algorithm and only if you know that algorithm, you can get the actual key. But to do that, I'll need to find a algorithm in cocoa that is public domain so I can modify it. Hope this clears things up, Mr. Gecko On Dec 30, 2009, at 3:33 PM, Ken Thomases wrote: On Dec 30, 2009, at 11:59 AM, Mr. Gecko wrote: This is basically for Parental Controls, I know I could ask for a password at first, but then any kid could grab a copy and set their own password. What I'm doing is I'm asking for them to authenticate with Mac OS X, and then once they are authenticated, I'm allowing them to set settings that are encrypted with a key in AES. You might consider using Authorization Services for this, instead of rolling your own. See: http://developer.apple.com/mac/library/technotes/tn2002/tn2095.html It uses a parental-control mechanism as an example of one of the things that Authorization Services can be used for. Cheers, Ken smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
Just as a word of advise. This is a public list that's indexed by search engines. So don't reveal anything here that you'd want to keep private. I'm not advising security through obscurity. If you use keychains or similar systems, knowing how it works won't help cracking anyway. But just in case, don't talk about the name of your app maybe :) Le 30 déc. 2009 à 22:33, Ken Thomases k...@codeweavers.com a écrit : On Dec 30, 2009, at 11:59 AM, Mr. Gecko wrote: This is basically for Parental Controls, I know I could ask for a password at first, but then any kid could grab a copy and set their own password. What I'm doing is I'm asking for them to authenticate with Mac OS X, and then once they are authenticated, I'm allowing them to set settings that are encrypted with a key in AES. You might consider using Authorization Services for this, instead of rolling your own. See: http://developer.apple.com/mac/library/technotes/tn2002/tn2095.html It uses a parental-control mechanism as an example of one of the things that Authorization Services can be used for. Cheers, Ken ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/cepakare%40gmail.com This email sent to cepak...@gmail.com ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On Dec 30, 2009, at 3:56 PM, Mr. Gecko wrote: It's ether that you don't understand what I'm doing, or I don't understand that. Here is the full story. I am using Apple's SFAuthorizationView to find out if the user is an administrator. If they are an admin, I allow them to modify the settings, when they save I am saving the settings in AES with 2 keys, 1 randomly generated and saved in AES encrypted by the first key and the other in the binary. Although nobody has cracked it yet, I can't have the first key in the open. The question is: is the AES encryption stuff central to what you're trying to achieve, or is it just your way of enforcing the parental controls? If it's the latter, then you may be able to ditch the encryption scheme entirely and use Authorization Services to replace it as the means for implementing parental controls. Authorization Services is not _just_ about proving that a user is an administrator or acquiring system privileges. You can also use it to make a self-restricted app, like one which implements parental control. Regards, Ken ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
So are you saying I could use authorization service to store things with the user's authorization and get them back without the user's authentication? If so, is there an example app I can look into and figure it out? Basically my means of AES is to prevent the user from changing the settings without the application and being an administrator. On Dec 30, 2009, at 5:06 PM, Ken Thomases wrote: On Dec 30, 2009, at 3:56 PM, Mr. Gecko wrote: It's ether that you don't understand what I'm doing, or I don't understand that. Here is the full story. I am using Apple's SFAuthorizationView to find out if the user is an administrator. If they are an admin, I allow them to modify the settings, when they save I am saving the settings in AES with 2 keys, 1 randomly generated and saved in AES encrypted by the first key and the other in the binary. Although nobody has cracked it yet, I can't have the first key in the open. The question is: is the AES encryption stuff central to what you're trying to achieve, or is it just your way of enforcing the parental controls? If it's the latter, then you may be able to ditch the encryption scheme entirely and use Authorization Services to replace it as the means for implementing parental controls. Authorization Services is not _just_ about proving that a user is an administrator or acquiring system privileges. You can also use it to make a self-restricted app, like one which implements parental control. Regards, Ken smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On Dec 30, 2009, at 5:15 PM, Mr. Gecko wrote: On Dec 30, 2009, at 5:06 PM, Ken Thomases wrote: On Dec 30, 2009, at 3:56 PM, Mr. Gecko wrote: I am using Apple's SFAuthorizationView to find out if the user is an administrator. If they are an admin, I allow them to modify the settings, when they save I am saving the settings in AES with 2 keys, 1 randomly generated and saved in AES encrypted by the first key and the other in the binary. Although nobody has cracked it yet, I can't have the first key in the open. The question is: is the AES encryption stuff central to what you're trying to achieve, or is it just your way of enforcing the parental controls? If it's the latter, then you may be able to ditch the encryption scheme entirely and use Authorization Services to replace it as the means for implementing parental controls. Authorization Services is not _just_ about proving that a user is an administrator or acquiring system privileges. You can also use it to make a self-restricted app, like one which implements parental control. So are you saying I could use authorization service to store things with the user's authorization and get them back without the user's authentication? You can store a very limited, specific kind of thing: right entries in the authorization policy database. You can then use those to govern the behavior of your program for other (non-admin) users. Basically my means of AES is to prevent the user from changing the settings without the application and being an administrator. Again, it's not clear to me if the settings in question are _just_ the parentally-controlled policies of who can do what within your software or if it's something else. If you're just looking for a means to let a parent configure access settings that control what kids can do with your software, then Authorization Services can work for that. Another interpretation of what you just said is that you just want to store some data when the parent is running your app but, when a kid is running it, to have them be able to read but not modify that data. If that's all you want, then you can use administrator privileges to write a file that has everyone-read, only-admin-write permissions. I don't see why you'd need encryption for that. Frankly, the authopen tool should suffice. If so, is there an example app I can look into and figure it out? http://developer.apple.com/Mac/library/samplecode/AuthForAll/index.html Regards, Ken ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On Dec 30, 2009, at 5:33 PM, Ken Thomases wrote: On Dec 30, 2009, at 5:15 PM, Mr. Gecko wrote: So are you saying I could use authorization service to store things with the user's authorization and get them back without the user's authentication? You can store a very limited, specific kind of thing: right entries in the authorization policy database. You can then use those to govern the behavior of your program for other (non-admin) users. Basically the only thing I need to store is strings for like if safe search is enabled, or if the user can view things that has adult content. Basically my means of AES is to prevent the user from changing the settings without the application and being an administrator. Again, it's not clear to me if the settings in question are _just_ the parentally-controlled policies of who can do what within your software or if it's something else. If you're just looking for a means to let a parent configure access settings that control what kids can do with your software, then Authorization Services can work for that. Another interpretation of what you just said is that you just want to store some data when the parent is running your app but, when a kid is running it, to have them be able to read but not modify that data. If that's all you want, then you can use administrator privileges to write a file that has everyone-read, only-admin-write permissions. I don't see why you'd need encryption for that. Frankly, the authopen tool should suffice. Hmm, now that's an idea, basically I don't want the user to change it without admin permissions so if I save it as root and give access to everyone else, it will solve my problem. Thank you, but the question on how the iPhone encrypts the strings, is still in mind, if anyone has an answer, I'll be happy to know. If so, is there an example app I can look into and figure it out? http://developer.apple.com/Mac/library/samplecode/AuthForAll/index.html Regards, Ken smime.p7s Description: S/MIME cryptographic signature ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Encrypting Binary Strings
On Dec 30, 2009, at 5:42 PM, Mr. Gecko wrote: On Dec 30, 2009, at 5:33 PM, Ken Thomases wrote: On Dec 30, 2009, at 5:15 PM, Mr. Gecko wrote: So are you saying I could use authorization service to store things with the user's authorization and get them back without the user's authentication? You can store a very limited, specific kind of thing: right entries in the authorization policy database. You can then use those to govern the behavior of your program for other (non-admin) users. Basically the only thing I need to store is strings for like if safe search is enabled, or if the user can view things that has adult content. This sounds like exactly what Authorization Services is for. You should really read the tech note and the sample code, but here's my explanation: You identify the areas of your app where you need to decide is this allowed or not? For each independent allowable action (or set of actions), you pick a name, using reverse-DNS-style names to keep yours unique. These names are for rights. Some predefined rights you may already be familiar with because they represent system privileges. However, you may create any new rights you like just by inventing a name for them. In your app's code, at each place where the app has to either allow or disallow an action, you attempt to obtain the right using your made-up name. If it succeeds in obtaining the right, your app should allow the action; otherwise, disallow it. By default, since the system doesn't know about your rights, obtaining them will require administrator privileges. So, where's the part where a parent gets to enable actions for kids who don't have administrator privileges? Your app does that by adding new entries in the system's policy database for your made-up rights. To add those entries requires administrator privileges, which is why only a parent (or admin) can do it. But the parent can add a policy giving all users from a particular group the ability to obtain any of the rights you've made up. (The parent doesn't have to know anything about the policy database or rights or whatever. Your app does that, but uses the parent's administrator authorization to do so.) Regards, Ken ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com