Authorizing RB Apps with LaunchCFMApp 

Hi.

As everyone knows, RB can't do some things without Authorization (like
getting a socket to listen on ports < 1024 for example).  I managed to
figure out a reasonable solution using the LaunchCFMApp command and
Christian's Authorization classes in the MBS plugin - only, my application
still has to ask the user for Authorization EVERY TIME they want to perform
a privileged task.

In an attempt to improve my workaround I tried a few things with
LaunchCFMApp.  I tried to get my app to re-launch itself using LaunchCFMApp
like before, only this time, I had set the setuid bit (chmod 4777) on the
LaunchCFMApp itself.  I thought, like in the nature of other things with the
setuid bit on, it would act as if you'd put sudo in front of it, which would
be ideal.  All I would have to do then is get the app to re-launch itself,
using LaunchCFMApp when the user clicks on it - no password needed!

To my amazement, after this, my app didn't need to do anything for it to
perform privileged things - it was authorized by default.  This must have
meant that the CFM system uses LaunchCFMApp as a wrapper every time it
launches an application.  It meant that I would only have to ask the user to
authorize once, at which time it would perform chmod on the user's copy of
LaunchCFMApp and from then on, it would behave exactly like a Mach-O app.

You can try this for yourself by executing this in a Terminal:

cd /System/Library/Frameworks/Carbon.framework/Versions/A/Support
sudo chmod 4777 LaunchCFMApp

Type your password and try an RB app!  Remember to put everything back to
the way it was using "chmod 755 LaunchCFMApp" - it's a bit of a security
risk.

There was one fatal flaw though.  Every time my RB app handled a file it
would automatically be owned as root, which is a complete {*filter*} because the
Finder won't let you open any file that the app had touched without a
hassle.

So... My question is this:  how do you use LaunchCFMApp without making
everything owned by root?

Sorry for the long-winded explanation!

Cheers.

--
Charlie Boisseau



Tue, 01 Nov 2005 02:11:38 GMT  
 Authorizing RB Apps with LaunchCFMApp

Quote:

> Hi.

> As everyone knows, RB can't do some things without Authorization (like
> getting a socket to listen on ports < 1024 for example).  I managed to
> figure out a reasonable solution using the LaunchCFMApp command and
> Christian's Authorization classes in the MBS plugin - only, my application
> still has to ask the user for Authorization EVERY TIME they want to
> perform a privileged task.

Well, I learnt that there is a way to store it.
(By using your own rights definition)

And of course your app should not run as Root. Don't do it, as there is
no reason.

If you need to do something as root, make a small C or Perl application
and set it to run as root (setuid) on the first time you run your main
application.

And to get sockets below 1024, simply use the firewall to remap the
port. e.g. from 8000 down to 80.

Mfg
Christian

--
Four thousand functions in one REALbasic plug-in. The MBS Plugin.

<http://www.monkeybreadsoftware.de/realbasic/plugins.html>



Tue, 01 Nov 2005 04:47:41 GMT  
 Authorizing RB Apps with LaunchCFMApp

Quote:
>> As everyone knows, RB can't do some things without Authorization (like
>> getting a socket to listen on ports < 1024 for example).  I managed to
>> figure out a reasonable solution using the LaunchCFMApp command and
>> Christian's Authorization classes in the MBS plugin - only, my application
>> still has to ask the user for Authorization EVERY TIME they want to
>> perform a privileged task.

> Well, I learnt that there is a way to store it.
> (By using your own rights definition)

Great!  Possible implementation in MBS?

Quote:
> And of course your app should not run as Root. Don't do it, as there is
> no reason.

I have 2 Ping tools in the program (the SuperSocket type).  I can put up
with one running in the textual-style from a shell running 'ping', but the
other tool has to be able to receive asynchronous pings, which the 'ping'
command can't do.  I might just download the ping.c source code and make it
return results better.

Quote:
> If you need to do something as root, make a small C or Perl application
> and set it to run as root (setuid) on the first time you run your main
> application.

That's what it does. There are three different C programs running in the
background.  The Authorization classes help a lot with these btw - thanks!

Quote:
> And to get sockets below 1024, simply use the firewall to remap the
> port. e.g. from 8000 down to 80.

Do you have an example command for doing that?  I haven't really brought
myself up to speed on ipfw.

The whole process is a real hassle, I wish RS would just develop a Mach-O
compiler for RB.  According to what I've read about the new RB5 compiler, it
wouldn't be too hard.

--
Charlie Boisseau



Tue, 01 Nov 2005 18:36:44 GMT  
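
Added example, not code from the thread or from any poster: a sketch of the small setuid-root C helper suggested in the replies, which performs the one privileged step (binding a port below 1024) and then permanently returns to the invoking user, so files created afterwards are not owned by root. The names `open_listener` and `drop_to_real_user` and the port number 80 are assumptions made for illustration.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP listener on 127.0.0.1:port. Ports below 1024 need euid 0. */
int open_listener(unsigned short port)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up setuid-root privileges and become the invoking user.
 * Group first: setgid() is no longer permitted once the euid is not 0. */
int drop_to_real_user(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;                      /* drop did not take effect */
    if (ruid != 0 && setuid(0) == 0)
        return -1;                      /* root could be regained: refuse */
    return 0;
}

int main(void)
{
    int fd = open_listener(80);         /* assumed port; only root-only step */
    if (drop_to_real_user() != 0) {     /* drop before anything else runs */
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    if (fd < 0) { perror("open_listener"); return 1; }
    printf("listening on fd %d as uid %d\n", fd, (int)geteuid());
    close(fd);
    return 0;
}
```

The helper binary, not the main application or a shared system launcher, is the only file that carries the setuid bit, and it should be root-owned and not writable by other users.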
 