
[MBS] Another AuthorizationMBS Question (MBS Xojo Plugin Mailinglist archive)


[MBS] Another AuthorizationMBS Question
Date: 16.02.06 20:10 (Thu, 16 Feb 2006 11:10:53 -0800)
From: Peter Truskier
I am trying to allow a user to execute a launchctl job (Mac OS X
10.4.5). The following works just fine when executed in Terminal
(after I enter the admin password, of course):

> sudo launchctl start com.foo.bar
>

but, I cannot seem to get it to work with this RB code:

> dim Auth AS New AuthorizationMBS
> dim params(1) as string
>
> if Auth.SimpleNewAuthorization then
> params(0) = "start"
> params(1) = "com.foo.bar"
> Auth.Execute("/bin/launchctl",params)
> if Auth.LastError<>0 then
> MsgBox "Lasterror on Execute: "+str(Auth.LastError)
> end if
> end if
>

the LastError is always 0, but the process does not start. In
Activity Viewer, I do see an instance of launchd run for a few
minutes under my (non-root) account, and it then disappears.

What am I missing?

--Peter
_______________________________________________
Mbsplugins_monkeybreadsoftware.info mailing list
<email address removed>
http://ml01.ispgateway.de/mailman/listinfo/mbsplugins_monkeybreadsoftware.info

Re: [MBS] Another AuthorizationMBS Question
Date: 16.02.06 22:16 (Thu, 16 Feb 2006 22:16:19 +0100)
From: Christian Schmitz
Peter Truskier <<email address removed>> wrote:

> I am trying to allow a user to execute a launchctl job (Mac OS X
> 10.4.5). The following works just fine when executed in Terminal
> (after I enter the admin password, of course):

I think you should do the shell script way as in the examples.

Mfg
Christian

Re: [MBS] Another AuthorizationMBS Question
Date: 17.02.06 04:51 (Thu, 16 Feb 2006 19:51:48 -0800)
From: Peter Truskier
On Feb 16, 2006, at 1:16 PM, Christian Schmitz wrote:

> Peter Truskier <<email address removed>> wrote:
>
>> I am trying to allow a user to execute a launchctl job (Mac OS X
>> 10.4.5). The following works just fine when executed in Terminal
>> (after I enter the admin password, of course):
>
> I think you should do the shell script way as in the examples.
>
> Mfg
> Christian

Well, I still can't get it to work. If I create a shell script with a
"whoami" command, it DOES report that it's running as root, and yet
when I run launchctl from the shell script, an instance of launchd
appears in the process list being run by MY account, which won't
work; only root will do.

Is this something special about launchctl/launchd?

Thanks,

Peter

Re: [MBS] Another AuthorizationMBS Question
Date: 17.02.06 13:31 (Fri, 17 Feb 2006 13:31:01 +0100)
From: Christian Schmitz
Peter Truskier <<email address removed>> wrote:

> Is this something special about launchctl/launchd?

You may go and ask Apple about this.

Mfg
Christian

Re: [MBS] Another AuthorizationMBS Question
Date: 20.02.06 08:31 (Mon, 20 Feb 2006 00:31:24 -0700)
From: Tim Jones
Hi Peter,

To jump in here, I suspect your issue is caused by the command
started by the call to Auth.Execute is only running with the
effective uid set to root rather than the real uid (as witnessed by
your recognized short-lived instance of launchd). This is what I
uncovered in my experimentation. I suspect that if we had a better
understanding of how the elements of the AuthorizationItemMBS members
were supposed to be used, we could probably create an authorization
instance that allowed us to properly execute the task with the real
root user ID.

The only way that I've found to guarantee that you can run the tool
as a true root process is to generate a mock-up of the authorization
dialog, save the user's password and then use sudo in a shell:

myShell.Execute "echo " + mypassword + " | sudo -S " + command

This does give the result we're looking for, but the password can be
seen in a 'ps' output. The way around that has been to make the run
2 execute commands like this:

myShell.Execute "echo " + mypassword + " | sudo -S ls -l /etc/hosts"
myShell.Execute "sudo " + command

The first sudo of the ls -l happens so quickly that it would be very
tough to catch. The second command can then run without prompting
for a password. It's then a good idea to follow the exit of the
second command with a call to "sudo -k" to clear the sudo state.

Of course, the limitation to this is that the user running the tool
must have admin privileges enabled by default as you can't sudo as
someone else from a current account to root.

Hopefully, Christian or someone will respond to my request for more
info and an example that could help us get beyond this limitation of
the current Simple auth examples.

Tim

On Feb 16, 2006, at 12:10 PM, Peter Truskier wrote:

> I am trying to allow a user to execute a launchctl job (Mac OS X
> 10.4.5). The following works just fine when executed in Terminal
> (after I enter the admin password, of course):
>
>> sudo launchctl start com.foo.bar
>>
> but, I cannot seem to get it to work with this RB code:
>
>> dim Auth AS New AuthorizationMBS
>> dim params(1) as string
>>
>> if Auth.SimpleNewAuthorization then
>> params(0) = "start"
>> params(1) = "com.foo.bar"
>> Auth.Execute("/bin/launchctl",params)
>> if Auth.LastError<>0 then
>> MsgBox "Lasterror on Execute: "+str(Auth.LastError)
>> end if
>> end if
>>
> the LastError is always 0, but the process does not start. In
> Activity Viewer, I do see an instance of launchd run for a few
> minutes under my (non-root) account, and it then disappears.
>
> What am I missing?
>
> --Peter
> _______________________________________________
> Mbsplugins_monkeybreadsoftware.info mailing list
> <email address removed>
> http://ml01.ispgateway.de/mailman/listinfo/
> mbsplugins_monkeybreadsoftware.info

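An added example (not part of any post in this thread, and not MBS or Xojo code): the `ps` exposure described above comes from pasting the password into the shell command string, and the sketch below contrasts that with writing the password to the child's stdin pipe so that no argument list ever contains it. The helper names, the stand-in child process used in place of sudo, and the sample password are assumptions constructed for illustration.

```python
import json
import subprocess
import sys

def argv_concatenated(password, command):
    """The pattern quoted in the thread: the secret is pasted into the sh -c string."""
    return ["/bin/sh", "-c", "echo " + password + " | sudo -S " + command]

def argv_stdin(command_args):
    """sudo -S still reads the password from stdin, but argv carries no secret.
    -p '' suppresses the prompt text; '--' ends sudo's own options."""
    return ["sudo", "-S", "-p", "", "--"] + list(command_args)

def secret_in_argv(argv, password):
    """True if the secret would be visible to anyone listing processes."""
    return any(password in arg for arg in argv)

def run_feeding_stdin(argv, password):
    """Start argv directly (no shell) and write the password to its stdin pipe."""
    proc = subprocess.run(argv, input=password + "\n",
                          capture_output=True, text=True, check=True)
    return proc.stdout

# Constructed stand-in for sudo so the example runs without privileges:
# it reads one line from stdin and reports its own arguments.
STAND_IN = [sys.executable, "-c",
            "import sys, json; pw = sys.stdin.readline().rstrip('\\n'); "
            "print(json.dumps({'argv': sys.argv[1:], 'chars_read': len(pw)}))"]

def demo(password="correct horse; battery"):
    # Constructed sample value. It contains a space and ';', which the
    # concatenated form would also hand to sh unquoted.
    job = ["/bin/launchctl", "start", "com.foo.bar"]
    report = json.loads(run_feeding_stdin(STAND_IN + job, password))
    return {
        "concatenated_leaks": secret_in_argv(
            argv_concatenated(password, " ".join(job)), password),
        "stdin_leaks": secret_in_argv(argv_stdin(job), password),
        "child_argv": report["argv"],
        "chars_read": report["chars_read"],
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated form is only built and inspected, never run. To use the stdin form for real, pass `argv_stdin(job)` to `run_feeding_stdin` in place of the stand-in, and follow it with `sudo -k` as suggested in the thread.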

Re: [MBS] Another AuthorizationMBS Question
Date: 20.02.06 16:43 (Mon, 20 Feb 2006 07:43:00 -0800)
From: Peter Truskier
Tim,

Thanks for your note.

I guess you've hit the nail on the head. Like you, I also tried to
get the "non-simple" authorization to work, but couldn't.

I have created a "fake" authorization dialog, and have that working.
I use an interactive shell, so as far as I can tell, the password is
not exposed anywhere like the process list. This is working well so
far, and I have a lot of other work to do on this project, so I'm
going to leave it at that for the moment. If you discover anything
further, I'd love to hear about it, and I will do the same.

Thanks again,

Peter

On Feb 19, 2006, at 11:31 PM, Tim Jones wrote:

> Hi Peter,
>
> To jump in here, I suspect your issue is caused by the command
> started by the call to Auth.Execute is only running with the
> effective uid set to root rather than the real uid (as witnessed by
> your recognized short-lived instance of launchd). This is what I
> uncovered in my experimentation. I suspect that if we had a better
> understanding of how the elements of the AuthorizationItemMBS members
> were supposed to be used, we could probably create an authorization
> instance that allowed us to properly execute the task with the real
> root user ID.
>
> The only way that I've found to guarantee that you can run the tool
> as a true root process is to generate a mock-up of the authorization
> dialog, save the user's password and then use sudo in a shell:
>
> myShell.Execute "echo " + mypassword + " | sudo -S " + command
>
> This does give the result we're looking for, but the password can be
> seen in a 'ps' output. The way around that has been to make the run
> 2 execute commands like this:
>
> myShell.Execute "echo " + mypassword + " | sudo -S ls -l /etc/hosts"
> myShell.Execute "sudo " + command
>
> The first sudo of the ls -l happens so quickly that it would be very
> tough to catch. The second command can then run without prompting
> for a password. It's then a good idea to follow the exit of the
> second command with a call to "sudo -k" to clear the sudo state.
>
> Of course, the limitation to this is that the user running the tool
> must have admin privileges enabled by default as you can't sudo as
> someone else from a current account to root.
>
> Hopefully, Christian or someone will respond to my request for more
> info and an example that could help us get beyond this limitation of
> the current Simple auth examples.
>
> Tim
>
> On Feb 16, 2006, at 12:10 PM, Peter Truskier wrote:
>
>> I am trying to allow a user to execute a launchctl job (Mac OS X
>> 10.4.5). The following works just fine when executed in Terminal
>> (after I enter the admin password, of course):
>>
>>> sudo launchctl start com.foo.bar
>>>
>> but, I cannot seem to get it to work with this RB code:
>>
>>> dim Auth AS New AuthorizationMBS
>>> dim params(1) as string
>>>
>>> if Auth.SimpleNewAuthorization then
>>> params(0) = "start"
>>> params(1) = "com.foo.bar"
>>> Auth.Execute("/bin/launchctl",params)
>>> if Auth.LastError<>0 then
>>> MsgBox "Lasterror on Execute: "+str(Auth.LastError)
>>> end if
>>> end if
>>>
>> the LastError is always 0, but the process does not start. In
>> Activity Viewer, I do see an instance of launchd run for a few
>> minutes under my (non-root) account, and it then disappears.
>>
>> What am I missing?
>>
>> --Peter
