Xcode7-Swift-run sudo command with higher privileges

Question

Created Aug ’15

Replies 7

Boosts 0

Views 6.6k

Participants 4

I have compose and application which repairs disks via "fsck_hfs". I would like to make it available for others, but because of the sudo command, it is reporting an error when I try to run it on another account. I need to implement something (like askpass?) to have higher privileges (only for the sudo command)

Here is the code :

let trait2 = "/dev/disk2s2" / 
let sudo : NSTask = NSTask() 
sudo.launchPath = "/usr/bin/sudo" 
sudo.arguments = [ "fsck_hfs","-dfr",trait2 ] 
sudo.launch() 
sudo.waitUntilExit()

I have setup sudoers on my account so it work but if I try with another user, I get the following error message :

Unable to open block device /dev/disk2s2: Permission denied

What should I do to make this app available to others without them needing to do anything else then typing their password?

Thanks

Boost

Answer 1

ahltorp OP

Aug ’15

You should probably look at the Authorization Services API:

https://developer.apple.com/library/mac/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html

That API allows you to run a command as root, and displays a dialog box where the user inputs their password for authorization. There is sample code at that web page, but only for C.

0

Answer 2

DTS Engineer OP

Apple

Aug ’15

What should I do to make this app available to others without them needing to do anything else then typing their password?

On OS X

sudo

is really designed for admin folks working at the command line; it’s not appropriate for writing apps.

ahltorp’s suggestion of Authorization Services was a good one, but I’d extend that with a pointer to the EvenBetterAuthorizationSample (EBAS) sample code.

I specifically recommend that you avoid

AuthorizationExecuteWithPrivileges

. It’s been deprecated for a while now and with good reason: the underlying privileges extension mechanism shown by EBAS,

SMJobBless

, ensures that the user grants the privileges that you request to your code, as opposed to some random, potentially malicious code.

Finally, I moved your question to Core OS > Processes because this stuff is not Swift specific.

Share and Enjoy
—
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 3

Fredo OP

Aug ’15

Thanks to both of you for putting me in the right direction.

Sadly, my knowledge of the C langage is not deep enough to translate the code in swift.

Is there a way to inplement the EvenBetterAuthorizationSample inside an application written in Swift? Is it possible to mix the code between C and Swift?

0

Answer 4

DTS Engineer OP

Apple

Aug ’15

Is there a way to inplement the EvenBetterAuthorizationSample inside an application written in Swift?

The only gotcha that I can think of relates to Swift’s runtime libraries. As I’m sure you’re aware, Swift apps include a a hefty set of runtime libraries. Normally that’s not a problem because Xcode configures every Swift image in the app to point to the same libraries. However, the technique shown by EBAS causes part of your app (the helper tool) to get copied from within your app to

/Library/PrivilegedHelperTools

. That will break the tool’s linkage to the Swift runtime.

I’m not sure if there’s a good way around this.

Is it possible to mix the code between C and Swift?

Yes.

Share and Enjoy
—
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 5

pgw3 OP

Aug ’15

I believe that Xcode is smart enough to embed the runtime libraries into both the main app bundle and directly into the tool's binary when you add a Command Line Tool target to your project.

At least that is what happened to me. I have an app that runs a few things as root with both the main app and the privileged tool completely written in Swift. The privileged part is based on EvenBetterAuthorizationSample and the tool runs without a problem from within /Library/PrivilegedHelperTools after it has been copied there.

One possible downside with using Swift for the privileged tool is that the binary gets quite a bit larger after embedding the libraries (even a basically empty main file generates a binary that is a few MBs large) but that shouldn't really be a major problem nowadays on the OS X side.

/Peter

0

Answer 6

Fredo OP

Aug ’15

Hello pgw3,

What you said is very interresting indeed. Not only because you know how to implement EvenBetterAuthorizationSample but also because you have tested it.

Could you provide more detail on how to implement EvenBetterAuthorizationSample into my application?

I have downloaded the zip file and decompressed it, when I load the project in Xcode7, I get an error message saying :

"Check dependencies

----------------------------

Code Sign error: No code signing identities found: No valid signing identities (i.e. certificate and private key pair) were found."

Does not seems to bad but I don't know what to do next. Should I copy everything into my project? In which folder(s)? What is the code to be entered, and where?

You maybe have a project-exemple that could help me? My app is a Cocoa Application, is not in a storyboard and does not use core data.

I am sorry about all these questions, but I would really enjoy to go further into swift programming and this problem is putting me in a dead-end.

Cheers!

0

Answer 7

pgw3 OP

Aug ’15

It sounds from the error that you have not yet set up your Developer ID properly.

EvenBetterAuthorizationSample is very well documented and if you check the Read Me file under "Building the Sample" it should guide you how to do it.

I would also suggest that you read up on code signing, starting e.g. here: https://developer.apple.com/support/code-signing Understanding code signing is, in my opinion, an important part of being a OS X (and iOS) developer these days and since you are writing an app with possible security implications, I would say that for you it is essential that you understand code signing.

/Peter

0