Running a root process.

Sherm Pendley <spamtrap.RemoveThis@dot-app.org> wrote:
# SM Ryan <wyrmwif.RemoveThis@tango-sierra-oscar-foxtrot-tango.fake.org> writes:
#
# > but after repeated attempts to get through Apple's documentation
# > I don't know if the function exists or is possible.
#
# How many attempts does it take to enter "authorization" in the search box
# at <http://developer.apple.com>, and follow the first link listed?

Already did. It leads to morass of pages that do not obviously
answer the question, 'can I create a uid root process without
a setuid root executable?' Possibly someone already does know if this
is possible and could possibly point me directly to where to look
instead of throwing IM:7 at me at declaring the answer is in there.
Somewhere.

You obviously don't know the answer, which makes me wonder
why you're wasting your own time trying to be smart aleck but only
showing your own ignorance.

--
SM Ryan http://www.rawbw.com/~wyrmwif/
Death is the worry of the living. The dead, like myself,
only worry about decay and necrophiliacs.

SM Ryan <wyrmwif.TakeThisOut@tango-sierra-oscar-foxtrot-tango.fake.org> wrote:
> You obviously don't know the answer, which makes me wonder
> why you're wasting your own time trying to be smart aleck but only
> showing your own ignorance.

Well, I was going to post a link to sample code until I saw this bit.
Instead, *plonk*.

--
Michael Ash
Rogue Amoeba Software

SM Ryan <wyrmwif DeleteThis @tango-sierra-oscar-foxtrot-tango.fake.org> writes:

> Sherm Pendley <spamtrap DeleteThis @dot-app.org> wrote:
> # SM Ryan <wyrmwif DeleteThis @tango-sierra-oscar-foxtrot-tango.fake.org> writes:
> #
> # > but after repeated attempts to get through Apple's documentation
> # > I don't know if the function exists or is possible.
> #
> # How many attempts does it take to enter "authorization" in the search box
> # at <http://developer.apple.com>, and follow the first link listed?
>
> Already did. It leads to morass of pages that do not obviously
> answer the question, 'can I create a uid root process without
> a setuid root executable?'

You've got to be kidding me. The first link leads to an article titled
"Introduction to Performing Privileged Operations With Authorization
Services". Chapter 3 has step by step instructions - if you want to do
this, read that, etc.

How much more obvious do you want it? Did you expect flashing neon GIFs
with blinking arrows saying "SM Ryan, look here"?

> Possibly someone already does know if this
> is possible and could possibly point me directly to where to look

I do, and I did.

> You obviously don't know the answer

I must have missed the "reverse psychology" lecture in Trolling 101 - is
this the part where I'm supposed to write your code for you just to prove
to that I can?

> which makes me wonder
> why you're wasting your own time trying to be smart aleck

I wasn't trying to be a smart aleck, I was trying to point you to the docs
that will answer your question, and encourage you to look there first in the
future. Better for you, better for the group. Teaching you to fish instead
of giving you a fish, and all that.

But you're right about one thing - trying to help someone who doesn't want
to be helped is certainly a waste of time.

*plonk*

sherm--

--
Web Hosting by West Virginians, for West Virginians: http://wv-www.net
Cocoa programming in Perl: http://camelbones.sourceforge.net

In article <130b7l66kha8f20.TakeThisOut@corp.supernews.com>,
SM Ryan <wyrmwif.TakeThisOut@tango-sierra-oscar-foxtrot-tango.fake.org> wrote:

> I would like to do some code like edit Apache configuration
> that requires uid root. What I can do is just install a setuid
> root and just make the changes unannounced. What I would like
> to do use some function like this
>
> suexec(...) - Display the security dialog and on successful
> identification as an administrator user and password,
> exec the program ... as setuid root.
>
> but after repeated attempts to get through Apple's documentation
> I don't know if the function exists or is possible. Because I do
> have a setuid root installer, I can install setuid root programs,
> I just think it's bad form to run setuid root without the computer's
> owner realizing that I'm doing so and authourising it.

<http://developer.apple.com/samplecode/Security/idxAuthorization-date.html>

hth

Ben

--
If this message helped you, consider buying an item
from my wish list: <http://artins.org/ben/wishlist>

I changed my name: <http://periodic-kingdom.org/People/NameChange.php>

Posted response for google archiving.

# I would like to do some code like edit Apache configuration
# that requires uid root. What I can do is just install a setuid
# root and just make the changes unannounced. What I would like
# to do use some function like this
#
# suexec(...) - Display the security dialog and on successful
# identification as an administrator user and password,
# exec the program ... as setuid root.
#

The answer is AuthorizationExecuteWithPrivileges.


Sherm Pendley <spamtrap DeleteThis @dot-app.org> wrote:

Thanks for directing me to the specific function so I didn't have to wade
through a bunch of irrelevant (to a very specific question) issues about
authorisation and authentication and security servers. It must an Apple
cultural issue to spend an hour not answerring a question that only takes
five seconds to answer.

(Now that I have the function name, I can read the interface and
understand Apple's entire philosophy on setuid programs, never explicitly
stated before, and understand how their security framework rests on that
philosophy and then proceed knowing where I am going to end up, instead
having to meander page after page not knowing if I can even do what I want
to do or if I will spend a week of studying only then to learn if I have
to abandon my strategy. So, yeah, thanks.)

--
SM Ryan http://www.rawbw.com/~wyrmwif/
If your job was as meaningless as theirs, wouldn't you go crazy too?

SM Ryan <wyrmwif.RemoveThis@tango-sierra-oscar-foxtrot-tango.fake.org> writes:

Tsoft, eh? I'll remember that, and make note not to use their products, now
that I've seen their programmers' attitude towards security.

> Posted response for google archiving.

This whole thread is archived. Google knows what I really said - and now it
also knows that you have a habit of misquoting people.

> # I would like to do some code like edit Apache configuration
> # that requires uid root. What I can do is just install a setuid
> # root and just make the changes unannounced. What I would like
> # to do use some function like this
> #
> # suexec(...) - Display the security dialog and on successful
> # identification as an administrator user and password,
> # exec the program ... as setuid root.
> #
>
> The answer is AuthorizationExecuteWithPrivileges.

Try reading the documentation I pointed you to. It describes when to use
that function, when not to, and why it's a bad idea to use it for what
you're describing above.

> Sherm Pendley <spamtrap.RemoveThis@dot-app.org> wrote:

I didn't write a single word of what you're attributing to me here.

> Thanks for directing me to the specific function so I didn't have to wade
> through a bunch of irrelevant (to a very specific question) issues about
> authorisation and authentication and security servers.

The reason I *didn't* point you directly to that function is that the overview
is far from irrelevant. You've ignored the important parts. By doing so, you
run the risk of opening up security flaws in your app.

In other words, your stubborn refusal to read the appropriate docs will
increase your users' risk of having their machines pwn3d. Unless that's
exactly what you want, I strongly suggest that you read the docs to which
I referred you.

> (Now that I have the function name, I can read the interface and
> understand Apple's entire philosophy on setuid programs, never explicitly
> stated before

Actually, by skipping the intro material and going straight to the interface,
you've entirely *missed* the philosophy. To understand that, you'll need to
read the doc I pointed out to you.

> , and understand how their security framework rests on that
> philosophy and then proceed knowing where I am going to end up, instead
> having to meander page after page

Meander page after page? What are you talking about? I pointed you to exactly
the page you needed. It wasn't the one you *wanted*, but that's a different
kettle of fish.

Your basic premise is flawed; what you asked for would not have helped. What
*would* have helped is doing as I suggested, searching Apple's developer site
for "authorization", and reading the *entire* overview that's the first link
returned by that search.

> So, yeah, thanks.

You're quite welcome.

sherm--

--
Web Hosting by West Virginians, for West Virginians: http://wv-www.net
Cocoa programming in Perl: http://camelbones.sourceforge.net

Thanks for the reference.

Ben Artin <macdev RemoveThis @artins.org> wrote:
# In article <130b7l66kha8f20 RemoveThis @corp.supernews.com>,
# SM Ryan <wyrmwif RemoveThis @tango-sierra-oscar-foxtrot-tango.fake.org> wrote:
#
# > I would like to do some code like edit Apache configuration
# > that requires uid root. What I can do is just install a setuid
# > root and just make the changes unannounced. What I would like
# > to do use some function like this
# >
# > suexec(...) - Display the security dialog and on successful
# > identification as an administrator user and password,
# > exec the program ... as setuid root.
# >
# > but after repeated attempts to get through Apple's documentation
# > I don't know if the function exists or is possible. Because I do
# > have a setuid root installer, I can install setuid root programs,
# > I just think it's bad form to run setuid root without the computer's
# > owner realizing that I'm doing so and authourising it.
#
# <http://developer.apple.com/samplecode/Security/idxAuthorization-date.html>
#
# hth
#
# Ben
#
# --
# If this message helped you, consider buying an item
# from my wish list: <http://artins.org/ben/wishlist>
#
# I changed my name: <http://periodic-kingdom.org/People/NameChange.php>

--
SM Ryan http://www.rawbw.com/~wyrmwif/
Elvis was an artist. But that didn't stop him from joining the service
in time of war. That's why he is the king, and you're a shmuck.