在 Mac 应用程序中提升至管理员权限
我正在制作一个简单的应用程序,可让您快速输入要运行的 shell 命令。 它工作得很好,但是存在 sudo 命令的问题。 目前,它检测到 sudo 命令,然后我尝试让它打开用户密码的授权窗口,就像您在安装程序中看到的那样。
这是检测到它是 sudo 命令后的代码:
SFAuthorization *authorization = [[SFAuthorization alloc] initWithFlags:kAuthorizationFlagPreAuthorize rights:NULL environment:kAuthorizationEmptyEnvironment];
if ([authorization obtainWithRight:"com.mycompany.myapplication" flags:kAuthorizationFlagPreAuthorize error:nil]){
//authorized, now run the command using NSTask.
}else{
//fail
}
现在,据我所知,这是完全错误的。这只是我从文档中拼凑出来的内容。有什么想法吗?
I am making a simple application that lets you quickly enter a shell command to be run.
It works perfectly, however there is the problem of sudo commands.
Currently, it detects a sudo command, and then I try and get it to bring up an authorization window for the user's password, exactly like you would see in Installer.
Here's the code once it detects it is a sudo command:
SFAuthorization *authorization = [[SFAuthorization alloc] initWithFlags:kAuthorizationFlagPreAuthorize rights:NULL environment:kAuthorizationEmptyEnvironment];
if ([authorization obtainWithRight:"com.mycompany.myapplication" flags:kAuthorizationFlagPreAuthorize error:nil]){
//authorized, now run the command using NSTask.
}else{
//fail
}
Now, as far as I know, this is totally and completely wrong. This is just what I pieced together from the documentation. Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您将需要使用 AuthorizationExecuteWithPrivileges 函数,如下所示:
鉴于 BSD 是一朵娇嫩且脾气暴躁的花,我建议不要让用户以 root 身份从应用程序执行任意命令。
/lecture
如果您想限制自己的用户使用自己的程序的功能,则示例中的代码是要走的路的开始。例如,您可能有一个仅允许某些用户更改已保存文件中的数据的应用程序。因此,您需要在安全数据库“com.mycompany.LibraryApp.AlterData”中创建一个条目,并检查用户在尝试更改数据时是否具有该权限。但这是一个完全不同的话题...
希望有帮助,
-p。
You'll want to use the AuthorizationExecuteWithPrivileges function, like this:
Given that BSD is a delicate and grumpy flower I'd recommend not letting a user execute commands arbitrary from the app as root.
/lecture
The code from your example is the beginnings of the way to go if you want to limit the functions of your own program from it's own users. For example, you might have an app that only lets certain users alter data from a saved file. So you'd create an entry in the security database 'com.mycompany.LibraryApp.AlterData' and check to see if the user has that privilege when they try to change the data. But that's a whole different topic...
Hope that helps,
-p.
我知道这是一个非常古老的问题,但对于那些仍在寻找答案的人来说,这里是。 (它使用AppleScript)
当然,用你的脚本替换[YOUR SCRIPT HERE],并确保以可可的方式转义字符串。
如需进一步解释,请评论。
I know it is a really old question, but to those still looking for an answer, here goes. (It uses AppleScript)
Of, course, replace [YOUR SCRIPT HERE] with your script, and be sure to escape the string, the cocoa way.
For further explanation, please comment.
安全很难。我可以解释文档并提供代码片段,但我可能是错的。更糟糕的是,即使我的高级描述是正确的,代码片段中很可能存在一个会破坏安全性的小错误。
如果您要搞乱权限升级,最好的方法是阅读文档并使用提供的示例。
https://developer.apple.com/mac/library/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html#//apple_ref/doc/uid/TP30000995-CH204-TP1
Security is hard. I could paraphrase the documentation and provide code snippets, but I would likely be wrong. Worse, even if my high level descriptions were right, there would most likely be a tiny bug in the code snippets that would kill security.
If you are going to mess with privilege escalation, the best approach is to read the docs and use the provided samples.
https://developer.apple.com/mac/library/documentation/Security/Conceptual/authorization_concepts/01introduction/introduction.html#//apple_ref/doc/uid/TP30000995-CH204-TP1