On 25 Jan 2010, at 07:47, vincent habchi wrote:

> On 24 Jan 2010, at 22:31, Todd Heberlein wrote:
>
>>> I want to allow my cocoa app to be only launched by root/admin users.
>>> How can I achieve this?
>>
>> As I think has already been mentioned, the UNIX approach is to set the
>> application's owner as root and then make it only executable by the owner.
>> However, Apple largely discourages programmers from developing Cocoa apps
>> that will be run with root privileges.
>
> I know that, but, up to this point, I have failed to find any reasonable
> reason ;) that could justify this point of view, especially since it is
> always possible to drop root privileges at whatever point, just like postfix
> or named do. I don't see why being root is permissible for CLI apps and not
> for GUI ones.

FWIW, from AppKit release notes:

-------
setuid/setgid apps disallowed

As a security measure, SnowLeopard takes steps to prevent applications that use AppKit from running setuid or setgid. If AppKit detects that it is running issetugid(), the following will happen:

Under 64 bit, it will log a message and then exit(EXIT_FAILURE).

Under 32 bit, it will give the user a chance to authenticate as an administrator. If the attempt succeeds, the app will run as normal; if the user fails to authenticate, or cancels, it will exit(EXIT_FAILURE). If the attempt fails because the authentication dialog could not be shown, then it will perform a linked on or after check. Apps linked before SnowLeopard will be allowed to run; applications linked on or after SnowLeopard will be exited.

This only affects applications that have the setuid or setgid Unix permission bit set, or apps that inherit this bit from a fork() of a setugid app. This does not affect applications run via sudo, su, or normally as root
-------

So unless you think you know better than Apple what you're doing, never run a GUI application with privileges. Gwynne's answer gives you some reasons why this is bad.

-- Jean-Daniel
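
The decision sequence in the release notes quoted above, written out as an added example (not part of the original message and not Apple's code). The names startup_verdict, ids_differ and the enums are hypothetical; comparing real and effective ids is an assumed portable stand-in for issetugid(), which is BSD/macOS-specific.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names, used only for this illustration. */
typedef enum { V_RUN, V_EXIT } verdict;
typedef enum { AUTH_OK, AUTH_DENIED, AUTH_NO_DIALOG } auth_result;

/* Stand-in for issetugid(): a setuid/setgid exec leaves the effective id
   different from the real id. Under sudo, su or a root login both ids are
   already equal, so those launches are not flagged. */
bool ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* Policy as described in the quoted notes:
   64 bit            -> always exit
   32 bit, auth ok   -> run
   32 bit, denied    -> exit
   32 bit, no dialog -> run only if linked before Snow Leopard */
verdict startup_verdict(bool setugid, bool is_64bit,
                        auth_result auth, bool linked_on_or_after) {
    if (!setugid)
        return V_RUN;
    if (is_64bit)
        return V_EXIT;
    switch (auth) {
    case AUTH_OK:        return V_RUN;
    case AUTH_DENIED:    return V_EXIT;
    case AUTH_NO_DIALOG: return linked_on_or_after ? V_EXIT : V_RUN;
    }
    return V_EXIT; /* fail closed on an unknown auth result */
}

int main(void) {
    bool setugid = ids_differ(getuid(), geteuid(), getgid(), getegid());
    /* This guard has no authentication dialog, so it treats auth as denied. */
    if (startup_verdict(setugid, sizeof(void *) == 8, AUTH_DENIED, true) == V_EXIT) {
        fprintf(stderr, "refusing to run setuid/setgid\n");
        return EXIT_FAILURE;
    }
    puts("not setuid/setgid; continuing");
    return EXIT_SUCCESS;
}
```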