On Jun 15, 2011, at 9:17 AM, Sean McBride wrote:

> Hi all,
>
> I need to copy files to /Library/Application Support/My Company. For users
> with lesser privileges, I'll need to prompt for authorization.
>
> (I'm not writing an installer. But within my app, I present an open panel
> for a user to choose a special config file that needs to be stored where any
> user can read it.)
>
> After googling, it seems the best two choices are BetterAuthorizationSample
> and AuthorizationExecuteWithPrivileges().
>
> But I'm not sure which to use.
>
> The BAS example code docs say "You should only use BetterAuthorizationSample
> if your application needs ongoing access to privileged operations. [...] On
> the other hand, if your application needs elevated privileges for a one-off
> task (like installing or uninstalling), you should consider using
> AuthorizationExecuteWithPrivileges directly."
>
> But the docs for AEWP say "This function poses a security concern because it
> will indiscriminately run any tool or application, severely increasing the
> security risk. You should avoid the use of this function if possible." but
> also "You should use this function only to allow installers to run as root".
>
> BAS seems quite complicated, but reading between the lines it seems AEWP is
> discouraged.
>
> Anyone tried both? Any advice?

You'll probably get a better answer on the apple-cdsa list, since that list is for discussion of the Security framework.

But if you're just going to make a one-off invocation of /bin/cp or some other tool in /bin or /usr/bin or /sbin or whatever, then using AEWP() to directly invoke the tool is probably going to be okay. The danger in AEWP() is executing something that might do something malicious, but I think you can trust that what's installed in /bin isn't going to trigger a r00tkit. I've never had any problems directly invoking AEWP() in my SixtyFourSwitcher preference pane.

Nick Zitzmann
<http://www.chronosnet.com/>
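
The one-off /bin/cp invocation discussed in this thread, as an added example that is not code from either poster: it calls AEWP() with a fixed absolute tool path and an argv array, so no shell or PATH lookup is involved. CopyFileAsRoot and its parameters are hypothetical names, and AuthorizationExecuteWithPrivileges has been deprecated since OS X 10.7.

```objc
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>
#import <Security/AuthorizationTags.h>

// Hypothetical helper: copy one user-chosen file into a root-owned directory.
static OSStatus CopyFileAsRoot(NSString *sourcePath, NSString *destDir)
{
    // Refuse relative paths: the tool runs as root and must not depend on
    // the current working directory of the calling app.
    if (![sourcePath isAbsolutePath] || ![destDir isAbsolutePath])
        return errAuthorizationDenied;

    AuthorizationRef auth = NULL;
    OSStatus status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagDefaults, &auth);
    if (status != errAuthorizationSuccess)
        return status;

    // Acquire the execute right up front so the user is prompted once, here.
    AuthorizationItem item = { kAuthorizationRightExecute, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    AuthorizationFlags flags = kAuthorizationFlagInteractionAllowed |
                               kAuthorizationFlagExtendRights |
                               kAuthorizationFlagPreAuthorize;
    status = AuthorizationCopyRights(auth, &rights,
                                     kAuthorizationEmptyEnvironment, flags, NULL);
    if (status == errAuthorizationSuccess) {
        // "--" ends option parsing so neither path can be read as a cp flag.
        char *args[] = { "--",
                         (char *)[sourcePath fileSystemRepresentation],
                         (char *)[destDir fileSystemRepresentation],
                         NULL };
        FILE *pipe = NULL;
        status = AuthorizationExecuteWithPrivileges(auth, "/bin/cp",
                                                    kAuthorizationFlagDefaults,
                                                    args, &pipe);
        if (status == errAuthorizationSuccess && pipe != NULL) {
            // AEWP returns no pid; draining the pipe to EOF waits for cp to exit.
            char buf[256];
            while (fread(buf, 1, sizeof buf, pipe) > 0) { }
            fclose(pipe);
        }
    }
    // Destroy the acquired rights so nothing later in the process can reuse them.
    AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
    return status;
}
```

A successful status only means the tool was launched; confirm the copy by checking that the file exists in the destination directory afterwards.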