
Author Topic: Root-Rights  (Read 10607 times)

leosok

  • New member
  • *
  • Posts: 9
Root-Rights
« on: April 10, 2012, 01:15:37 am »
Hello All!

I am very glad that after some tweaking Lazarus is running smoothly in my Mac-VM and I got my program ported. So yes, compile anywhere!

My program is supposed to turn off the internet. In Windows I'm using netsh to get this done, in Mac my first guess was "ipconfig set en0 NONE" (which works when done with sudo). In Windows I use a Manifest-File to have my program running with admin rights. How do I accomplish this task in OS X? I don't think I can do it without root-access.

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Root-Rights
« Reply #1 on: April 10, 2012, 08:02:32 am »
Have a look at the wiki:
http://wiki.lazarus.freepascal.org/Executing_External_Programs#Redirecting_input_and_output_and_running_under_root
... There may be an OSX specific equivalent to policykit... not too knowledgeable about OSX...
Want quicker answers to your questions? Read http://wiki.lazarus.freepascal.org/Lazarus_Faq#What_is_the_correct_way_to_ask_questions_in_the_forum.3F

Open source including papertiger OCR/PDF scanning:
https://bitbucket.org/reiniero

Lazarus trunk+FPC trunk x86, Windows x64 unless otherwise specified

Jonas Maebe

  • Hero Member
  • *****
  • Posts: 1059
Re: Root-Rights
« Reply #2 on: April 10, 2012, 01:26:17 pm »
Quote
My program is supposed to turn off the internet. In Windows I'm using netsh to get this done, in Mac my first guess was "ipconfig set en0 NONE" (which works when done with sudo).

The first paragraph of "man ipconfig" reads

Quote
ipconfig is a utility that communicates with the IPConfiguration agent to retrieve and set IP configuration parameters.  It should only be used in a test and debug context.  Using it for any other purpose is strongly discouraged.  Public API's in the SystemConfiguration framework are currently the only supported way to access and control the state of IPConfiguration.

In summary, you should not use it, and use the SystemConfiguration framework instead. How to use it? See http://www.google.com/search?q=site:developer.apple.com+SystemConfiguration

The SystemConfiguration APIs are available via the MacOSAll unit in FPC.


leosok

  • New member
  • *
  • Posts: 9
Re: Root-Rights
« Reply #3 on: April 10, 2012, 01:39:30 pm »
@ Jonas Maebe
Thanks, I'll have a look at that! Still I suppose I'll need root access (for example to write to the hosts-files later)

@BigChimp
This article was it! I don't like the "sudo"-method though - 3rd party software asking for your root password feels awkward. But there is an OS X version of pkit, which is called Authorization Services. Great news is, it seems to be implemented in MacOSAll, although no one seems to have used it so far (according to Google).

I'll try to implement this example: http://michaelobrien.info/blog/2009/07/authorizationexecutewithprivileges-a-simple-example/

I'll keep you updated :-)

Jonas Maebe

  • Hero Member
  • *****
  • Posts: 1059
Re: Root-Rights
« Reply #4 on: April 10, 2012, 01:50:29 pm »
Quote
@ Jonas Maebe
Thanks, I'll have a look at that! Still I suppose I'll need root access (for example to write to the hosts-files later)

If you need to perform a task using elevated privileges, you should use the Authorization framework rather than running an entire application as root. Those APIs are also available via the MacOSAll unit.

leosok

  • New member
  • *
  • Posts: 9
Re: Root-Rights
« Reply #5 on: April 10, 2012, 02:55:59 pm »
Trying to get the AuthorizationCreate running, but I have a very strange error while compiling:

unit1.pas(86,119) Hint: Local variable "myAuthorizationRef" does not seem to be initialized
Undefined symbols:
  "_AuthorizationCreate", referenced from: _UNIT1_TFORM1_$__BUT_GIMMERIGHTSCLICK$TOBJECT in unit1.o
ld: symbol(s) not found
Error: Error while linking

This is my code:

procedure TForm1.but_gimmeRightsClick(Sender: TObject);
var
  myAuthorizationRef: AuthorizationRef;
  myStatus: OSStatus;
begin
  myStatus := AuthorizationCreate(nil, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, myAuthorizationRef);

  if myStatus = errAuthorizationSuccess then
    ShowMessage('created auth!');
end;

Any idea what's wrong here?

Jonas Maebe

  • Hero Member
  • *****
  • Posts: 1059
Re: Root-Rights
« Reply #6 on: April 10, 2012, 03:23:32 pm »
Add {$linkframework Authorization} to your code. The MacOSAll unit contains declarations for routines from many frameworks, but only links to CoreFoundation and Carbon (to avoid making your program automatically dependent on all frameworks for which declarations are provided by simply adding the MacOSAll unit to your uses clause).

leosok

  • New member
  • *
  • Posts: 9
Re: Root-Rights
« Reply #7 on: April 10, 2012, 03:41:03 pm »
@Jonas Maebe:
Thanks a lot for your help, but the Compiler is still not happy:

" ld: framework not found Authorization "


Jonas Maebe

  • Hero Member
  • *****
  • Posts: 1059
Re: Root-Rights
« Reply #8 on: April 10, 2012, 03:57:46 pm »
Sorry, it's part of the security framework, so it has to be {$linkframework Security}

To find out to which framework a particular API belongs, you can search developer.apple.com for the API name.

leosok

  • New member
  • *
  • Posts: 9
Re: Root-Rights
« Reply #9 on: April 10, 2012, 04:16:41 pm »
@Jonas Maebe

It works!

leosok

  • New member
  • *
  • Posts: 9
Re: Root-Rights
« Reply #10 on: June 20, 2012, 04:01:24 am »
Hello everyone,
time has passed, but it took me ages to find a workable solution. I did, and I'm back to share:

Code: [Select]
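uses SysUtils, unix;  // SysUtils: FileExists; unix: fpSystem

[..]

// Make rfile owned by root with the setuid bit set. osascript shows the
// administrator password prompt and runs the commands as root.
procedure rootify(rfile: string);
begin
  if not FileExists(rfile) then
    exit;

  // Wrap the path in single quotes for the shell. A path that itself contains
  // a single quote is not handled by this quoting.
  rfile := '''' + rfile + '''';

  fpSystem('osascript -e "do shell script \"sudo chmod u+s ' + rfile + '; sudo chown root ' + rfile + '; \" with administrator privileges without altering line endings" | sed ''$d''');

  //Application.MessageBox(pchar('rootyfied: '+rfile),'done.',1);
end;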

Some Explanation: As "Authorization framework" did not work for me, and if one looks into Apple's examples, it's more than complicated. What is true, is that you don't want all your application running as root, so you need a helper application to perform "admin"-tasks. But how to set the "sticky bit" (run as root, whatever user starts the application) without asking the user for the password? My code uses AppleScript to ask the user so we have nothing to do with the Authorization and it's as safe as a "setuid" can be. I hope this code will help someone!

leosok

Jonas Maebe

  • Hero Member
  • *****
  • Posts: 1059
Re: Root-Rights
« Reply #11 on: June 20, 2012, 11:39:13 am »
Quote
Some Explanation: As "Authorization framework" did not work for me, and if one looks into Apple's examples, it's more than complicated. What is true, is that you don't want all your application running as root, so you need a helper application to perform "admin"-tasks.

That is not a good idea either. The reason is that one small programming error in that helper application means that the entire system can be compromised by a malicious user. Even if all it does is enable internet access and does not contain any bug at all, that means that on a multi-user system an operation that normally would require admin access, will now be possible by every user without having to know an admin password. System administrators will definitely not like that, and it's something you should clearly document/tell the user about.

leosok

  • New member
  • *
  • Posts: 9
Re: Root-Rights
« Reply #12 on: June 20, 2012, 08:45:01 pm »
Quote
System administrators will definitely not like that, and it's something you should clearly document/tell the user about.

I get your point, and security is an issue. I want to check the helper tool via a checksum before making it setuid. The Main application will have to authorize to the helpertool (so only my program but not a user itself can call it) and there is no communication with the helpertool but simple command line options (no data is transmitted which could be manipulated). So I think it's fairly safe for a small user base. I will take your advice, and mention this in the readme.

Unfortunately another problem occurred. Although the helpertool starts as root, which I know via writeln(IntToStr(fpgeteuid)); - it will not have the rights to perform the actions it should.

Code: [Select]
   
    // run the dns server
    writeln('starting the dnsserver');
    fpSystem('./nin_mdns_osx 127.0.0.1 &');

    writeln(fpSystem('ipfw add 27100 fwd 127.0.0.1,53 ip from any to any dst-port 53'));
    writeln(fpSystem('ipfw add 27101 fwd 127.0.0.1,8081 tcp from any to any dst-port 80')); 


It seems that fpSystem is not transmitting the permissions the helper tool has. When I start it with sudo everything works. Should running as root not be the same as sudo?
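
Reply #12 proposes checking the helper tool against a checksum before making it setuid. The shell functions below are an added illustration of such a pre-flight check, not code from any poster in this thread; the function names and the pinned digest passed by the caller are assumptions. The check does not change the point made in Reply #11 that, once the bit is set, every local user can run the helper.

```shell
#!/bin/sh
# Added example: pre-flight check for a helper binary before it is marked
# setuid. The path and the pinned SHA-256 are supplied by the caller.

# Print the SHA-256 of a file, using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1    # macOS
    fi
}

# Succeeds if $1 carries a group- or world-write permission bit.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# verify_helper PATH EXPECTED_SHA256
# Returns 0 only if the file passes every check, non-zero otherwise.
verify_helper() {
    helper=$1; expected=$2
    # A symlink could be retargeted between this check and the chmod.
    if [ -L "$helper" ] || [ ! -f "$helper" ]; then
        echo "refuse: not a regular file: $helper" >&2; return 1
    fi
    # Whoever can write the file, or rename entries in its directory, can
    # swap the binary after the checksum was taken.
    dir=$(dirname -- "$helper")
    if loosely_writable "$helper" || loosely_writable "$dir"; then
        echo "refuse: file or directory is group/world-writable" >&2; return 1
    fi
    actual=$(sha256_of "$helper") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refuse: checksum mismatch for $helper" >&2; return 1
    fi
    return 0
}

# Stand-alone use: verify_helper.sh /path/to/helper <pinned-sha256>
if [ "$#" -eq 2 ]; then
    verify_helper "$1" "$2"
fi
```

The check and the later chown/chmod are separate steps, so a file in a directory the unprivileged user owns can still be replaced in between; the check only narrows that window.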

ydk2

  • Newbie
  • Posts: 5
Re: Root-Rights
« Reply #13 on: February 19, 2013, 06:49:06 am »
An easy way:
Code: [Select]
fpSystem('security execute-with-privileges /usr/bin/open  /Applications/someapp.app');
;)

 
