Asking user for admin password in sandboxed OSX app

I'm writing an app where I'd like the custom preferences window to ask for an admin password (but never store it) before allowing any changes. Up until now I've been using this code snippet:

    OSStatus status;
    AuthorizationRef authorizationRef;

    // AuthorizationCreate and pass NULL as the initial
    // AuthorizationRights set so that the AuthorizationRef gets created
    // successfully, and then later call AuthorizationCopyRights to
    // determine or extend the allowable rights.
    // http://developer.apple.com/qa/qa2001/qa1172.html
    status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &authorizationRef);
    if (status != errAuthorizationSuccess)
    {
        NSLog(@"Error Creating Initial Authorization: %d", status);
        return status;
    }

    // kAuthorizationRightExecute == "system.privilege.admin"
    AuthorizationItem right = {kAuthorizationRightExecute, 0, NULL, 0};
    AuthorizationRights rights = {1, &right};
    AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights;

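    // Call AuthorizationCopyRights to determine or extend the allowable rights.
    status = AuthorizationCopyRights(authorizationRef, &rights, NULL, flags, NULL);
    if (status != errAuthorizationSuccess)
    {
        NSLog(@"Copy Rights Unsuccessful: %d", status);
    }

    // Only the status is needed to enable or disable the controls, so
    // release the authorization reference instead of leaking it.
    AuthorizationFree(authorizationRef, kAuthorizationFlagDefaults);
    return status;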

Which worked fine, presenting a standard OS password dialog asking for administrator password entry. The various controls in the preferences nib are enabled/disabled according to the returned status. However, now I'm trying to sandbox the app and this code always returns errAuthorizationDenied. I've had a look at the docs for AuthorizationCopyRights and AuthorizationCreate but I can't see any reference to using them in a sandboxed environment.

I've tried varieties of the AuthorizationFlags flags but it's always the same result. Is there a way of modifying the above code to work in Sandbox, or is asking for an admin password just a no-no these days?

Todd asked May 30 '12 09:05


1 Answer

I have looked at the docs for sandboxing and the section called Determine Whether Your App is Suitable for Sandboxing immediately answers your question.

From the docs

The following app behaviors are incompatible with App Sandbox:

  • Use of Authorization Services

Game over.

In fact, I'm not sure what you are hoping to achieve. Why wouldn't you let the user determine their own custom preferences for the application?

JeremyP answered Nov 14 '22 23:11
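
A guard that follows from the incompatibility quoted in the answer, as an added example that is not part of the original question or answer: it reads the process's own `com.apple.security.app-sandbox` entitlement and skips the Authorization Services call when the app is sandboxed, so the UI can stay locked without a call that would be denied anyway. The function names `ProcessIsSandboxed` and `RequestAdminRight` are hypothetical, and the entitlement key is not taken from the page.

```objc
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>
#import <Security/AuthorizationTags.h>
#import <Security/SecTask.h>

// Hypothetical helper: YES when this process carries the App Sandbox entitlement.
static BOOL ProcessIsSandboxed(void)
{
    SecTaskRef task = SecTaskCreateFromSelf(kCFAllocatorDefault);
    if (task == NULL) {
        return NO; // cannot inspect entitlements; let the normal call decide
    }
    CFTypeRef value = SecTaskCopyValueForEntitlement(
        task, CFSTR("com.apple.security.app-sandbox"), NULL);
    BOOL sandboxed = (value != NULL
                      && CFGetTypeID(value) == CFBooleanGetTypeID()
                      && CFBooleanGetValue((CFBooleanRef)value));
    if (value != NULL) {
        CFRelease(value);
    }
    CFRelease(task);
    return sandboxed;
}

// Hypothetical wrapper around the question's logic.
static OSStatus RequestAdminRight(void)
{
    if (ProcessIsSandboxed()) {
        // Authorization Services is incompatible with App Sandbox:
        // report the denial up front instead of attempting the call.
        NSLog(@"Sandboxed process: skipping Authorization Services");
        return errAuthorizationDenied;
    }

    AuthorizationRef ref = NULL;
    OSStatus status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagDefaults, &ref);
    if (status != errAuthorizationSuccess) {
        return status;
    }

    AuthorizationItem right = {kAuthorizationRightExecute, 0, NULL, 0};
    AuthorizationRights rights = {1, &right};
    AuthorizationFlags flags = kAuthorizationFlagDefaults
        | kAuthorizationFlagInteractionAllowed
        | kAuthorizationFlagPreAuthorize
        | kAuthorizationFlagExtendRights;
    status = AuthorizationCopyRights(ref, &rights, NULL, flags, NULL);

    // The caller only needs the status, so the reference is released here.
    AuthorizationFree(ref, kAuthorizationFlagDefaults);
    return status;
}
```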