Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Change Authorization Dialog shown by AuthorizationCreate()

Looking through Apples BetterAuthorizationSample and further Derivatives( http://www.stevestreeting.com/2011/11/25/escalating-privileges-on-mac-os-x-securely-and-without-using-deprecated-methods/ ) I am trying to make a small change to the application and gain better understanding of the whole Security & ServiceManagement framework.. Therefore I proceeded to add an a button which removes the installed Job through the inverse of SMJobBless - SMJobRemove(). Straightforward however the AuthorizationCreate() call displays a dialog that states and requests permission to install a helper and not remove it.

That's the dialog I get (by using kSMRightModifySystemDaemons). As you can see it says that my app tries to add a new helper tool. Which will confuse my users because the app actually tries to remove the installed helper tool.

enter image description here

I'm seeking to find knowledge on how this dialog is changed to reflect my actual action (Job Removal), There are also several other apps which seem to completely customize the dialog - showing their own Custom Label and Buttons..

BOOL doRemoveSystemTool(NSString* label, NSError** error)
{
BOOL result = NO;

AuthorizationItem authItem      = { kSMRightModifySystemDaemons, 0, NULL, 0 };
AuthorizationRights authRights  = { 1, &authItem };
AuthorizationFlags flags        =   kAuthorizationFlagDefaults              |
kAuthorizationFlagInteractionAllowed    |
kAuthorizationFlagPreAuthorize          |
kAuthorizationFlagExtendRights;

AuthorizationRef authRef = NULL;
//Obtain authorization
OSStatus status = AuthorizationCreate(&authRights, kAuthorizationEmptyEnvironment, flags, &authRef);
if (status != errAuthorizationSuccess)
{
    NSLog(@"Failed to create AuthorizationRef, return code %ld", (long)status);
} else
{
    //We have authorization so proceed with removing the Job via SMJobRemove
    result = SMJobRemove(kSMDomainSystemLaunchd, (CFStringRef)label, authRef, YES, (CFErrorRef *)error);
}
AuthorizationFree(authRef, kAuthorizationFlagDefaults);
return result;
}

I have experimented with the authItem changing to kSMRightModifySystemDaemons from kSMRightBlessPrivilegedHelper but all this did was change the dialogue to display 'Add' instead of 'Install'

Would greatly appreciate some assistance here...

like image 384
DavidMIRV Avatar asked Nov 29 '12 21:11

DavidMIRV


1 Answers

I haven't used this before but found your question interesting so I did a little reading of Apple's documentation and based on that I wonder if setting up the environment with a kAuthorizationEnvironmentPrompt would do what you want?

From AuthorizationTags.h:
  The name of the AuthorizationItem that should be passed into the environment 
when specifying a invocation specific additional text.  The value should be a 
localized UTF8 string.

You'd create an AuthorizationItem with this and then an AuthorizationItemSet containing that, and then pass the set into the AuthorizationCreate call for the environment: parameter.

I'd try that.

The other idea I had reading the documentation was to have a command line tool that does the remove and authorize the execution of the command line tool ("SomethingSomethingHelper") which might be less confusing to the user (so using AuthorizationExecuteWithPrivileges or kAuthorizationRightExecute or whatever).

like image 190
Dad Avatar answered Sep 29 '22 21:09

Dad