Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

NSTask, command line tools and root

I'm working on an app that needs to use dd (I do this with a shell script in the app bundle, that collects parameters from the app itself, makes some checks and then launches dd).

To make this operation I need to call dd with root, and I already looked at several solutions on StackOverflow. The simplest to implements seemed to me this one http://www.sveinbjorn.org/STPrivilegedTask

Problem is that my NSTask makes some complex read/write operations (not present in STPrivilegedTask) and does not need to be all privileged.

So I wrote a small helper tool in c that calls my script with correct parameters from my app. The solution I thought is to use the STPrivilegedTask to SUID once the fly my small helper tool, so I can launch it (and so my script and dd) with root, and soon after successful launch I set back the helper tool to non SUID (and I do the same if any error, on app exit, app start etc.. to be safer).

I implemented it and works quite well, maybe it's not perfect but I think that being all inside the bundle, and working with the helper tool in SUID just for the launch sounds safe enough.

Any thoughts?

Thanks!

like image 970
opoloko Avatar asked Apr 18 '11 00:04

opoloko


1 Answers

You can use a sandbox for running the new Process in your NSTask

sandbox-exec -f <profile> <command>
sandbox-exec -f my_profile.sb "/bin/dd -if=/dev/disks01 of=/dev/target" 

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html

You have some profile examples in here

/usr/share/sandbox/

You have to give enough access for dd to work, I haven't tried or checked what dd requires, I would start with something like this:

(version 1)
(deny default)
(debug deny)
(import "system.sb")
(allow file-read-data file-write-data file-ioctl                 (regex #"^/dev/.*$"))
(allow process-exec (literal "/usr/sbin/helper"))

Update: Worth mention, you can use sandbox-exec -p command

like image 94
jsmp Avatar answered Oct 23 '22 14:10

jsmp