NSTask, command line tools and root

Question

I'm working on an app that needs to use dd (I do this with a shell script in the app bundle, that collects parameters from the app itself, makes some checks and then launches dd).

To make this operation I need to call dd with root, and I already looked at several solutions on StackOverflow. The simplest to implements seemed to me this one http://www.sveinbjorn.org/STPrivilegedTask

Problem is that my NSTask makes some complex read/write operations (not present in STPrivilegedTask) and does not need to be all privileged.

So I wrote a small helper tool in c that calls my script with correct parameters from my app. The solution I thought is to use the STPrivilegedTask to SUID once the fly my small helper tool, so I can launch it (and so my script and dd) with root, and soon after successful launch I set back the helper tool to non SUID (and I do the same if any error, on app exit, app start etc.. to be safer).

I implemented it and works quite well, maybe it's not perfect but I think that being all inside the bundle, and working with the helper tool in SUID just for the launch sounds safe enough.

Any thoughts?

Thanks!

Answer 1

You can use a sandbox for running the new Process in your NSTask

sandbox-exec -f <profile> <command>
sandbox-exec -f my_profile.sb "/bin/dd -if=/dev/disks01 of=/dev/target" 

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html

You have some profile examples in here

/usr/share/sandbox/

You have to give enough access for dd to work, I haven't tried or checked what dd requires, I would start with something like this:

(version 1)
(deny default)
(debug deny)
(import "system.sb")
(allow file-read-data file-write-data file-ioctl                 (regex #"^/dev/.*$"))
(allow process-exec (literal "/usr/sbin/helper"))

Update: Worth mention, you can use sandbox-exec -p command