
Mac sudo authorization help

    Ketan Shah
    wrote on 20 Sept 2011, 10:27 last edited by
    #23

    Sorry, can you please elaborate what you are exactly asking.

      Alicemirror
      wrote on 20 Sept 2011, 11:54 last edited by
      #24

      You have created the shell command that is called in some conditions from inside your Qt GUI, as I have understood correctly. Thus what is the code that you have used to launch the shell program from inside the application?

      This was my question.

      Enrico Miglino (aka Alicemirror)
      Balearic Dynamics
      Islas Baleares, Ibiza (Spain)
      www.balearicdynamics.com

        Ketan Shah
        wrote on 21 Sept 2011, 06:29 last edited by
        #25

        Your script worked, but I didn't use it completely in my Qt app. I had used the following code from your script, which was very helpful:

        @
        echo $PASSWORD | sudo -S /Application/apps/apache/bin/httpd
        @

        Actually what I have done is I have built a dialog that will ask the current user for their password and I have stored that password in a variable. After that I have verified it by using the following code,

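        @
        QProcess *p = new QProcess;
        // bash expands $PASSWORD from its environment, so the variable must be visible to the child process;
        // "echo $?" appends sudo's exit status to the captured output
        p->start("bash", QStringList() << "-c" << "echo $PASSWORD | sudo -S ls /var/db/shadow/ ; echo $?");
        p->waitForStarted(1000);
        p->waitForFinished(1000);
        QString readcode = p->readAll();
        @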

        If the command is executed successfully it will return 0, or else it will return 1.
        So if the password is correct then I have stored it in the PASSWORD variable and after that have started apache with that password.

        According to you would it be the right procedure to verify the sudo password?

          Alicemirror
          wrote on 21 Sept 2011, 06:45 last edited by
          #26

          Yes, it is correct.
          Just a piece of advice: this way you wait a while for the process to finish. Maybe it is best to manage it with a signal. As a matter of fact the shell call is a secondary process launch. With an event-driven approach it is sure that you return from the task when the process is finished. Then set up a timer too that, after a reasonable period (i.e. 30 seconds), stops the process anyway because something went wrong. This is a general consideration, not for a case so simple.
          Also add a busy indicator so the user sees that it is waiting for the command sequence completion.

          Enrico Miglino (aka Alicemirror)
          Balearic Dynamics
          Islas Baleares, Ibiza (Spain)
          www.balearicdynamics.com

            Ketan Shah
            wrote on 21 Sept 2011, 07:01 last edited by
            #27

            Thanks for your advice, will surely work on it.

              Alicemirror
              wrote on 21 Sept 2011, 07:18 last edited by
              #28

              @Ketan: please set this thread to [Solved]. Thanks.

              Enrico Miglino (aka Alicemirror)
              Balearic Dynamics
              Islas Baleares, Ibiza (Spain)
              www.balearicdynamics.com

                Ketan Shah
                wrote on 21 Sept 2011, 09:23 last edited by
                #29

                @Alicemirror: Sorry, but how can I set this thread to solved.

                  Alicemirror
                  wrote on 21 Sept 2011, 09:28 last edited by
                  #30

                  :)
                  It's simple: go to the first post (it's yours) and click edit.
                  Correct the title writing [Solved] in front.

                  Cheers

                  Enrico Miglino (aka Alicemirror)
                  Balearic Dynamics
                  Islas Baleares, Ibiza (Spain)
                  www.balearicdynamics.com

                    fluca1978
                    wrote on 21 Sept 2011, 09:54 last edited by
                    #31

                    Just as a side note, being OSX based on Unix, a getent call could retrieve the hashed password and other user information to check in the Qt application. Of course this means that the application is able to re-cypher the plain password so to perform the check. And this will not give any privilege to the application itself.
                    However, a possible solution to avoid similar situations is to configure the sudo application to not request a password for a specific user, and set the suid of the qt application to such user. Never tried, but should work.
                    However, the best solution is to let the system ask for the user password!

                      Alicemirror
                      wrote on 21 Sept 2011, 09:59 last edited by
                      #32

                      Yes I know this. But as you can read in the specifications of the OS documentation (sudo command etc) the general problem of passing the sudo password in a visible way (i.e. saving it in a text file or leaving all the users with the higher privileges) may have a terrible impact on the entire machine...

                      Enrico Miglino (aka Alicemirror)
                      Balearic Dynamics
                      Islas Baleares, Ibiza (Spain)
                      www.balearicdynamics.com

                        fluca1978
                        wrote on 21 Sept 2011, 12:00 last edited by
                        #33

                        Well, in any environment having a plain text password saved somewhere is a call for troubles.
                        I was not saying to use a plain password, but just to cypher the password via md5 or the OS algorithm and check the result against the getent result to see if it is correct. The password could be asked interactively to the user. Again, this has nothing to do with gaining privileges.
                        Configuring sudo to not require a password is another problem, but could be useful if the user has no machine login. I used it in daemon-like applications, that must be of course well trusted and must run with a nologin user, so to avoid (or delay) a privilege escalation. Of course, it depends on how much you trust your application to make it run suid....

                          Alicemirror
                          wrote on 21 Sept 2011, 13:22 last edited by
                          #34

                          Ahha ok, this may be a way. I agree, my post was only an add-on to your previous comment. It will be interesting to require or not the password following the directions of the user: if user has setup his machine for auto-login then it should else not.
                          Consider also that this application launches a system command and it is normal that it will be done asking for a password. Like when you launch other commands that involve root privileges to be executed. With sudo, the effect is that the user is only asked for his password but the reality is that you access root-privilege commands.

                          Enrico Miglino (aka Alicemirror)
                          Balearic Dynamics
                          Islas Baleares, Ibiza (Spain)
                          www.balearicdynamics.com

                            Ketan Shah
                            wrote on 17 Oct 2011, 06:21 last edited by
                            #35

                            [quote author="Alicemirror" date="1316166789"]Yep
                            It is clear now

                            First ignore cocasudo. To start apache I think that you should do something like the following:
                            @
                            $cd /etc/apache2
                            $sudo
                            insert password:


                            $./apache2
                            @
                            At this point you should know that sudo has more options and try to create a small shell script like the following naming it apachestarter.sh
                            @
                            #!/bin/bash
                            NUMPARMS=1 # Minimum required parameters

                            # get the current user userId
                            ACTUALUSER=$(whoami)

                            # check for parms
                            if [ $# -lt "$NUMPARMS" ]
                            then
                                echo
                                echo "Apache starter"
                                echo
                                echo "usage: ./apachestarter.sh <password for user $ACTUALUSER>"
                                echo "password omitted, so insert manually"
                                read PASSWORD
                            else
                                # read password argument
                                PASSWORD=$1
                            fi

                            # The following command will run apache with the sudo password without asking nothing
                            echo $PASSWORD | sudo -S /etc/apache2/apache2
                            @
                            Then save this file in the user home folder or somewhere in the user area. Then remember to change the privileges of this command to be executable, i.e.
                            @
                            $sudo chmod +x apachestarter.sh
                            @
                            [Edit: the previous line has been changed as it is now for a correct and secure operation. See the following posts to understand the reasons]
                            At this point you can launch your command (that will be part of the package, installed in the installation folder etc.) directly from inside your GUI calling him with the password set by the user.

                            [/quote]

                            Hi,
                            how can I start apache if the sudo has no password (no password is set for user)?

                              zidanej
                              wrote on 10 Nov 2011, 01:46 last edited by
                              #36

                              Sorry for hijacking this thread but I'm doing some work along these lines as well. Right now I do a call in one of my functions in my QT application so it's a little like this:

                              @
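                              char cmdLine[1024];
                              // password: C string holding the sudo password (name assumed; the post omitted the argument)
                              snprintf(cmdLine, sizeof(cmdLine), "echo %s | sudo -S somethingthatneedssudo", password);
                              system(cmdLine);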
                              @

                              This is all fine and dandy but the function that I run takes a while and I want to pop open a dialog box that tells the user that it's running with a progressbar. I also want the application to be "responsive" during this time so that there isn't the spinning wheel in the case of Mac OSX. I can run the cmdLine as a background process by adding a "&" to the end of the sudo command which will allow the application to be responsive. However I don't know of a good way of detecting when this process is finished so I can change the dialog to display something that tells the user the process is finished. I tried using QProcess::execute() but that takes the cmdLine string and interprets the command as echo and everything after it as a literal string so it just prints "%s | sudo -S somethingthatneedssudo". Is there a good way to do this that I'm not finding?

                              [EDIT: code formatting, please wrap in @-tags, Volker]

                                goetz
                                wrote on 11 Nov 2011, 00:29 last edited by
                                #37

                                This code works for me:

                                @
                                void MainWindow::pushButton1Pressed()
                                {
                                    bool ok;
                                    QString password = QInputDialog::getText(
                                        this,
                                        tr("Password"),
                                        tr("Password:"),
                                        QLineEdit::Password,  // do not echo the typed password
                                        "",
                                        &ok);
                                    if (!ok || password.isEmpty())
                                        return;

                                    // proc is a QProcess pointer defined in the class
                                    if (!proc) {
                                        proc = new QProcess(this);
                                        connect(proc, SIGNAL(finished(int,QProcess::ExitStatus)), this, SLOT(processFinished(int,QProcess::ExitStatus)));
                                    } else {
                                        // terminate a probably running process
                                        proc->kill();
                                        // kill() is asynchronous; start() is ignored while the old process is still running
                                        proc->waitForFinished();
                                    }
                                    // program and arguments passed separately, so no command-line parsing is involved
                                    proc->start("sudo", QStringList() << "-S" << "id");
                                    // the password goes to sudo's stdin, not onto a command line
                                    proc->write(password.toLocal8Bit());
                                    proc->write("\n");
                                    proc->closeWriteChannel();
                                }

                                void MainWindow::processFinished(int exitCode, QProcess::ExitStatus exitStatus)
                                {
                                    QString finished = QString("exitCode=%1\nstatus=%2\n").arg(exitCode).arg(exitStatus);
                                    finished += proc->readAllStandardOutput();
                                    QMessageBox::information(this, "Process Output", finished);
                                }
                                @

                                http://www.catb.org/~esr/faqs/smart-questions.html
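
Added example, not code from any poster in this thread: `system("echo %s | sudo -S ...")` hands the password to `/bin/sh -c` as part of its argument string, where it is visible in the process list and any shell metacharacters in it are interpreted, while the QProcess answer writes it to sudo's stdin. The sketch below shows that stdin hand-off with plain POSIX calls (no Qt), plus the "stop it anyway" timeout suggested earlier in the thread; `runWithSecretOnStdin` is a hypothetical helper name and a harmless `sh -c 'read ...'` command is a constructed stand-in for `sudo -S`.

```cpp
#include <string>
#include <vector>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical helper (not from the thread): run argv directly (no shell), write
// secret + '\n' to the child's stdin, and wait at most timeout_ms for it.
// Returns the child's exit code, -1 on error, -2 if it was killed on timeout.
int runWithSecretOnStdin(std::vector<std::string> argv,
                         const std::string& secret, int timeout_ms) {
    int fds[2];
    if (argv.empty() || pipe(fds) != 0) return -1;
    std::vector<char*> args;
    for (auto& a : argv) args.push_back(&a[0]);
    args.push_back(nullptr);
    signal(SIGPIPE, SIG_IGN);  // a child that exits early must not kill us on write()
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      // child: the pipe's read end becomes stdin
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(args[0], args.data());
        _exit(127);                      // exec failed
    }
    close(fds[0]);
    const std::string line = secret + "\n";
    ssize_t n = write(fds[1], line.data(), line.size());  // fails if the child left early
    (void)n;                             // the exit status below is what counts
    close(fds[1]);                       // EOF, like QProcess::closeWriteChannel()
    int status = 0;
    for (int waited = 0;; waited += 10) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) break;
        if (r < 0) return -1;
        if (waited >= timeout_ms) {      // the "stop it anyway" timer
            kill(pid, SIGKILL); waitpid(pid, &status, 0);
            return -2;
        }
        usleep(10 * 1000);
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed stand-in for `sudo -S ...`: exits 0 only if stdin carries the secret.
    std::vector<std::string> cmd = {"/bin/sh", "-c", "read -r p; [ \"$p\" = 'pa$$ w;rd' ]"};
    return runWithSecretOnStdin(cmd, "pa$$ w;rd", 2000);
}
```

With real sudo the argument vector would be `{"sudo", "-S", "-k", "-v"}`: `-v` validates the password without running a command, and `-k` makes sudo ignore cached credentials so an earlier successful authentication does not mask a wrong password.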
