Execute commands using elevated privileges on Mac OS X, version >= 10.7 (Lion)
-
From Mac OS X 10.7 Lion onward, access to the system-level "Application Support" folder, "/Library/Application Support", is secured with administrator rights. Therefore, to alter the contents of this folder, one would need to pass the administrator account's credentials. The folder "/Users/<user>/Library/Application Support/" does not require elevated privileges when modifying its contents, but it is a user-level one, not system-level.
The question: what is the most recent, correct and easiest way to write to system-level /Library/Application Support/<company>/... during runtime on Mac OS X, version 10.7 and above?
Found solutions so far:
1) Use the Authorization Services framework and execute privileged commands with the "AuthorizationExecuteWithPrivileges":https://developer.apple.com/library/mac/#documentation/Security/Reference/authorization_ref/DeprecationAppendix/AppendixADeprecatedAPI.html#//apple_ref/c/func/AuthorizationExecuteWithPrivileges function. Sample code is listed "here":http://michaelobrien.info/blog/2009/07/authorizationexecutewithprivileges-a-simple-example/. As it becomes obvious from Apple's developer site, "AuthorizationExecuteWithPrivileges is deprecated":http://stackoverflow.com/questions/6841937/authorizationexecutewithprivileges-is-deprecated and thus should not be used.
2) Another way round is to use the Service Management framework:
- Create a helper application.
- Allow it to execute privileged commands by calling SMJobBless from the actual application.
- Communicate the commands that you want to execute with elevated privileges from the actual application to the helper one through XPC.
Sample project is provided "here":https://github.com/atnan/SMJobBlessXPC.
I have tested 1) - doesn't work on OS X 10.8. I've started testing 2) but wanted to know whether there are less painful and cumbersome to implement alternatives and whether there are examples for 2).
-
Your only option is 2. Apple felt option 1 was too much of a security threat to their users so they chose to use the Service Management framework. It is way more painful to use, but hey! You chose to develop for Apple :D
-
Hi @napajejenunedk0,
Did you have any luck with this? I'm also facing a similar issue: I need my Qt app to copy some files into the folder of another installed application on the Mac OS. But that folder requires admin rights. On Windows, there are some ways (although not simple) to expose the UAC dialog box to prompt for the admin privileges from the user. But I don't know yet if it would be even more complicated for the Mac.
-
As far as I can remember SMJobBless requires the application to have developer code signature placed as a file in the app bundle. Currently, I am still using the Authorization services framework.
-
[quote author="napajejenunedk0" date="1348575704"]I have tested 1) - doesn't work on OS X 10.8.
[/quote]Are you sure? I just tried in 10.9 and it works and I never heard anyone on 10.8 complaining.
-
Good remark, since I've tested it as well on 10.9 and it works. Don't know why it didn't work at that moment. Have you tested it on 10.8?
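-
Added example, not part of any post in this thread and not taken from the linked sample project: a sketch of the SMJobBless step from option 2), where the application obtains the bless right through Authorization Services and asks launchd to install the helper. The label `com.example.app.helper` and the function name `BlessHelper` are hypothetical placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Authorization.h>
#import <ServiceManagement/ServiceManagement.h>

// Hypothetical launchd label. The helper executable is embedded in the app
// bundle at Contents/Library/LaunchServices/<label>.
static NSString *const kHelperLabel = @"com.example.app.helper";

// Prompts for administrator credentials and installs the helper as a
// privileged launchd job. SMJobBless only succeeds when both sides are
// code signed and their Info.plist entries agree:
//   app:    SMPrivilegedExecutables = { label : signing requirement of helper }
//   helper: SMAuthorizedClients     = [ signing requirement of the app ]
static BOOL BlessHelper(NSError **outError)
{
    // Request only the single right needed to bless a helper.
    AuthorizationItem item = { kSMRightBlessPrivilegedHelper, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    AuthorizationFlags flags = kAuthorizationFlagDefaults
                             | kAuthorizationFlagInteractionAllowed
                             | kAuthorizationFlagPreAuthorize
                             | kAuthorizationFlagExtendRights;

    AuthorizationRef authRef = NULL;
    OSStatus status = AuthorizationCreate(&rights, kAuthorizationEmptyEnvironment,
                                          flags, &authRef);
    if (status != errAuthorizationSuccess) {   // e.g. the user cancelled the prompt
        if (outError)
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                            code:status userInfo:nil];
        return NO;
    }

    CFErrorRef cfError = NULL;
    Boolean ok = SMJobBless(kSMDomainSystemLaunchd,
                            (__bridge CFStringRef)kHelperLabel, authRef, &cfError);

    // Drop the acquired right as soon as the helper is installed.
    AuthorizationFree(authRef, kAuthorizationFlagDestroyRights);

    if (!ok) {
        if (outError) *outError = CFBridgingRelease(cfError);
        else if (cfError) CFRelease(cfError);
    }
    return ok;
}
```

The helper runs as root, so its XPC interface should expose only the narrow operations the application needs (for example, writing a named file under /Library/Application Support/<company>/) and validate every argument, rather than accept arbitrary command strings.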