NSTask, command line tools and root

I'm working on an app that needs to use dd (I do this with a shell script in the app bundle, that collects parameters from the app itself, makes some checks and then launches dd).

To make this operation I need to call dd as root, and I already looked at several solutions on StackOverflow. The simplest to implement seemed to me this one: http://www.sveinbjorn.org/STPrivilegedTask

Problem is that my NSTask makes some complex read/write operations (not present in STPrivilegedTask) and does not need to be all privileged.

So I wrote a small helper tool in C that calls my script with the correct parameters from my app. The solution I thought of is to use STPrivilegedTask to SUID my small helper tool on the fly, so I can launch it (and so my script and dd) as root, and soon after a successful launch I set the helper tool back to non-SUID (and I do the same on any error, on app exit, on app start etc., to be safer).

I implemented it and it works quite well; maybe it's not perfect, but I think that being all inside the bundle, and working with the helper tool in SUID just for the launch, sounds safe enough.

Any thoughts?

Thanks!

Heckle answered 18/4, 2011 at 0:30 Comment(0)
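The scheme above toggles the setuid bit on the helper around each launch, so the "on app start" cleanup is the part that matters if the app dies in between. The following is an added example, not code from the question: a POSIX sh sweep that finds any helper left setuid under a (hypothetical) bundle directory and clears the bit. Only `test -u` and `find -perm -4000` are used, so it behaves the same with BSD and GNU tools.

```shell
#!/bin/sh
# Added example (not from the original post): startup sweep for a helper
# tool that was left setuid because the app died between "chmod u+s" and
# "chmod u-s". The helper directory and file names are hypothetical.

# Return 0 if the file has the set-user-ID bit, 1 otherwise.
# "test -u" is POSIX, so this works on macOS and Linux alike.
helper_is_setuid() {
    [ -u "$1" ]
}

# Clear the setuid bit on one file if it is set. Prints a line describing
# what was done so the sweep can be logged; returns 1 only if chmod fails.
clear_stale_setuid() {
    helper="$1"
    if helper_is_setuid "$helper"; then
        chmod u-s "$helper" || return 1
        echo "cleared stale setuid bit on $helper"
    else
        echo "no setuid bit on $helper"
    fi
    return 0
}

# Sweep a whole directory: every regular file with the setuid bit gets the
# bit removed and its path printed, one per line. Nothing is printed when
# the bundle is already clean.
sweep_bundle() {
    find "$1" -type f -perm -4000 -exec chmod u-s {} \; -print
}

# Typical use at app start (path is a placeholder):
#   sweep_bundle "/Applications/MyApp.app/Contents/Helpers"
```

Run the sweep at launch and at exit, as the question already does; the sweep is the cheap part, the hard part is that nothing stops a local user from running the helper during the window in which the bit is set.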

You can use a sandbox for running the new process in your NSTask:

sandbox-exec -f <profile> <command> [args...]
sandbox-exec -f my_profile.sb /bin/dd if=/dev/disks01 of=/dev/target

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html

You have some profile examples in here

/usr/share/sandbox/

You have to give enough access for dd to work, I haven't tried or checked what dd requires, I would start with something like this:

(version 1)
(deny default)
(debug deny)
(import "system.sb")
(allow file-read-data file-write-data file-ioctl (regex #"^/dev/.*$"))
(allow process-exec (literal "/usr/sbin/helper"))

Update: Worth mentioning, you can use sandbox-exec -p <profile-string> <command> to pass the profile inline instead of from a file.

Demo answered 18/4, 2011 at 9:43 Comment(4)
Hi Jsmp, I tried the sandbox system, as I used it in the past, but it's not what I need: I just need to execute the task as root (also for other commands I need, like mount and umount, etc.). Anyone with some suggestion about my helperTool temporary SUID solution? Possible holes and alternatives? Heckle
Added to this, I also implemented in the helperTool the code to change itself from SUID to non-SUID at the end of its own process. So it gets SUID from the app, launches the script with the correct parameters and makes itself non-SUID just after, automatically. Seems a good added security step. Heckle
Hi opoloko, I see you just want a way to keep the file safe. From my point of view there is still the case where a user can kill the app, leaving it SUID before it unsets it. Demo
I have found this bdunagan.com/2008/11/23/… maybe it is useful for you. You can use sudo in your task, and request user authorization to run such a task using the Security framework. Demo
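The profile in the answer above grants dd read, write and ioctl on every node under /dev, which is far more than one copy needs. As an added example (not the answerer's code), the sh functions below build a profile for a single dd run that names only the source and target as literal paths, write it to a temporary file and hand it to sandbox-exec. The device paths are hypothetical; as the asker notes, sandbox-exec confines the process but does not give it root, so the caller still has to be privileged enough to open the devices.

```shell
#!/bin/sh
# Added example (not from the answer above): generate a sandbox-exec profile
# scoped to one dd invocation. The device and image paths are hypothetical.

# Print a profile that lets dd read SRC and write DST and nothing else under
# /dev. (debug deny) logs every denial, which is how you discover what dd
# still needs on top of system.sb when starting from (deny default).
make_dd_profile() {
    src="$1"
    dst="$2"
    cat <<EOF
(version 1)
(deny default)
(debug deny)
(import "system.sb")
(allow file-read-data (literal "$src"))
(allow file-write-data (literal "$dst"))
(allow file-ioctl (literal "$src") (literal "$dst"))
(allow process-exec (literal "/bin/dd"))
EOF
}

# Run dd under the generated profile. sandbox-exec exists only on macOS;
# elsewhere refuse rather than silently running dd unconfined.
run_dd_sandboxed() {
    src="$1"
    dst="$2"
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not available; refusing to run dd unconfined" >&2
        return 2
    fi
    profile=$(mktemp) || return 1
    make_dd_profile "$src" "$dst" > "$profile"
    # Arguments are passed separately, not as one quoted string, so that
    # sandbox-exec execs /bin/dd itself rather than a program named
    # "/bin/dd if=... of=...".
    sandbox-exec -f "$profile" /bin/dd if="$src" of="$dst"
    rc=$?
    rm -f "$profile"
    return $rc
}

# Typical use (placeholder paths):
#   run_dd_sandboxed /dev/rdisk2 /tmp/disk.img
```

Expect the first runs to fail: `(deny default)` also blocks mach lookups and library loads that `system.sb` may not cover, and the denials show up in the system log because of `(debug deny)`; add rules for those one at a time rather than falling back to the `/dev/.*` regex.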

© 2022 - 2024 — McMap. All rights reserved.