Follow-up: OS X privilege escalation without using deprecated methods

by Steve

I posted a few months ago about the problems I’d encountered with performing privileged actions from a Mac OS X app - in my case, installing a command line utility in /usr/local/bin - and that all the examples of this that I’d come across used an approach which was now deprecated. You can find my original post here:

Escalating privileges on Mac OS X securely, and without using deprecated methods.

I had failed to produce a shrink-wrapped working example to go with the discussion, primarily because extracting it into a standalone example would take a while and I made the post a couple of days before I went on holiday. I also didn’t know whether anyone else actually cared about the subject enough for it to be worth me doing it!

Well, perhaps I should have known better, because I’ve had quite a few requests for such an example since then 😀 I finally got around to doing this at the weekend - and actually when I came to do it I understood why people had pestered me for it, because it took me a while to get things configured just right in a fresh project! Mostly, it’s that there are quite a few things that can go wrong outside the code, both in the project settings and the plists because of the code signing requirements.

So anyway, here’s the project: PrivilegedHelperExample on Bitbucket. Please make sure to check the ReadMe.txt - despite being shrink-wrapped, you will need to add your own code signing identity before you can compile the code, and you will need to reflect the name of your certificate in a few places, which I’ve listed. I’ve also tried to point you at the relevant pain points you may encounter when replicating the result in a different project.

The majority of this code is just the Apple example code from BetterAuthorizationSample and SMJobBless, grafted together, de-duplicated and tweaked. All the changes I made can be considered public domain.