Follow-up: OS X privilege escalation without using deprecated methods

I posted a few months ago about the problems I’d encountered with performing privileged actions from a Mac OS X app – in my case, installing a command line utility in /usr/local/bin – and that all the examples of this that I’d come across used an approach which was now deprecated. You can find my original post here:
Escalating privileges on Mac OS X securely, and without using deprecated methods.

I had failed to produce a shrink-wrapped working example to go with the discussion, primarily because extracting it into a standalone example would take a while and I made the post a couple of days before I went on holiday. I also didn’t know whether anyone else actually cared about the subject enough for it to be worth me doing it!

Well, perhaps I should have known better, because I’ve had quite a few requests for such an example since then :) I finally got around to doing this at the weekend – and actually when I came to do it I understood why people had pestered me for it, because it took me a while to get things configured just right in a fresh project! Mostly, it’s that there are quite a few things that can go wrong outside the code, both in the project settings and the plists because of the code signing requirements.

So anyway, here’s the project: PrivilegedHelperExample on Bitbucket. Please make sure to check the ReadMe.txt – despite being shrink-wrapped, you will need to add your own code signing identity before you can compile the code, and you will need to reflect the name of your certificate in a few places, which I’ve listed. I’ve also tried to point you at the relevant pain points you may encounter when replicating the result in a different project.

The majority of this code is just the Apple example code from BetterAuthorizationSample and SMJobBless, grafted together, de-duplicated and tweaked. All the changes I made can be considered public domain.

Enjoy!
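The plist and code-signing settings mentioned above can be cross-checked before building. The sketch below is an added example, not code from PrivilegedHelperExample or from Apple's samples. It compares the app's `SMPrivilegedExecutables` entry, the helper's `SMAuthorizedClients` and bundle identifier, and the helper's launchd `Label`; the bundle identifiers and certificate name are constructed placeholders, and the checks are textual only (they do not verify signatures).

```python
import re

# Patterns for the requirement-string fields compared below.
IDENT = re.compile(r'identifier\s+"?([\w.-]+)"?')
LEAF_CN = re.compile(r'certificate leaf\[subject\.CN\]\s*=\s*"([^"]+)"')
FQ_NAME = re.compile(r'^[\w-]+(\.[\w-]+)+$')  # e.g. com.company.blah

def _field(pattern, requirement):
    m = pattern.search(requirement)
    return m.group(1) if m else None

def check_bless_config(app_info, helper_info, helper_launchd):
    """Return a list of mismatches between the three plists (empty = consistent)."""
    problems = []
    app_id = app_info.get("CFBundleIdentifier")
    clients = helper_info.get("SMAuthorizedClients", [])
    helpers = app_info.get("SMPrivilegedExecutables", {})
    if not helpers:
        problems.append("app declares no SMPrivilegedExecutables")
    for label, app_req in helpers.items():
        if not FQ_NAME.match(label):
            problems.append(f"helper name {label!r} is not fully qualified")
        if helper_info.get("CFBundleIdentifier") != label:
            problems.append("helper CFBundleIdentifier differs from helper name")
        if helper_launchd.get("Label") != label:
            problems.append("launchd Label differs from helper name")
        if _field(IDENT, app_req) != label:
            problems.append("app requirement names a different helper identifier")
        if app_id is None or app_id not in [_field(IDENT, c) for c in clients]:
            problems.append("no SMAuthorizedClients entry names the app identifier")
        cns = {_field(LEAF_CN, r) for r in [app_req, *clients]}
        if len(cns) != 1 or None in cns:
            problems.append(f"certificate names disagree: {sorted(map(str, cns))}")
    return problems

# Constructed sample data (placeholders, not values from the project).
# Real use: plistlib.load(open(path, "rb")) for each of the three plists.
CERT = "Developer ID Application: Example Placeholder"
HELPER_ID = "com.example.MyApp.helper"
APP = {"CFBundleIdentifier": "com.example.MyApp",
       "SMPrivilegedExecutables": {
           HELPER_ID: f'identifier "{HELPER_ID}" and certificate leaf[subject.CN] = "{CERT}"'}}
HELPER = {"CFBundleIdentifier": HELPER_ID,
          "SMAuthorizedClients": [
              f'identifier "com.example.MyApp" and certificate leaf[subject.CN] = "{CERT}"']}
LAUNCHD = {"Label": HELPER_ID}

if __name__ == "__main__":
    print(check_bless_config(APP, HELPER, LAUNCHD) or "plists are consistent")
```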

9 Comments

  • Coderama
    March 5, 2012 - 10:06 pm | Permalink

    Great work with posting this solution. I am certain it will help many people decipher the Apple documentation.

    I am actually trying to get this to work with a Preferences Pane project except that I just got a response from an Apple developer stating “Currently you can only use SMJobBless from an app; it does not work from a preferences pane” DOH!

  • March 6, 2012 - 9:31 am | Permalink

    Heh, looks like it’s back to the deprecated methods for you then! 😉 Apple should really sort that out for Preference Panes too…

  • Dan
    March 11, 2012 - 4:59 pm | Permalink

    Steve, thanks a lot for this. Your documentation for the code signing steps was great too. This works for me while running through the Xcode IDE. I get the success message. However, when I archive it and then run it, it throws the following error:

    Failed to install privileged helper: Error Domain=kSMErrorDomainFramework Code=3 “The operation couldn’t be completed. (kSMErrorDomainFramework error 3 – The client and tool did not match requirements.)” UserInfo=0x7ffdab55c9e0 {NSDescription=The client and tool did not match requirements.}

    Any ideas on what to do to resolve this?

  • Dan
    March 11, 2012 - 6:04 pm | Permalink

    This step in your readme seemed to actually solve the problem I was having:

    Make sure the product name of the helper is fully qualified (com.company.blah)

    Thanks again!

  • March 12, 2012 - 3:32 pm | Permalink

    @Dan glad you resolved it – yeah this is what I meant by there being lots of little things that can go wrong! :)

  • Dan
    March 16, 2012 - 11:59 am | Permalink

    Thanks again Steve! One last question…

    I am sending arguments to ssexampletool successfully. However, I want to call some “terminal commands” in ssexampletool, similar to using NSTask. If I understand correctly, NSTask is not supported in this type of framework though. So, would I use the system() command or something else?

  • March 16, 2012 - 12:35 pm | Permalink

    ssexampletool is just set up as a basic C command line tool, so it doesn’t link to any of the Foundation Kit etc. However, ssexampletool isn’t really part of the privilege escalation example as such, it’s just the command-line tool that I was installing using those privileges. If you wanted to install something else which was linked to the Foundation Kit etc and so had access to all of that, you could.

  • Willem-Jan
    November 15, 2012 - 10:42 pm | Permalink

    I get this error while running from Xcode, like to hear some ideas about this as well :)
    I already checked all the steps over here: http://stackoverflow.com/a/13293719/1053980

  • Pingback: Installing a privileged helper and command line tool « YVS
