Follow-up: OS X privilege escalation without using deprecated methods

I posted a few months ago about the problems I’d encountered with performing privileged actions from a Mac OS X app – in my case, installing a command line utility in /usr/local/bin – and that all the examples of this that I’d come across used an approach which was now deprecated. You can find my original post here:
Escalating privileges on Mac OS X securely, and without using deprecated methods.

I had failed to produce a shrink-wrapped working example to go with the discussion, primarily because extracting it into a standalone example would take a while and I made the post a couple of days before I went on holiday. I also didn’t know whether anyone else actually cared about the subject enough for it to be worth me doing it!

Well, perhaps I should have known better, because I’ve had quite a few requests for such an example since then :) I finally got around to doing this at the weekend – and actually when I came to do it I understood why people had pestered me for it, because it took me a while to get things configured just right in a fresh project! Mostly, it’s that there are quite a few things that can go wrong outside the code, both in the project settings and the plists because of the code signing requirements.

So anyway, here’s the project: PrivilegedHelperExample on Bitbucket. Please make sure to check the ReadMe.txt – despite being shrink-wrapped, you will need to add your own code signing identity before you can compile the code, and you will need to reflect the name of your certificate in a few places, which I’ve listed. I’ve also tried to point you at the relevant pain points you may encounter when replicating the result in a different project.

The majority of this code is just the Apple example code from BetterAuthorizationSample and SMJobBless, grafted together, de-duplicated and tweaked. All the changes I made can be considered public domain.

Enjoy!
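The plist cross-references that SMJobBless depends on can be checked before building. The script below is an added example, not code from PrivilegedHelperExample or from Apple's samples. It assumes the standard SMJobBless keys (`SMPrivilegedExecutables` in the app's Info.plist, `SMAuthorizedClients` in the helper's Info.plist, `Label` in the helper's launchd plist); every identifier and the certificate name are constructed placeholders.

```python
import plistlib
import re

# Constructed placeholder identity; substitute the name of your own certificate.
CERT = "Developer ID Application: Example Co"
CN_RE = re.compile(r'subject\.CN\]\s*=\s*"([^"]+)"')
FQ_NAME = re.compile(r'^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')  # e.g. com.company.blah

def requirement(ident, cn=CERT):
    """Build a code signing requirement string in the form the plists carry."""
    return f'identifier {ident} and certificate leaf[subject.CN] = "{cn}"'

def check_pairing(app_plist, helper_plist, launchd_plist, product_name):
    """Return a list of mismatches between app and helper plists (empty = consistent)."""
    app, helper, job = (plistlib.loads(p) for p in (app_plist, helper_plist, launchd_plist))
    problems = []
    label = job.get("Label", "")
    if not FQ_NAME.match(product_name):
        problems.append(f"helper product name {product_name!r} is not fully qualified")
    if not (product_name == label == helper.get("CFBundleIdentifier")):
        problems.append("helper product name, launchd Label and CFBundleIdentifier differ")
    # The app must list the helper by label, with the requirement the helper must meet.
    tool_req = app.get("SMPrivilegedExecutables", {}).get(label)
    if tool_req is None:
        problems.append(f"app SMPrivilegedExecutables has no entry for {label!r}")
    # The helper must list a requirement that names the app allowed to install it.
    client_reqs = helper.get("SMAuthorizedClients", [])
    app_id = app.get("CFBundleIdentifier", "")
    pattern = r'identifier "?%s"?(\s|$)' % re.escape(app_id)
    if not any(re.search(pattern, r) for r in client_reqs):
        problems.append(f"helper SMAuthorizedClients does not name {app_id!r}")
    # Both directions should reference the same signing certificate name.
    cns = set(CN_RE.findall(" ".join(client_reqs + [tool_req or ""])))
    if len(cns) != 1:
        problems.append(f"expected one certificate CN in all requirements, found {sorted(cns)}")
    return problems

# Constructed sample plists (hypothetical bundle identifiers).
HELPER_ID = "com.example.app.helper"
SAMPLE_APP = plistlib.dumps({"CFBundleIdentifier": "com.example.app",
                             "SMPrivilegedExecutables": {HELPER_ID: requirement(HELPER_ID)}})
SAMPLE_HELPER = plistlib.dumps({"CFBundleIdentifier": HELPER_ID,
                                "SMAuthorizedClients": [requirement("com.example.app")]})
SAMPLE_JOB = plistlib.dumps({"Label": HELPER_ID})

if __name__ == "__main__":
    print(check_pairing(SAMPLE_APP, SAMPLE_HELPER, SAMPLE_JOB, HELPER_ID))
    print(check_pairing(SAMPLE_APP, SAMPLE_HELPER, SAMPLE_JOB, "helper"))
```

To check a real project, read the three plist files as bytes and pass them in together with the helper target's product name.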

  • Coderama

    Great work with posting this solution. I am certain it will help many people decipher the Apple documentation.

    I am actually trying to get this to work with a Preferences Pane project except that I just got a response from an Apple developer stating “Currently you can only use SMJobBless from an app; it does not work from a preferences pane” DOH!

  • http://www.stevestreeting.com Steve

    Heh, looks like it’s back to the deprecated methods for you then! ;) Apple should really sort that out for Preference Panes too…

  • Dan

    Steve, thanks a lot for this. Your documentation for the code signing steps was great too. This works for me while running through the Xcode IDE. I get the success message. However, when I archive it and then run it, it throws the following error:

    Failed to install privileged helper: Error Domain=kSMErrorDomainFramework Code=3 “The operation couldn’t be completed. (kSMErrorDomainFramework error 3 – The client and tool did not match requirements.)” UserInfo=0x7ffdab55c9e0 {NSDescription=The client and tool did not match requirements.}

    Any ideas on what to do to resolve this?

  • Dan

    This step in your readme seemed to actually solve the problem I was having:

    Make sure the product name of the helper is fully qualified (com.company.blah)

    Thanks again!

  • http://www.stevestreeting.com Steve

    @Dan glad you resolved it – yeah this is what I meant by there being lots of little things that can go wrong! :)

  • Dan

    Thanks again Steve! One last question…

    I am sending arguments to ssexampletool successfully. However, I want to call some “terminal commands” in ssexampletool, similar to using NSTask. If I understand correctly, NSTask is not supported in this type of framework though. So, would I use the system() command or something else?

  • http://www.stevestreeting.com Steve

    ssexampletool is just set up as a basic C command line tool, so it doesn’t link to any of the Foundation Kit etc. However, ssexampletool isn’t really part of the privilege escalation example as such, it’s just the command-line tool that I was installing using those privileges. If you wanted to install something else which was linked to the Foundation Kit etc and so had access to all of that, you could.

  • Willem-Jan

    I get this error while running from Xcode, I'd like to hear some ideas about this as well :)
    I already checked all the steps over here: http://stackoverflow.com/a/13293719/1053980
