NSTask, command line tools and root


Question

I'm working on an app that needs to use dd (I do this with a shell script in the app bundle, that collects parameters from the app itself, makes some checks and then launches dd).

To perform this operation I need to call dd as root, and I already looked at several solutions on StackOverflow. The simplest to implement seemed to me to be this one: http://www.sveinbjorn.org/STPrivilegedTask

Problem is that my NSTask makes some complex read/write operations (not present in STPrivilegedTask) and does not need to be all privileged.

So I wrote a small helper tool in C that calls my script with the correct parameters from my app. The solution I thought of is to use STPrivilegedTask to SUID my small helper tool on the fly, so I can launch it (and so my script and dd) as root, and soon after a successful launch I set the helper tool back to non-SUID (and I do the same on any error, on app exit, on app start, etc. to be safer).

I implemented it and it works quite well. Maybe it's not perfect, but I think that being all inside the bundle, and working with the helper tool in SUID just for the launch, sounds safe enough.

Any thoughts?

Thanks!

Recommended answer

You can use a sandbox for running the new process in your NSTask:

sandbox-exec -f <profile> <command>
sandbox-exec -f my_profile.sb /bin/dd if=/dev/disks01 of=/dev/target

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html

You have some profile examples in here:

/usr/share/sandbox/

You have to give enough access for dd to work, I haven't tried or checked what dd requires, I would start with something like this:

(version 1)
(deny default)
(debug deny)
(import "system.sb")
(allow file-read-data file-write-data file-ioctl (regex #"^/dev/.*$"))
(allow process-exec (literal "/usr/sbin/helper"))

Update: Worth mentioning, you can use the sandbox-exec -p command.
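
The answer's starting profile allows read and write on every node under /dev. As an added example (not code from the original post), this sketch has the launcher script check the two device paths and generate a profile limited to exactly those nodes, passed with sandbox-exec -p. The function names and the /dev/diskN naming are assumptions, and as the answer says of its own profile, dd may need further allowances.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumption: disks appear as /dev/diskN, /dev/diskNsM, or the raw /dev/rdisk* forms.

# Succeeds only for a bare disk or slice node. Because the whole string must match,
# spaces, quotes, newlines and "../" are rejected, so the value is safe to place
# inside the profile text and on the dd command line.
is_disk_node() {
    rest=${1#/dev/disk}
    [ "$rest" = "$1" ] && rest=${1#/dev/rdisk}
    [ "$rest" = "$1" ] && return 1            # neither prefix matched
    case "$rest" in
        ''|*[!0-9s]*|s*|*s|*s*s*) return 1 ;; # digits with at most one inner "s"
    esac
}

# Prints a profile that grants read on the source and write on the target only,
# instead of read/write on everything matching ^/dev/.*$.
build_profile() {
    is_disk_node "$1" && is_disk_node "$2" || return 1
    [ "$1" != "$2" ] || return 1              # never read and write the same node
    cat <<EOF
(version 1)
(deny default)
(import "system.sb")
(allow process-exec (literal "/bin/dd"))
(allow file-read-data file-ioctl (literal "$1"))
(allow file-write-data file-ioctl (literal "$2"))
EOF
}

# Runs dd under the generated profile; each operand is its own argument.
run_dd() {
    profile=$(build_profile "$1" "$2") || { echo "refusing: bad device path" >&2; return 1; }
    sandbox-exec -p "$profile" /bin/dd if="$1" of="$2"
}

if [ "$#" -eq 2 ]; then run_dd "$1" "$2"; fi
```

Run with a root-owned launcher, the validation matters as much as the sandbox: the paths come from the unprivileged app, so they are checked before they reach either the profile or dd.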
