写作与SMJobBless特权辅助工具() [英] Writing a privileged helper tool with SMJobBless()
问题描述
虽然因为Mac OS X Leopard中的API已经开放,有奇怪的是,并就如何正确使用遗憾的是,很少的文档 SMJobBless()创建特权帮手工具。有很多的陷阱,直接从苹果的示例项目复制code时也是如此。幸运的是,我发现我的身边这种方式,并已经得到了基础,帮助我的工具的工作。
Even though the API has been open since Mac OS X Leopard, there's surprisingly, and unfortunately, very little documentation on how to correctly use SMJobBless() for creating privileged helper tools. There are a lot of gotchas, even when copying code directly from Apple's sample project. Luckily, I've found my way around this, and have gotten the basis for my helper tool working.
不过,它似乎 SMJobBless()只能祝福的工具,并将其复制过来,但不运行它。我已经包括code在我的帮助工具的的main()函数应的运行,但不会(因为的NSLog()莫名其妙地没有对信息的点点工作,根据-I 有无的发现 - 我试过的syslog() ING一些Hello World的字符串类型,但没有出现在系统控制台上)。有没有迹象表明辅助工具是在所有已推出。结果
该文档是大多无用。它只是说,经过 SMJobBless()被调用时,辅助工具是就绪,没有指出什么准备好,甚至手段。
However, it would seem that SMJobBless() only blesses the tool and copies it over, but doesn't run it. I've included code in my helper tool's main() function that should run, but doesn't (since NSLog() inexplicably doesn't work–according to the tiny bit of information I have found–I've tried syslog()ing some "Hello world" type strings, but nothing appears on the system console). There's no indication that the helper tool is launched at all.
The documentation is mostly useless. It simply says that after SMJobBless() is called, the helper tool is 'ready', with no indication of what 'ready' even means.
此外,苹果的样品不包括任何的进程间通信code和不能解释一个应该如何用辅助工具进行交互。你使用分布式对象?马赫端口?谁知道?有一个关于如何做到这一点并没有官方消息。
Furthermore, Apple's sample doesn't include any interprocess communication code, and doesn't explain how one is supposed to interact with the helper tool. Do you use Distributed Objects? Mach ports? Who knows? There's no official word on how to do it.
因此,没有人对如何完成这件事的任何信息?我已经证实了辅助工具安装和认证工作,但我根本无法弄清楚如何启动辅助工具,与它交流 - 有简单的文档,这是一个谜,现在在这样一个差距。这是非常令人沮丧;我不能成为的只有的一位与此问题(但有它的很少提及的随时随地的),和 SMJobBless()明明工作的不知何故的,因为它是苹果公司使用。
So, does anyone have any information on how to get this done? I've confirmed that the helper tool is installed, and authentication works, but I simply can't figure out how to launch the helper tool and communicate with it - there's simply such a gap in the documentation that this is a mystery for now. It's very frustrating; I can't be the only one with this problem (but there's little mention of it anywhere), and SMJobBless() obviously works somehow, since it's what Apple uses.
(请不要提 AuthorizationExecuteWithPrivileges()我不使用它。这是德precated,一定要离开,而且是一个重大的安全洞。不,谢谢。)
(Please don't mention AuthorizationExecuteWithPrivileges(). I'm not using it: it's deprecated, sure to go away, and is a major security hole. No thanks.)
推荐答案
XPC是不是,如果你想提升权限(从<一个选项href=\"https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html\">https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html):
XPC isn't an option if you're trying to elevate privileges (from https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html):
在默认情况下,XPC服务在最受限制的环境中运行
可能-沙箱以最小的文件系统访问,网络访问和
等等。提升服务的特权,根不支持。
By default, XPC services are run in the most restricted environment possible—sandboxed with minimal filesystem access, network access, and so on. Elevating a service’s privileges to root is not supported.
SMJobBless将安装一个辅助工具,用的launchd注册它,如苹果提供的SMJobBless例子。诀窍,让你的助手工具,实际上推出是简单地尝试连接到你的助手工具的广告的服务。
SMJobBless will install a helper tool and register it with Launchd, as in the SMJobBless example provided by Apple. The trick to getting your helper tool to actually launch is to simply attempt to connect to your helper tool's advertised services.
有 SSD A WWDC2010例子称那证明通过套接字一个简单的launchd的客户机/服务器模型。这不是从苹果不再,但我发现这里链接:<一个href=\"http://lists.apple.com/archives/macnetworkprog/2011/Jul/msg00005.html\">http://lists.apple.com/archives/macnetworkprog/2011/Jul/msg00005.html
There was a WWDC2010 example called ssd that demonstrated a simple launchd client/server model via sockets. It's not available from Apple any longer, but I've found a link here: http://lists.apple.com/archives/macnetworkprog/2011/Jul/msg00005.html
我已经纳入调度队列服务器code处理从SSD到例如辅助工具在SMJobBless例子,可以证实,我的助手工具确实运行(作为root)时,我的主要的应用程序将尝试连接相应的端口上。参见launchd会在WWDC2010视频,了解与您可以与您的辅助工具(比其他的插座)通信的其他机制
I've incorporated the dispatch queue handling in the server code from the ssd example into the helper tool in the SMJobBless example and can confirm that my helper tool is indeed running (as root) when my main app attempts a connection on the appropriate port. See the WWDC2010 video on Launchd to understand the other mechanisms with which you can communicate with your helper tool (other than sockets).
我不知道我可以合法地重新发布修改后的资源我有,但它应该是相当简单合并两个项目,让你的助手工具的运行。
I'm not sure I can legally redistribute the modified sources I have, but it should be fairly straightforward to merge the two projects and get your helper tool running.
编辑:这是一个例子项目中,我写了一个使用分布式对象的应用程序和助手之间的通信:<一href=\"http://dl.dropbox.com/u/463624/Elevator.zip\">http://dl.dropbox.com/u/463624/Elevator.zip
Here is an example project I wrote that uses a distributed object for communication between the app and helper: http://dl.dropbox.com/u/463624/Elevator.zip
这篇关于写作与SMJobBless特权辅助工具()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
