I am writing an application on OSX by using Qt C++ that needs root privilege.
I believe I can get these needed privilege by displaying a dialog box prompting user name and password, something like this in XAMPP:
How this can be done? Am I have to build the form manually then use setuid, or is there already built in function on the SDK?
Originally, Apple provided a function 'AuthorizationExecuteWithPrivileges' that allowed an application to launch another with root privileges. This has since been deprecated for security reasons.
The dialog here is a bit misleading. Apple provides authorization services that launches the dialog under various different situations, but usually from an application having called the function AuthorizationCopyRights, after having setup rules in an authorization database (the file at /etc/authorization) and having created the Authorization reference with AuthorizationCreate.
Security on OSX is split between a security daemon, a security agent and applications. An application can restrict features using this system, or request authorisation for the user to enter credentials so it can launch a privileged application, which is what you need to do.
It's important to note that the dialog has not been presented by the application, but by the Security Agent, which is solely responsible for the security GUI. The daemon actually processes the authorization.
Apple's method for elevation is to have all applications run with Standard User rights and should a privileged task be required, then this must be factored out into a separate application which is registered to run with launchd and given the elevated privileges. The example Apple provides is SMJobBless.
While the calling code of the example is written in Objective-C, the important functions are just C functions in the SMJobBlessAppController.m file, most notably AuthorizationCreate to create an authorisation reference and the code in the Objective-C function blessHelperWithLabel:error: at the bottom of the file.
Begin with this help document on SMJobBless, which details the process.
Finally, if you're using Qt, you'll need to include Apple's Security framework for the required function calls. To do that, just add the following to your .pro file: -
QMAKE_LFLAGS += -F /System/Library/Frameworks/Security.framework/
LIBS += -framework Security
Related
I wrote a websocket server program running on Windows service.According to project needs, a DLL is called. This DLL needs to read my computer shagn a file under my document.However, the windows service program called DLL can succeed, but DLL failed to read the file under my document. When the server is not running as the windows service, DLL can read the files under my document successfully. I'm so depressed, I don't know why.Who can help me.Thank you
When several users using the same PC, each regular user have a My Document dir, and can't access other user's My Document.
When You run a service, it run by default as Local System or Local Service which are restrict users, and doesn't have access to your My Document dir.
You must think: how the service can choose from all other users in your PC which is the user it should take the file from?
The simple solution is to run the service as your user. You can try it manually by open the service Properties (on services, right click and choose Properties, or double click), choose Log On tab, and fill the acount username and password to your username and password.
A real solution is to place the file in a fixed place, like %LocalAppData%\AppName, not depending on any user.
I started using Eclipse with TFS (Team Foundation Server) to control file versions, but now I need to control the build/compile access. The idea is similar to the version control system, but it is now related to the project and machines.
Is there a way to control/deny the compilation of specific files with a plugin or not inside Eclipse?
It seems what you want is to manage users to access the project. You can add the users to the Readers group or set permission for a single user.
Check this article for more details:
https://msdn.microsoft.com/en-us/library/ms252477.aspx
If you are asking about permissions to repositories, VisualSVN Server fully supports path-based authorization and you can manage it through VisualSVN Server Manager console, Windows PowerShell and Repository Configurator tool.
Read the article KB33 | Understanding VisualSVN Server authorization to learn more about the permissions.
BTW, I second #alroc's comment:
Why would one use a version control system to control what source
files are compiled in the build process?
It seems to me that you are planning to use some awkward approach to control your builds. How does built relate to your version-control system? You should tell the build machine which projects and how to build them. Version control system can only control the authorization part in this case.
Is there a way in C++ to set the Windows system proxy with authentication credentials so it would affect all running programs(browsers, etc...) immediatly but:
Not requiring restarting any browser
Not requiring browser-reauthentication
I am looking really for a system level pre-authenticated proxy.
Thank you for any help. Ask any questions if something is unclear.
Using: c++11, Windows 7
EDIT 1: I need to set this programmatically, so please do not suggest any manual actions.
EDIT 2: Partially acceptable is a way how to set proxy programmatically without pre-authentication but still keeping 1. requirement (Not requiring restarting any browser)
System-level proxy settings are located in registry under \Software\Microsoft\Windows\CurrentVersion\Internet Settings hive in HKLM for all users and HKCU hive for current user.
There is an official instruction how to change it via REG file, you does not need to write any code.
But the main problem is: any application may have its own proxy settings, where it 1) can prefer system level settings but allow to override it by user, 2) not using system settings at all.
In corporate environments this problem solves as:
Internet gateway not allowed directly access to external network any computer except proxy server (Microsoft ISA/Forefront Web Proxy)
Proxy settings in registry are forced to all computers via Group Policies
If user need to run application which can not use system-wide proxy settings - it need to install ISA Firewall Client which intercepts all traffic and authenticate it on the ISA proxy.
So when you use full Microsoft software stack - you still not need to write any code :-)
Moreover, ISA Firewall Client uses undocumented Windows features and it will be too hard to write something to replace it with your own "C++11" skills.
This is on Mac 10.8
I have written Google Chrome Extension and a Native Messaging executable which communicates with the Chrome Extension using Native Messaging. All works fine with my Proof of Concept as part of development.
Issue is that now I want to get it deployed.
I have my in house installer which by which I need to create a com.my_company.my_product.json manifest file inside of this /Library/Google/Chrome/NativeMessagingHosts directory which cannot be accessed unless I ask for the password of the admin user.
I am doing this port as part of migration of NPPlugin to Chrome Extension Native messaging communication which will replace the NPPlugin. NPPlugin can be accessed from both /Library as well as ~/Library which does not require sudo permissions.
Why does the manifest file need to be at root /Library level ad not user ~/library level? If so how can we get this installed on a Mac without bothering the user with admin password which the user will obviously be less likely to share.
If anyone has a solution, the Native Executable is a C++ program that can use Mac API calls.
Your understanding is correct. The Chromium team is investigating user directories as an additional option. Ensuring continuing security is the primary concern. I'll update this answer when there's more to report. (Update 6/1/2014: see Rob W.'s comment to this answer)
I'm building an app that will run on our network for job tracking with two user levels, one for general users and one for administrators.
How are user systems usually implemented in Qt? For example, how are user state and user roles handled? Should I just include a C++ class and set these types of things as properties within that class, or are there established and well documented "best practices" for implementing user systems within Qt?
I also need to be able to share user state and role among various classes. For example, the menu class needs to know the user state & role to know what items to display.
Any help is appreciated!
What you are asking for doesn't make sense in terms of Qt on it's own. Qt is a framework for local client apps. The Qt application displays it's information to only 1 user at a time on one display / desktop at a time.
You framed the question in terms of a networked job tracking application. Lets assume this implies there is some sort of job tracking server. Likewise, let's assume you are writing a client for this server application in Qt. In this model you could let the Qt application login to the server using credentials provided by the user. Then it would be the server's job to tell you whether the user is who they claim to be and what role they have and to enforce any security restrictions.
Since you say you are familiar with web applications, lets draw an analogy. Qt is intended to provide you the tools to write the web browser only; you would still need to provide the the web server and web application to run within it. Thus
Qt application is to web browser as X is to web server.
You have to provide "X", and that is where you implement the user system.
Of course Qt does provide basic support stuff like network sockets, but on it's own I don't think it's well suited to writing a server application.