int main(int argc, char **argv) { char mypath[MAXPATHLEN]; unsigned long mypath_size= sizeof(mypath); OSStatus status; AuthorizationRef auth; int bytesRead; BrokerCtlCommand command; if (_NSGetExecutablePath(mypath, &mypath_size) < 0) { DEBUG("could not get my path"); exit(BrokerCtlCommandInternalError); } AuthorizationExternalForm extAuth; // read bytestream with Auth data if (read(0, &extAuth, sizeof(extAuth)) != sizeof(extAuth)) exit(BrokerCtlCommandInternalError); // bytestream --*poof*--> auth if (AuthorizationCreateFromExternalForm(&extAuth, &auth)) exit(BrokerCtlCommandInternalError); // if we're not being ran as root, spawn a copy that will make us suid root if (geteuid() != 0) { printf("I'm not suided\n"); exit(-1); } /* Read a command object from stdin. */ bytesRead = read(0, &command, sizeof(BrokerCtlCommand)); if (bytesRead == sizeof(BrokerCtlCommand)) { const char *rightName = rightNameForCommand(&command); AuthorizationItem right = { rightName, 0, NULL, 0 } ; AuthorizationRights rights = { 1, &right }; AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; if (status = AuthorizationCopyRights(auth, &rights, kAuthorizationEmptyEnvironment, flags, NULL)) { DEBUG("failed authorization in helper: %ld.\n", status); exit(BrokerCtlCommandAuthFailed); } /* Peform the requested command */ if (!performCommand(&command)) exit(BrokerCtlCommandOperationFailed); } else { exit(BrokerCtlCommandChildError); } return BrokerCtlCommandSuccess; }
static OSStatus GetAuthorization (void) { static Boolean sIsAuthorized = false; AuthorizationRights ourAuthRights; AuthorizationFlags ourAuthFlags; AuthorizationItem ourAuthRightsItem[RIGHTS_COUNT]; AuthorizationEnvironment ourAuthEnvironment; AuthorizationItem ourAuthEnvItem[1]; char prompt[] = "BOINC needs to have certain permissions set up.\n\n"; OSStatus err = noErr; if (sIsAuthorized) return noErr; ourAuthRights.count = 0; ourAuthRights.items = NULL; err = AuthorizationCreate (&ourAuthRights, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &gOurAuthRef); if (err != noErr) { ShowSecurityError("AuthorizationCreate returned error %d", err); return err; } ourAuthRightsItem[0].name = kAuthorizationRightExecute; ourAuthRightsItem[0].value = dsclPath; ourAuthRightsItem[0].valueLength = strlen (dsclPath); ourAuthRightsItem[0].flags = 0; ourAuthRightsItem[1].name = kAuthorizationRightExecute; ourAuthRightsItem[1].value = chmodPath; ourAuthRightsItem[1].valueLength = strlen (chmodPath); ourAuthRightsItem[1].flags = 0; ourAuthRightsItem[2].name = kAuthorizationRightExecute; ourAuthRightsItem[2].value = chownPath; ourAuthRightsItem[2].valueLength = strlen (chownPath); ourAuthRightsItem[2].flags = 0; ourAuthRights.count = RIGHTS_COUNT; ourAuthRights.items = ourAuthRightsItem; ourAuthEnvItem[0].name = kAuthorizationEnvironmentPrompt; ourAuthEnvItem[0].value = prompt; ourAuthEnvItem[0].valueLength = strlen (prompt); ourAuthEnvItem[0].flags = 0; ourAuthEnvironment.count = 1; ourAuthEnvironment.items = ourAuthEnvItem; ourAuthFlags = kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; // When this is called from the installer, the installer has already authenticated. // In that case we are already running with full root privileges so AuthorizationCopyRights() // does not request a password from the user again. err = AuthorizationCopyRights (gOurAuthRef, &ourAuthRights, &ourAuthEnvironment, ourAuthFlags, NULL); if (err == noErr) sIsAuthorized = true; return err; }
// throw std::exception on error AuthorizationRef & GetAuth() { if (!_auth) { OSStatus res; QString msg = "Safejumper requires to make some modifications to your network settings.\n\n"; QByteArray ba = msg.toUtf8(); AuthorizationItem environmentItems[] = { {kAuthorizationEnvironmentPrompt, ba.size(), (void*)ba.data(), 0}, // {kAuthorizationEnvironmentIcon, iconPathLength, (void*)iconPathC, 0} }; AuthorizationEnvironment myEnvironment = {1, environmentItems}; AuthorizationFlags myFlags = kAuthorizationFlagDefaults; res = AuthorizationCreate(NULL, &myEnvironment, myFlags, &_AuthorizationRef); if (res != errAuthorizationSuccess) throw std::runtime_error(("AuthorizationCreate() fails with result: " + QString::number(res)).toStdString()); AuthorizationItem myItems = {kAuthorizationRightExecute, 0, NULL, 0}; AuthorizationRights myRights = {1, &myItems}; myFlags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | // kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; res = AuthorizationCopyRights(_AuthorizationRef, &myRights, &myEnvironment, myFlags, NULL); if (res != errAuthorizationSuccess) throw std::runtime_error(("AuthorizationCopyRights() fails with result: " + QString::number(res)).toStdString()); _auth = true; } return _AuthorizationRef; }
/** * Execute with administrative rights. */ bool MacUninstallApp::ElevatedUninstall(const wxString &pkg, const wxString &pkgid) { // If we are already root, do the uninstall directly if (geteuid() == 0) return DoUninstall(pkg, pkgid); wxString msg = wxString::Format( _("In order to uninstall %s, administrative rights are required.\n\n"), pkg.c_str()); char *prompt = strdup(msg.utf8_str()); OSStatus st; AuthorizationFlags aFlags = kAuthorizationFlagDefaults; AuthorizationRef aRef; AuthorizationItem promptItem = { kAuthorizationEnvironmentPrompt, strlen(prompt), prompt, 0 }; AuthorizationEnvironment aEnv = { 1, &promptItem }; st = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &aRef); if (errAuthorizationSuccess != st) { ::wxLogError(_("Authorization could not be created: %s"), MacAuthError(st).c_str()); return true; } AuthorizationItem aItems = { kAuthorizationRightExecute, 0, NULL, 0 }; AuthorizationRights aRights = { 1, &aItems }; aFlags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; st = AuthorizationCopyRights(aRef, &aRights, &aEnv, aFlags, NULL ); bool ret = true; if (errAuthorizationSuccess == st) { char *executable = strdup(m_sSelfPath.utf8_str()); char *args[] = { "--batch", NULL }; FILE *pout = NULL; if (!::wxGetEnv(wxT("TMPDIR"), NULL)) ::wxSetEnv(wxT("TMPDIR"), wxFileName::GetTempDir()); ::wxSetEnv(wxT("MACUNINST_ELEVATION_PID"), wxString::Format(wxT("%d"), ::wxGetProcessId())); st = AuthorizationExecuteWithPrivileges(aRef, executable, kAuthorizationFlagDefaults, args, &pout); if (errAuthorizationSuccess == st) { int status; fscanf(pout, "%d %lu %lu", &status, &failed_files, &failed_dirs); ret = (0 == status); } else ::wxLogError(_("Could not execute with administrative rights:\n%s"), MacAuthError(st).c_str()); } else { if (st) { m_bCancelled = (errAuthorizationCanceled == st); if (!m_bCancelled) ::wxLogError(_("Authorization failed: %s"), MacAuthError(st).c_str()); } } AuthorizationFree(aRef, kAuthorizationFlagDefaults); return ret; }
// Based on http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/03authtasks/authtasks.html#//apple_ref/doc/uid/TP30000995-CH206-TPXREF33 // Note that I tried to implement this in managed code using p/invokes, but I kept // getting kPOSIXErrorENOENT errors on the call to AuthorizationCreate. Not sure // why but opensnoop shows very different behavior between the managed and // unmanaged code. int main(int argc, char* argv[]) { OSStatus err; AuthorizationRef cookie; err = AuthorizationCreate( NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &cookie); if (err != errAuthorizationSuccess) { fprintf(stderr, "AuthorizationCreate failed with error %ld\n", err); return err; } do { { AuthorizationItem items = {kAuthorizationRightExecute, 0, NULL, 0}; AuthorizationRights rights = {1, &items}; AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; err = AuthorizationCopyRights(cookie, &rights, NULL, flags, NULL); if (err != errAuthorizationSuccess) { fprintf(stderr, "AuthorizationCopyRights failed with error %ld\n", err); break; } } { char* args[] = {argv[1], argv[2], NULL}; err = AuthorizationExecuteWithPrivileges( cookie, "/bin/cp", kAuthorizationFlagDefaults, args, NULL); if (err != errAuthorizationSuccess) { fprintf(stderr, "AuthorizationExecuteWithPrivileges failed with error %ld\n", err); break; } } } while (0); AuthorizationFree(cookie, kAuthorizationFlagDefaults); return err; }
JNIEXPORT jboolean JNICALL Java_com_five_onair_server_utils_FileUtils_copyDirectoryLikeRoot (JNIEnv *env, jclass m_class, jstring _from, jstring _dest){ OSStatus myStatus; AuthorizationFlags myFlags = kAuthorizationFlagDefaults; // 1 AuthorizationRef myAuthorizationRef; // 2 myStatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, // 3 myFlags, &myAuthorizationRef); if (myStatus != errAuthorizationSuccess) return myStatus; AuthorizationItem myItems = {kAuthorizationRightExecute, 0,NULL, 0}; AuthorizationRights myRights = {1, &myItems}; // myFlags = kAuthorizationFlagDefaults | // 6 kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; myStatus = AuthorizationCopyRights (myAuthorizationRef, &myRights, NULL, myFlags, NULL ); if (myStatus == errAuthorizationSuccess){ char *from = NULL,*dest = NULL,*flag=NULL; strcpy(from, env->GetStringUTFChars(_from, NULL)); strcpy(dest, env->GetStringUTFChars(_dest, NULL)); strcpy(flag, "-r"); char myToolPath[] = "/bin/cp"; char *myArguments[] = { flag, from, dest, NULL }; FILE *myCommunicationsPipe = NULL; myFlags = kAuthorizationFlagDefaults; // 8 myStatus = AuthorizationExecuteWithPrivileges(myAuthorizationRef, myToolPath, myFlags, myArguments,&myCommunicationsPipe); if (myStatus == errAuthorizationSuccess){ return true; } return false; } AuthorizationFree (myAuthorizationRef, kAuthorizationFlagDefaults); // 10 }
/* * Launches an executable as root on MacOS X. * * The executable and arguments must be provided on the command line. * * This code is heavily inspired from the example at * http://developer.apple.com/documentation/Security/Conceptual/authorization_concepts/03authtasks/chapter_3_section_4.html * */ int main(int argc, const char** argv) { // Check that we have enough arguments if (argc < 3) { return -1; } // Grab an authorization reference OSStatus status; AuthorizationFlags flags = kAuthorizationFlagDefaults; AuthorizationRef authRef; status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, flags, &authRef); if (status != errAuthorizationSuccess) { return status; } // Set up the authorization rights AuthorizationItem authItems = { kAuthorizationRightExecute, 0, NULL, 0 }; AuthorizationRights authRights = { 1, &authItems }; flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; status = AuthorizationCopyRights(authRef, &authRights, NULL, flags, NULL); if (status != errAuthorizationSuccess) { return status; } // Prepare the executable + arguments, from the command-line arguments int i; const char* executable = argv[1]; char** arguments = (char**) malloc(sizeof(char*) * (argc - 1)); for (i = 0; i < (argc - 2); ++i) { arguments[i] = (char*) argv[i + 2]; } arguments[argc - 2] = NULL; // Run! flags = kAuthorizationFlagDefaults; status = AuthorizationExecuteWithPrivileges(authRef, executable, flags, arguments, NULL); if (status != errAuthorizationSuccess) { return status; } // Cleanup AuthorizationFree(authRef, kAuthorizationFlagDefaults); return 0; }
Bool Id_AuthCheck(char const *right, // IN char const *localizedDescription, // IN: UTF-8 Bool showDialogIfNeeded) // IN { AuthorizationRef auth; AuthorizationItem rightsItems[1] = { { 0 } }; AuthorizationRights rights; AuthorizationItem environmentItems[1] = { { 0 } }; AuthorizationEnvironment environmentWithDescription = { 0 }; const AuthorizationEnvironment *environment = kAuthorizationEmptyEnvironment; auth = IdAuthGet(); if (!auth) { return FALSE; } rightsItems[0].name = right; rights.items = rightsItems; rights.count = ARRAYSIZE(rightsItems); /* * By default, the API displays a dialog saying "APPLICATIONNAME * requires that you type your password" (if you're an admin; the * message is different if you're not). * * If the localized description is present, the API uses that * description and appends a space followed by the above string. */ if (localizedDescription) { environmentItems[0].name = kAuthorizationEnvironmentPrompt; environmentItems[0].valueLength = strlen(localizedDescription); environmentItems[0].value = (void *)localizedDescription; environmentWithDescription.items = environmentItems; environmentWithDescription.count = ARRAYSIZE(environmentItems); environment = &environmentWithDescription; } /* * TODO: Is this actually thread-safe when multiple threads act on * the same AuthorizationRef? Apple's documentation doesn't * actually say whether it is or is not. */ return AuthorizationCopyRights(auth, &rights, environment, (showDialogIfNeeded ? kAuthorizationFlagInteractionAllowed | kAuthorizationFlagDefaults : kAuthorizationFlagDefaults) | kAuthorizationFlagExtendRights, NULL) == errAuthorizationSuccess; }
bool taskport_auth(void) { OSStatus stat; AuthorizationItem taskport_item[] = {{"system.privilege.taskport:"}}; AuthorizationRights rights = {1, taskport_item}, *out_rights = NULL; AuthorizationRef author; AuthorizationFlags auth_flags = kAuthorizationFlagExtendRights | kAuthorizationFlagPreAuthorize | kAuthorizationFlagInteractionAllowed | (1 << 5); stat = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, auth_flags, &author); if(stat != errAuthorizationSuccess) { return false; } stat = AuthorizationCopyRights(author, &rights, kAuthorizationEmptyEnvironment, auth_flags, &out_rights); if(stat != errAuthorizationSuccess) { return false; } return true; }
bool create_symlinks() { AuthorizationFlags flags = kAuthorizationFlagDefaults; AuthorizationRef ref; OSStatus status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, flags, &ref); if (status != errAuthorizationSuccess) return false; AuthorizationItem items = {kAuthorizationRightExecute, 0, NULL, 0}; AuthorizationRights rights = { 1, &items }; flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; status = AuthorizationCopyRights(ref, &rights, NULL, flags, NULL); if (status != errAuthorizationSuccess) { AuthorizationFree(ref, kAuthorizationFlagDefaults); return false; } std::string bundlePath = mitsuba::__mts_bundlepath(); std::string path = bundlePath + "/Contents/MacOS/symlinks_install"; std::ostringstream oss; oss << getuid(); std::string uid = oss.str(); char *args[] = { const_cast<char *>(bundlePath.c_str()), const_cast<char *>(uid.c_str()), NULL }; FILE *pipe = NULL; flags = kAuthorizationFlagDefaults; status = AuthorizationExecuteWithPrivileges(ref, const_cast<char *>(path.c_str()), flags, args, &pipe); if (status != errAuthorizationSuccess) { AuthorizationFree(ref, kAuthorizationFlagDefaults); return false; } char buffer[128]; for (;;) { int bytesRead = read(fileno(pipe), buffer, sizeof(buffer)); if (bytesRead<1) break; write(fileno(stdout), buffer, bytesRead); } AuthorizationFree(ref, kAuthorizationFlagDefaults); return true; }
inline Bool16 OSXAuthenticate(StrPtrLen *keyStrPtr) { #if __MacOSX__ // Authorization: AuthRef QWxhZGRpbjpvcGVuIHNlc2FtZQ== Bool16 result = false; if (keyStrPtr == NULL || keyStrPtr->Len == 0) return result; char *encodedKey = keyStrPtr->GetAsCString(); OSCharArrayDeleter encodedKeyDeleter(encodedKey); char *decodedKey = NEW char[Base64decode_len(encodedKey) + 1]; OSCharArrayDeleter decodedKeyDeleter(decodedKey); (void) Base64decode(decodedKey, encodedKey); AuthorizationExternalForm *receivedExtFormPtr = (AuthorizationExternalForm *) decodedKey; AuthorizationRef receivedAuthorization; OSStatus status = AuthorizationCreateFromExternalForm(receivedExtFormPtr, &receivedAuthorization); if (status != errAuthorizationSuccess) return result; status = AuthorizationCopyRights(receivedAuthorization, &sRightSet, kAuthorizationEmptyEnvironment, kAuthorizationFlagExtendRights , NULL); if (status == errAuthorizationSuccess) { result = true; } AuthorizationFree(receivedAuthorization, kAuthorizationFlagDestroyRights); return result; #else return false; #endif }
//private operations jboolean executeCommandWithRoot(char *tool_path,char **arguments){ OSStatus myStatus; AuthorizationFlags myFlags = kAuthorizationFlagDefaults; // 1 AuthorizationRef myAuthorizationRef; // 2 myStatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, // 3 myFlags, &myAuthorizationRef); if (myStatus != errAuthorizationSuccess) return myStatus; AuthorizationItem myItems = {kAuthorizationRightExecute, 0,NULL, 0}; AuthorizationRights myRights = {1, &myItems}; // myFlags = kAuthorizationFlagDefaults | // 6 kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; myStatus = AuthorizationCopyRights (myAuthorizationRef, &myRights, NULL, myFlags, NULL ); if (myStatus == errAuthorizationSuccess){ FILE *myCommunicationsPipe = NULL; myFlags = kAuthorizationFlagDefaults; // 8 myStatus = AuthorizationExecuteWithPrivileges(myAuthorizationRef, tool_path, myFlags, arguments,&myCommunicationsPipe); AuthorizationFree (myAuthorizationRef, kAuthorizationFlagDefaults); if (myStatus == errAuthorizationSuccess){ return JNI_TRUE; } return JNI_FALSE; } AuthorizationFree (myAuthorizationRef, kAuthorizationFlagDefaults); return JNI_FALSE; }
STATIC Boolean authorization_is_valid(const void * auth_data, int auth_data_length) { AuthorizationExternalForm * auth_ext_p; AuthorizationRef authorization; AuthorizationFlags flags; AuthorizationItem item; AuthorizationRights rights; OSStatus status; if (auth_data == NULL || auth_data_length != sizeof(auth_ext_p->bytes)) { syslog(LOG_ERR, "eapolcfg_auth: authorization NULL/invalid size"); return (FALSE); } auth_ext_p = (AuthorizationExternalForm *)auth_data; status = AuthorizationCreateFromExternalForm(auth_ext_p, &authorization); if (status != errAuthorizationSuccess) { syslog(LOG_ERR, "eapolcfg_auth: authorization is invalid (%d)", (int)status); return (FALSE); } rights.count = 1; rights.items = &item; item.name = "system.preferences"; item.value = NULL; item.valueLength = 0; item.flags = 0; flags = kAuthorizationFlagDefaults; flags |= kAuthorizationFlagExtendRights; flags |= kAuthorizationFlagInteractionAllowed; status = AuthorizationCopyRights(authorization, &rights, kAuthorizationEmptyEnvironment, flags, NULL); AuthorizationFree(authorization, kAuthorizationFlagDefaults); return (status == errAuthorizationSuccess); }
// // Perform update authorization processing. // Throws an exception if authorization is denied. // static void authorizeUpdate(SecAssessmentFlags flags, CFDictionaryRef context) { AuthorizationRef authorization = NULL; if (context) if (CFTypeRef authkey = CFDictionaryGetValue(context, kSecAssessmentUpdateKeyAuthorization)) if (CFGetTypeID(authkey) == CFDataGetTypeID()) { CFDataRef authdata = CFDataRef(authkey); MacOSError::check(AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)CFDataGetBytePtr(authdata), &authorization)); } if (authorization == NULL) MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorization)); AuthorizationItem right[] = { { "com.apple.security.assessment.update", 0, NULL, 0 } }; AuthorizationRights rights = { sizeof(right) / sizeof(right[0]), right }; MacOSError::check(AuthorizationCopyRights(authorization, &rights, NULL, kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL)); MacOSError::check(AuthorizationFree(authorization, kAuthorizationFlagDefaults)); }
bool launcherApplication::Elevate(const StringArray& commandLineArray) { #if defined(JUCE_LINUX) || defined(JUCE_BSD) if (geteuid() == 0) { return true; } String parameters("--user root /usr/bin/env "); const char *var = getenv("DISPLAY"); if (var) { String s("DISPLAY=" + String(var).quoted()); parameters += s + " "; } var = getenv("XAUTHORITY"); if (var) { String s("XAUTHORITY=" + String(var).quoted()); parameters += s + " "; } String launcher(File::getSpecialLocation( File::currentExecutableFile).getFullPathName()); if (launcher.contains(" ")) { launcher = launcher.quoted(); } parameters += String(" ") + launcher; for (int i = 0; i < commandLineArray.size(); i++) { parameters += " "; if (commandLineArray[i].contains(" ")) parameters += commandLineArray[i].quoted(); else parameters += commandLineArray[i]; } File pkexec("/usr/bin/pkexec"); if (pkexec.exists() && pkexec.startAsProcess(parameters)) { quit(); } pkexec = "/usr/local/bin/pkexec"; if (pkexec.exists() && pkexec.startAsProcess(parameters)) { quit(); } #elif defined(JUCE_WINDOWS) BOOL fIsRunAsAdmin = FALSE; DWORD dwError = ERROR_SUCCESS; PSID pAdministratorsGroup = NULL; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup)) { dwError = GetLastError(); goto cleanup; } if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin)) { dwError = GetLastError(); goto cleanup; } cleanup: if (pAdministratorsGroup) { FreeSid(pAdministratorsGroup); pAdministratorsGroup = NULL; } if (dwError != ERROR_SUCCESS) { throw dwError; } if (fIsRunAsAdmin) { return true; } TCHAR szPath[MAX_PATH]; if (!GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath))) { dwError = GetLastError(); throw dwError; } String commandLine; for (int i = 0; i < commandLineArray.size(); i++) { if (commandLineArray[i].contains(" ")) { commandLine += String("\"") + commandLineArray[i] + String("\""); } else { commandLine += commandLineArray[i]; } if (i + 1 < commandLineArray.size()) { commandLine += " "; } } SHELLEXECUTEINFO sei = { 0 }; sei.cbSize = sizeof(SHELLEXECUTEINFO); sei.lpVerb = _T("runas"); sei.lpFile = szPath; sei.lpParameters = commandLine.toUTF8(); sei.nShow = SW_NORMAL; if (ShellExecuteEx(&sei)) { _exit(1); } #elif defined(JUCE_MAC) if (geteuid() == 0) { return true; } String launcher(File::getSpecialLocation( File::currentExecutableFile).getFullPathName()); const char * execpath = launcher.toRawUTF8(); char * args[] = { NULL }; OSStatus err; AuthorizationRef ref; AuthorizationFlags flags; flags = kAuthorizationFlagDefaults; err = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, flags, &ref); if ( err != errAuthorizationSuccess ) { quit(); } AuthorizationItem _temp = { kAuthorizationRightExecute, 0, NULL, 0 }; AuthorizationRights rights = { 1, &_temp }; flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; err = AuthorizationCopyRights(ref, &rights, NULL, flags, NULL); if ( err != errAuthorizationSuccess ) { AuthorizationFree(ref, kAuthorizationFlagDefaults); quit(); } flags = kAuthorizationFlagDefaults; err = AuthorizationExecuteWithPrivileges(ref, execpath, flags, args, NULL); AuthorizationFree(ref, kAuthorizationFlagDefaults); // Probably overkill. if ( err != errAuthorizationSuccess ) { quit(); } #endif // JUCE_MAC return false; }
static int /* O - 0 if available */ /* 1 if not available */ /* -1 error */ cups_local_auth(http_t *http) /* I - HTTP connection to server */ { #if defined(WIN32) || defined(__EMX__) /* * Currently WIN32 and OS-2 do not support the CUPS server... */ return (1); #else int pid; /* Current process ID */ FILE *fp; /* Certificate file */ char trc[16], /* Try Root Certificate parameter */ filename[1024]; /* Certificate filename */ _cups_globals_t *cg = _cupsGlobals(); /* Global data */ # if defined(HAVE_AUTHORIZATION_H) OSStatus status; /* Status */ AuthorizationItem auth_right; /* Authorization right */ AuthorizationRights auth_rights; /* Authorization rights */ AuthorizationFlags auth_flags; /* Authorization flags */ AuthorizationExternalForm auth_extrn; /* Authorization ref external */ char auth_key[1024]; /* Buffer */ char buffer[1024]; /* Buffer */ # endif /* HAVE_AUTHORIZATION_H */ DEBUG_printf(("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"", http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname)); /* * See if we are accessing localhost... */ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) { DEBUG_puts("8cups_local_auth: Not a local connection!"); return (1); } # if defined(HAVE_AUTHORIZATION_H) /* * Delete any previous authorization reference... */ if (http->auth_ref) { AuthorizationFree(http->auth_ref, kAuthorizationFlagDefaults); http->auth_ref = NULL; } if (!getenv("GATEWAY_INTERFACE") && httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", auth_key, sizeof(auth_key))) { status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &http->auth_ref); if (status != errAuthorizationSuccess) { DEBUG_printf(("8cups_local_auth: AuthorizationCreate() returned %d (%s)", (int)status, cssmErrorString(status))); return (-1); } auth_right.name = auth_key; auth_right.valueLength = 0; auth_right.value = NULL; auth_right.flags = 0; auth_rights.count = 1; auth_rights.items = &auth_right; auth_flags = kAuthorizationFlagDefaults | kAuthorizationFlagPreAuthorize | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; status = AuthorizationCopyRights(http->auth_ref, &auth_rights, kAuthorizationEmptyEnvironment, auth_flags, NULL); if (status == errAuthorizationSuccess) status = AuthorizationMakeExternalForm(http->auth_ref, &auth_extrn); if (status == errAuthorizationSuccess) { /* * Set the authorization string and return... */ httpEncode64_2(buffer, sizeof(buffer), (void *)&auth_extrn, sizeof(auth_extrn)); httpSetAuthString(http, "AuthRef", buffer); DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", http->authstring)); return (0); } else if (status == errAuthorizationCanceled) return (-1); DEBUG_printf(("9cups_local_auth: AuthorizationCopyRights() returned %d (%s)", (int)status, cssmErrorString(status))); /* * Fall through to try certificates... */ } # endif /* HAVE_AUTHORIZATION_H */ # if defined(SO_PEERCRED) && defined(AF_LOCAL) /* * See if we can authenticate using the peer credentials provided over a * domain socket; if so, specify "PeerCred username" as the authentication * information... */ if ( # ifdef HAVE_GSSAPI _cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) && # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H !httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", auth_key, sizeof(auth_key)) && # endif /* HAVE_AUTHORIZATION_H */ http->hostaddr->addr.sa_family == AF_LOCAL && !getenv("GATEWAY_INTERFACE")) /* Not via CGI programs... */ { /* * Verify that the current cupsUser() matches the current UID... */ struct passwd *pwd; /* Password information */ const char *username; /* Current username */ username = cupsUser(); if ((pwd = getpwnam(username)) != NULL && pwd->pw_uid == getuid()) { httpSetAuthString(http, "PeerCred", username); DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", http->authstring)); return (0); } } # endif /* SO_PEERCRED && AF_LOCAL */ /* * Try opening a certificate file for this PID. If that fails, * try the root certificate... */ pid = getpid(); snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid); if ((fp = fopen(filename, "r")) == NULL && pid > 0) { /* * No certificate for this PID; see if we can get the root certificate... */ DEBUG_printf(("9cups_local_auth: Unable to open file %s: %s", filename, strerror(errno))); # ifdef HAVE_GSSAPI if (!_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) { /* * Kerberos required, don't try the root certificate... */ return (1); } # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H if (httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", auth_key, sizeof(auth_key))) { /* * Don't use the root certificate as a replacement for an authkey... */ return (1); } # endif /* HAVE_AUTHORIZATION_H */ if (!httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "trc", trc, sizeof(trc))) { /* * Scheduler doesn't want us to use the root certificate... */ return (1); } snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir); fp = fopen(filename, "r"); } if (fp) { /* * Read the certificate from the file... */ char certificate[33], /* Certificate string */ *certptr; /* Pointer to certificate string */ certptr = fgets(certificate, sizeof(certificate), fp); fclose(fp); if (certptr) { /* * Set the authorization string and return... */ httpSetAuthString(http, "Local", certificate); DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", http->authstring)); return (0); } } return (1); #endif /* WIN32 || __EMX__ */ }
static OSStatus acquireticket_ui(KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, KLPrincipal *outPrincipal, char **outCredCacheName) { AuthorizationRef auth; OSStatus ret; char *princ = NULL; CFDataRef d = NULL; LOG_ENTRY(); if (outPrincipal) *outPrincipal = NULL; if (outCredCacheName) *outCredCacheName = NULL; if (inPrincipal) { ret = heim_krb5_unparse_name(milcontext, inPrincipal, &princ); if (ret) return ret; } ret = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &auth); if (ret) { free(princ); return ret; } AuthorizationItem rightItems[1] = { kCoreAuthPanelKerberosRight, 0, NULL, 0 }; AuthorizationRights rights = { sizeof(rightItems[0])/sizeof(rightItems) , rightItems }; AuthorizationItem envItems[3]; AuthorizationEnvironment env = { 0 , envItems }; AuthorizationFlags authFlags = kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; if (princ) { envItems[env.count].name = kCoreAuthPanelKerberosPrincipal; envItems[env.count].valueLength = strlen(princ); envItems[env.count].value = princ; envItems[env.count].flags = 0; env.count++; } if (inLoginOptions && inLoginOptions->opt) { CFMutableDictionaryRef dict; dict = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (dict == NULL) goto out; if (inLoginOptions->opt->renew_life) { CFStringRef t; t = CFStringCreateWithFormat(NULL, 0, CFSTR("%ld"),(long)inLoginOptions->opt->renew_life); CFDictionarySetValue(dict, CFSTR("renewTime"), t); CFRelease(t); } d = CFPropertyListCreateData(NULL, dict, kCFPropertyListBinaryFormat_v1_0, 0, NULL); CFRelease(dict); envItems[env.count].name = kCoreAuthPanelKerberosOptions; envItems[env.count].valueLength = CFDataGetLength(d); envItems[env.count].value = (void *)CFDataGetBytePtr(d); envItems[env.count].flags = 0; env.count++; } ret = AuthorizationCopyRights(auth, &rights, &env, authFlags, NULL); if (ret == 0 && outPrincipal) { AuthorizationItemSet *info; UInt32 i; ret = AuthorizationCopyInfo(auth, NULL, &info); if (ret) goto out; for(i = 0; i < info->count; i++) { if (strcmp(info->items[i].name, "out-principal") == 0) { char *str; asprintf(&str, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value); heim_krb5_parse_name(milcontext, str, outPrincipal); } else if (strcmp(info->items[i].name, "out-cache-name") == 0) { asprintf(outCredCacheName, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value); } } AuthorizationFreeItemSet(info); if (*outPrincipal == NULL) ret = EINVAL; } out: if (d) CFRelease(d); AuthorizationFree(auth, kAuthorizationFlagDestroyRights); free(princ); return ret; }
DAReturn DAAuthorize( DASessionRef session, _DAAuthorizeOptions options, DADiskRef disk, uid_t userUID, gid_t userGID, const char * right ) { DAReturn status; status = kDAReturnNotPrivileged; if ( status ) { if ( ( options & _kDAAuthorizeOptionIsOwner ) ) { uid_t diskUID; diskUID = DADiskGetUserUID( disk ); if ( diskUID == userUID ) { status = kDAReturnSuccess; } } } if ( status ) { AuthorizationRef authorization; authorization = DASessionGetAuthorization( session ); if ( authorization ) { AuthorizationFlags flags; AuthorizationItem item; char * name; AuthorizationRights rights; flags = kAuthorizationFlagExtendRights; if ( ( options & _kDAAuthorizeOptionAuthenticateAdministrator ) ) { flags |= kAuthorizationFlagInteractionAllowed; asprintf( &name, "system.volume.workgroup.%s", right ); } else { if ( DADiskGetDescription( disk, kDADiskDescriptionVolumeNetworkKey ) == kCFBooleanTrue ) { asprintf( &name, "system.volume.network.%s", right ); } else { CFTypeRef object; object = DADiskGetDescription( disk, kDADiskDescriptionDeviceProtocolKey ); if ( object && CFEqual( object, CFSTR( kIOPropertyPhysicalInterconnectTypeVirtual ) ) ) { asprintf( &name, "system.volume.virtual.%s", right ); } else { if ( DADiskGetDescription( disk, kDADiskDescriptionMediaRemovableKey ) == kCFBooleanTrue ) { if ( DADiskGetDescription( disk, kDADiskDescriptionMediaTypeKey ) ) { asprintf( &name, "system.volume.optical.%s", right ); } else { asprintf( &name, "system.volume.removable.%s", right ); } } else { if ( DADiskGetDescription( disk, kDADiskDescriptionDeviceInternalKey ) == kCFBooleanTrue ) { asprintf( &name, "system.volume.internal.%s", right ); } else { asprintf( &name, "system.volume.external.%s", right ); } } } } } if ( name ) { item.flags = 0; item.name = name; item.value = NULL; item.valueLength = 0; rights.count = 1; rights.items = &item; status = AuthorizationCopyRights( authorization, &rights, NULL, flags, NULL ); if ( status ) { status = kDAReturnNotPrivileged; } free( name ); } } } return status; }
int main(int argc, char *argv[]) { OSStatus status; AuthorizationRef auth; char *path; struct stat statbuf; char *typeAsString; AuthorizationExternalForm extAuth; // Is this process running as root? if (geteuid() != 0) { fprintf(stderr, "Not running as root\n"); exit(-1); } // Was there one argument? if (argc != 2) { fprintf(stderr, "Usage: remove_statter <dir>\n"); exit(-1); } // Get the path path = argv[1]; // Read the Authorization "byte blob" from our input pipe. if (fread(&extAuth, sizeof(extAuth), 1, stdin) != 1) { fprintf(stderr, "Unable to read authorization\n"); exit(-1); } // Restore the externalized Authorization back to an AuthorizationRef if (AuthorizationCreateFromExternalForm(&extAuth, &auth)) { fprintf(stderr, "Unable to parse authorization data\n"); exit(-1); } // Create the rights structure AuthorizationItem right = { RIGHT, 0, NULL, 0 }; AuthorizationRights rights = { 1, &right }; AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights; fprintf(stderr, "Tool authorizing right %s for command.\n", RIGHT); // Check the authorization if (status = AuthorizationCopyRights(auth, &rights, kAuthorizationEmptyEnvironment, flags, NULL)) { fprintf(stderr, "Tool failed authorization: %ld.\n", status); exit(-1); } // Stat the path if (stat(path, &statbuf)) { fprintf(stderr, "Unable to stat %s", path); exit(-1); } // Write out stat info if (S_ISDIR(statbuf.st_mode)) typeAsString = "NSFileTypeDirectory"; else typeAsString = "NSFileTypeRegular"; fprintf(stdout, "%s\n%lu", typeAsString, (unsigned long)statbuf.st_size); fclose(stdout); // Terminate exit(0); }
OSStatus SecPasswordAction(SecPasswordRef itemRef, CFTypeRef message, UInt32 flags, UInt32 *length, const void **data) { BEGIN_SECAPI Password passwordRef = PasswordImpl::required(itemRef); void *passwordData = NULL; UInt32 passwordLength = 0; bool gotPassword = false; // no flags has no meaning, and there is no apparent default assert( flags ); // fail can only be combined with get or new assert( (flags & kSecPasswordFail) ? ((flags & kSecPasswordGet) || (flags & kSecPasswordNew)) : true ); // XXX/cs replace this with our CFString->UTF8 conversion const char *messageData = NULL; auto_array<char> messageBuffer; if (message && (CFStringGetTypeID() == CFGetTypeID(message))) { messageData = CFStringGetCStringPtr(static_cast<CFStringRef>(message), kCFStringEncodingUTF8); if (messageData == NULL) { CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(static_cast<CFStringRef>(message)), kCFStringEncodingUTF8) + 1; messageBuffer.allocate(maxLen); if (CFStringGetCString(static_cast<CFStringRef>(message), messageBuffer.get(), maxLen, kCFStringEncodingUTF8)) messageData = messageBuffer.get(); } } if (passwordRef->useKeychain() && !(flags & kSecPasswordNew) && !(flags & kSecPasswordFail)) { // Pull out data and if it's successful return it if (flags & kSecPasswordGet) { // XXX/cs if there are unsaved changes this doesn't work // so doing a Get followed by a Get|Set will do the wrong thing // check mItem whether it's got data if (passwordRef->getData(length, data)) return errSecSuccess; } // User might cancel here, immediately return that too (it will be thrown) } // If we're still here we're not using the keychain or it wasn't there yet // Do the authorization call to get the password, unless only kSecPasswordSet is specified) if ((flags & kSecPasswordNew) || (flags & kSecPasswordGet)) { AuthorizationRef authRef; OSStatus status = AuthorizationCreate(NULL,NULL,0,&authRef); if (status != errSecSuccess) { MacOSError::throwMe(status); } AuthorizationItem right = { NULL, 0, NULL, 0 }; AuthorizationItemSet rightSet = { 1, &right }; uint32_t reason, tries; bool keychain = 0, addToKeychain = 0; if (passwordRef->useKeychain()) { keychain = 1; addToKeychain = passwordRef->rememberInKeychain(); } else { keychain = 0; addToKeychain = 0; } // Get|Fail conceivable would have it enabled, but since the effect is that it will get overwritten // we'll make the user explicitly do it if (flags & kSecPasswordGet) addToKeychain = 0; // turn it off for old items that weren't successfully retrieved from the keychain if (flags & kSecPasswordFail) // set up retry to reflect failure { tries = 1; if (flags & kSecPasswordNew) reason = 34; // passphraseUnacceptable = 34 passphrase unacceptable for some other reason else reason = 21; // invalidPassphrase = 21 passphrase was wrong } else { reason = 0; tries = 0; } if (flags & kSecPasswordNew) // pick new passphrase right.name = "com.apple.builtin.generic-new-passphrase"; else right.name = "com.apple.builtin.generic-unlock"; bool showPassword = false; AuthorizationItem envRights[6] = { { AGENT_HINT_RETRY_REASON, sizeof(reason), &reason, 0 }, { AGENT_HINT_TRIES, sizeof(tries), &tries, 0 }, { AGENT_HINT_CUSTOM_PROMPT, messageData ? strlen(messageData) : 0, const_cast<char*>(messageData), 0 }, { AGENT_HINT_ALLOW_SHOW_PASSWORD, showPassword ? strlen("YES") : strlen("NO"), const_cast<char *>(showPassword ? "YES" : "NO"), 0 }, { AGENT_HINT_SHOW_ADD_TO_KEYCHAIN, keychain ? strlen("YES") : strlen("NO"), const_cast<char *>(keychain ? "YES" : "NO"), 0 }, { AGENT_ADD_TO_KEYCHAIN, addToKeychain ? strlen("YES") : strlen("NO"), const_cast<char *>(addToKeychain ? "YES" : "NO"), 0 } }; AuthorizationItemSet envSet = { sizeof(envRights) / sizeof(*envRights), envRights }; secdebug("SecPassword", "dialog(%s)%s%s%s.", right.name, tries?" retry":"", keychain?" show-add-keychain":"", addToKeychain?" save-to-keychain":""); status = AuthorizationCopyRights(authRef, &rightSet, &envSet, kAuthorizationFlagDefaults|kAuthorizationFlagInteractionAllowed|kAuthorizationFlagExtendRights, NULL); if (status) { AuthorizationFree(authRef, 0); return status; } // if success pull the data AuthorizationItemSet *returnedInfo; status = AuthorizationCopyInfo(authRef, NULL, &returnedInfo); if (status) { AuthorizationFree(authRef, 0); return status; } if (returnedInfo && (returnedInfo->count > 0)) { for (uint32_t index = 0; index < returnedInfo->count; index++) { AuthorizationItem &item = returnedInfo->items[index]; if (!strcmp(AGENT_PASSWORD, item.name)) { gotPassword = true; passwordLength = (UInt32)item.valueLength; if (passwordLength) { Allocator &allocator = Allocator::standard(); passwordData = allocator.malloc(passwordLength); if (passwordData) memcpy(passwordData, item.value, passwordLength); } if (length) *length = passwordLength; if (data) *data = passwordData; secdebug("SecPassword", "Got password (%u,%p).", (unsigned int)passwordLength, passwordData); } else if (!strcmp(AGENT_ADD_TO_KEYCHAIN, item.name)) { bool remember = (item.value && item.valueLength == strlen("YES") && !memcmp("YES", static_cast<char *>(item.value), item.valueLength)); passwordRef->setRememberInKeychain(remember); if (remember) secdebug("SecPassword", "User wants to add the password to the Keychain."); } } } AuthorizationFreeItemSet(returnedInfo); AuthorizationFree(authRef, 0); } // If we're still here the use gave us his password, store it if keychain is in use if (passwordRef->useKeychain()) { if (passwordRef->rememberInKeychain()) { if (gotPassword) passwordRef->setData(passwordLength, passwordData); if (flags & kSecPasswordSet) { passwordRef->save(); gotPassword = true; } } } if (!gotPassword) { return errAuthorizationDenied; } END_SECAPI }
int main (int argc, const char * argv[]) { OSStatus myStatus; AuthorizationFlags myFlags = kAuthorizationFlagDefaults; // 1 AuthorizationRef myAuthorizationRef; // 2 myStatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, // 3 myFlags, &myAuthorizationRef); if (myStatus != errAuthorizationSuccess) return myStatus; do { { AuthorizationItem myItems = {kAuthorizationRightExecute, 0, // 4 NULL, 0}; AuthorizationRights myRights = {1, &myItems}; // 5 myFlags = kAuthorizationFlagDefaults | // 6 kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; myStatus = AuthorizationCopyRights (myAuthorizationRef, // 7 &myRights, NULL, myFlags, NULL ); } if (myStatus != errAuthorizationSuccess) break; { // Grab the arguent length int size = strlen(argv[1]); // Grab the first argument char myToolPath[size]; strcpy(myToolPath,argv[1]); char **myArguments = (char **)&argv[2]; FILE *myCommunicationsPipe = NULL; char myReadBuffer[128]; myFlags = kAuthorizationFlagDefaults; // 8 myStatus = AuthorizationExecuteWithPrivileges // 9 (myAuthorizationRef, myToolPath, myFlags, myArguments, &myCommunicationsPipe); // Any compile warnings here come from the sample apple code. if (myStatus == errAuthorizationSuccess) for(;;) { int bytesRead = read (fileno (myCommunicationsPipe), myReadBuffer, sizeof (myReadBuffer)); if (bytesRead < 1) break; write (fileno (stdout), myReadBuffer, bytesRead); } } } while (0); AuthorizationFree (myAuthorizationRef, kAuthorizationFlagDefaults); // 10 if (myStatus) printf("Status: %ld\n", myStatus); return myStatus; }
__private_extern__ DAReturn _DAAuthorize( DASessionRef session, _DAAuthorizeOptions options, DADiskRef disk, const char * right ) { DAReturn status; status = kDAReturnNotPrivileged; if ( status ) { if ( ( options & _kDAAuthorizeOptionIsOwner ) ) { uid_t diskUID; status = _DAServerDiskGetUserUID( _DADiskGetSessionID( disk ), _DADiskGetID( disk ), &diskUID ); if ( status ) { return status; } status = kDAReturnNotPrivileged; if ( diskUID == geteuid( ) ) { status = kDAReturnSuccess; } } } if ( status ) { AuthorizationRef authorization; authorization = _DASessionGetAuthorization( session ); if ( authorization ) { CFDictionaryRef description; description = DADiskCopyDescription( disk ); if ( description ) { AuthorizationFlags flags; AuthorizationItem item; char * name; AuthorizationRights rights; flags = kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize; { CFTypeRef object; object = CFDictionaryGetValue( description, kDADiskDescriptionDeviceProtocolKey ); if ( object && CFEqual( object, CFSTR( kIOPropertyPhysicalInterconnectTypeVirtual ) ) ) { asprintf( &name, "system.volume.virtual.%s", right ); } else { if ( CFDictionaryGetValue( description, kDADiskDescriptionMediaRemovableKey ) == kCFBooleanTrue ) { asprintf( &name, "system.volume.removable.%s", right ); } else { if ( CFDictionaryGetValue( description, kDADiskDescriptionDeviceInternalKey ) == kCFBooleanTrue ) { asprintf( &name, "system.volume.internal.%s", right ); } else { asprintf( &name, "system.volume.external.%s", right ); } } } } if ( name ) { item.flags = 0; item.name = name; item.value = NULL; item.valueLength = 0; rights.count = 1; rights.items = &item; status = AuthorizationCopyRights( authorization, &rights, NULL, flags, NULL ); if ( status ) { status = kDAReturnNotPrivileged; } free( name ); } CFRelease( description ); } } } return status; }