I need to give a java application super user access to view protected files on a mac
As above. I have scoured the web, i also rang mac support and annoyed a mac (OSX 开发者_Go百科Lion) genius (out of desperation). I have no idea how to do this, I really don't want to have to sit on top of a terminal and give it commands. Has any one encountered this or got a solution?
Try looking at Greg Guerin's AuthKit library. It is a Mac-specific library that wraps Mac OS X Authorization Services.
Here is an example:
import glguerin.authkit.*;
Privilege priv = new Privilege("system.privilege.admin");
Authorization auth = new MacOSXAuthorization();
try
{
// This will cause an authentication prompt to be
// shown to the user, requesting the "system.privilege.admin"
// privilege.
auth.authorize(priv, true);
// If we reach this point, we can execute privileged programs.
// Load the secured file.
Process proc = auth.execPrivileged(new String[] { "/bin/cat", "/root/securefile" });
InputStream inputStream = proc.getInputStream();
// Use standard I/O mechanisms to read the input.
}
catch (UnauthorizedCancellation e)
{
// User chose not to authorize the application.
// Handle appropriately.
}
The auth.authorize()
call will cause the standard "Please enter your password to allow program X to make changes" dialog. The user can cancel if desired, causing glguerin.authkit.UnauthorizedCancellation
to be thrown.
This solution has a huge advantage over using sudo
or setuid
: it only runs the necessary tasks as root.
One last gotcha: the default JNI loader for AuthKit uses the Cocoa/Java bridge, which was removed from Mac OS X as of Snow Leopard. So on recent versions of Mac OS X, the code above will fail with UnsatisfiedLinkError
. To work around this, use the following:
// Put this class somewhere:
public class AuthKitLibLoader extends LibLoader
{
@Override
protected File makeFallbackDir()
{
return new File(".");
}
}
// Then, before calling AuthKit (using the above example), do this:
// Hook in our "Snow Leopard-safe" extension to AuthKit (see below).
System.setProperty("glguerin.util.LibLoader.imp", AuthKitLibLoader.class.getName());
Finally, be sure to read the AuthKit documentation for more detail.
If you run the application as the root user, the application will have full access to everything.
This is a dangerous operation however because it gives the application full privileges.
Another option would be to run it as a user that has the needed permissions to the files in question. This can be done by putting the user or the files in the appropriate group.
You probably need to SETUID the application to root.
> su Enter password: > chown root:wheel myJavaApp > chmod ug+s myJavaApp > exit
Now whenever someone in the wheel group runs myJavaApp, it will run as its owner (root). Just make sure you're in the wheel group (or whatever other group)
Alternatively, you could chmod a+s myJavaApp ... but that would let ANYONE AT ALL run the program as root. I would think carefully about that.
精彩评论