Better than setuid – BetterAuthorizationSample

While scanning my RSS feeds I ran into this post from JongAm. It’s in Korean so I really don’t know what he’s talking about specifically, but generally I can tell he’s writing about Mac OS X’s authorization mechanisms. (BTW, I love that URLs and such don’t choke on Hangul).

There’s something at work I’ve been fiddling with for the past few days. The issue is that something has to be done and that something requires authorization. Unfortunately, because of how the drivers and the OS can interact under the hood, it’s possible things could change and thus require the user to authenticate again. This is not a desirable user experience because the need to re-authorize is an under-the-hood detail, not something the user would be aware of. Thus, to the user, the experience is being asked, randomly or not, to reauthenticate. Not good.

So what’s the solution? The original thought was to create a little helper tool app that would have its setuid bit set and be installed as root, thus the user would have to authenticate at most one time and the little helper tool would then be authorized “forever” to do the necessary voodoo. A reasonable thing. And setuid tools are not a new concept and are well-established, but still they’re considered tricky and risky because you’re still running code as root which opens up all manner of security issues.

As I searched around for information, I came across Apple’s BetterAuthorizationSample. Obviously written by Quinn (thus you know it will rock), it’s provided as a way to achieve the same results as a setuid tool but in a safer way by use of launchd. What’s even better is BAS provides a library and mechanism to make it easy for you to utilize this functionality in your own code. There is step-by-step documentation that walks you through the whole process, and of course a sample app to demonstrate various levels of complexity. For more information, read the ReadMe, the Design and Implementation Rationale, and the lib HOWTO.

Getting it up and running in my app wasn’t too difficult a task. Just follow the HOWTO guide. It does take a little bit to wrap your head around it all just because there’s a lot going on, but the documentation is thorough and complete. Just do as it says and you’ll be up and running. Works great in my app. I’m pleased.

I will note that if you don’t have an uninstaller for your application, this is one situation where a simple uninstaller might be a welcome thing. There are not only files in odd places to remove, but you will also need to unload the Launch Agent from launchd. There’s also the question of removing the entry in /etc/authorization, but there’s really no good way to do that. Still, something you need to consider.
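An uninstaller along the lines described above, as an added example that is not part of the original post or of Apple's sample: it unloads the job from launchd and then removes the helper's files, leaving the /etc/authorization entry alone. The label, the `ROOT` and `LAUNCHCTL` variables and the three paths are assumptions; substitute what your installer actually wrote.

```shell
#!/bin/sh
# Added example: uninstaller for a root helper registered with launchd.
# ROOT is empty on a real system; pointing it at a scratch directory allows a dry run.
ROOT=${ROOT:-}
LAUNCHCTL=${LAUNCHCTL:-launchctl}

# Accept only plain reverse-DNS style labels so a crafted value cannot
# make the rm calls below reach outside the three expected directories.
valid_label() {
    case $1 in
        ''|-*|*..*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

uninstall_helper() {
    label=$1
    valid_label "$label" || { echo "refusing label: $label" >&2; return 2; }

    # Assumed locations; replace with the paths your installer wrote.
    plist="$ROOT/Library/LaunchDaemons/$label.plist"
    tool="$ROOT/Library/PrivilegedHelperTools/$label"
    sock="$ROOT/var/run/$label.socket"

    # Unload first: launchd must stop offering the root job before its files go.
    if [ -f "$plist" ]; then
        "$LAUNCHCTL" unload "$plist" || echo "warning: unload failed for $plist" >&2
    fi

    rc=0
    for p in "$plist" "$tool" "$sock"; do
        # -L catches dangling symlinks, which -e reports as absent.
        if [ -e "$p" ] || [ -L "$p" ]; then
            rm -f -- "$p" || rc=1
        fi
    done
    return $rc
}

# Usage (as root): sh uninstall-helper.sh com.example.MyHelper
if [ $# -gt 0 ]; then
    uninstall_helper "$1"
fi
```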

All in all a fantastic bit of sample code, and while not necessary for all authorization needs, if you are considering writing a setuid tool for Mac OS X, you should look at this mechanism instead.

Good stuff. Share and enjoy.

2 thoughts on “Better than setuid – BetterAuthorizationSample”

  1. Hey John, Bill and I went to look something up today about BetterAuthorizationSample and guess what was the #1 Google result? How about that! Anyway, above you say “Obviously written by Quinn”; why is that so obvious? Quinn the Eskimo to the rescue! Sorta… [DEPRECATED]

    • I can check out any time I’d like, but I can never leave. 😉

      Quinn is obvious to me because I’ve worked with Quinn for many years and know his style and what areas he tends to work in. And so, I’ve just learned his style.

      Share and enjoy.
