1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
/*
File: ConfigurationAuthority.c
Abstract: Interface to system security framework that manages access
to protected resources like system configuration preferences.
Copyright: (c) Copyright 2005 Apple Computer, Inc. All rights reserved.
Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple Computer, Inc.
("Apple") in consideration of your agreement to the following terms, and your
use, installation, modification or redistribution of this Apple software
constitutes acceptance of these terms. If you do not agree with these terms,
please do not use, install, modify or redistribute this Apple software.
In consideration of your agreement to abide by the following terms, and subject
to these terms, Apple grants you a personal, non-exclusive license, under Apple's
copyrights in this original Apple software (the "Apple Software"), to use,
reproduce, modify and redistribute the Apple Software, with or without
modifications, in source and/or binary forms; provided that if you redistribute
the Apple Software in its entirety and without modifications, you must retain
this notice and the following text and disclaimers in all such redistributions of
the Apple Software. Neither the name, trademarks, service marks or logos of
Apple Computer, Inc. may be used to endorse or promote products derived from the
Apple Software without specific prior written permission from Apple. Except as
expressly stated in this notice, no other rights or licenses, express or implied,
are granted by Apple herein, including but not limited to any patent rights that
may be infringed by your derivative works or by other works in which the Apple
Software may be incorporated.
The Apple Software is provided by Apple on an "AS IS" basis. APPLE MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN
COMBINATION WITH YOUR PRODUCTS.
IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION, MODIFICATION AND/OR DISTRIBUTION
OF THE APPLE SOFTWARE, HOWEVER CAUSED AND WHETHER UNDER THEORY OF CONTRACT, TORT
(INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "ConfigurationAuthority.h"
#include "ConfigurationRights.h"
#include <AssertMacros.h>
static AuthorizationRef gAuthRef = 0;
static AuthorizationItem gAuthorizations[] = { { UPDATE_SC_RIGHT, 0, NULL, 0 },
{ EDIT_SYS_KEYCHAIN_RIGHT, 0, NULL, 0 }};
static AuthorizationRights gAuthSet = { sizeof gAuthorizations / sizeof gAuthorizations[0], gAuthorizations };
static CFDictionaryRef CreateRightsDict( CFStringRef prompt)
/* Create a CFDictionary decribing an auth right. See /etc/authorization for examples. */
/* Specifies that the right requires admin authentication, which persists for 5 minutes. */
{
CFMutableDictionaryRef dict = NULL, tmpDict;
CFMutableArrayRef mechanisms;
CFNumberRef timeout;
int val;
tmpDict = CFDictionaryCreateMutable( (CFAllocatorRef) NULL, 0, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
require( tmpDict != NULL, MakeDictFailed);
CFDictionaryAddValue(tmpDict, CFSTR("class"), CFSTR("user"));
CFDictionaryAddValue(tmpDict, CFSTR("comment"), prompt);
CFDictionaryAddValue(tmpDict, CFSTR("group"), CFSTR("admin"));
mechanisms = CFArrayCreateMutable((CFAllocatorRef) NULL, 1, &kCFTypeArrayCallBacks);
require( mechanisms != NULL, MakeArrayFailed);
CFArrayAppendValue( mechanisms, CFSTR("builtin:authenticate"));
CFDictionaryAddValue( tmpDict, CFSTR("mechanisms"), mechanisms);
val = 300; // seconds
timeout = CFNumberCreate((CFAllocatorRef) NULL, kCFNumberIntType, &val);
require( timeout != NULL, MakeIntFailed);
CFDictionaryAddValue( tmpDict, CFSTR("timeout"), timeout);
CFDictionaryAddValue( tmpDict, CFSTR("shared"), kCFBooleanTrue);
dict = tmpDict;
tmpDict = NULL;
CFRelease( timeout);
MakeIntFailed:
CFRelease( mechanisms);
MakeArrayFailed:
if ( tmpDict)
CFRelease( tmpDict);
MakeDictFailed:
return dict;
}
OSStatus InitConfigAuthority(void)
/* Initialize the authorization record-keeping */
{
OSStatus err;
CFDictionaryRef dict;
CFStringRef rightInfo;
err = AuthorizationCreate((AuthorizationRights*) NULL, (AuthorizationEnvironment*) NULL,
(AuthorizationFlags) 0, &gAuthRef);
require_noerr( err, NewAuthFailed);
err = AuthorizationRightGet( UPDATE_SC_RIGHT, (CFDictionaryRef*) NULL);
if (err == errAuthorizationDenied)
{
rightInfo = CFCopyLocalizedString(CFSTR("Authentication required to set Dynamic DNS preferences."),
CFSTR("Describes operation that requires user authorization"));
require_action( rightInfo != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
dict = CreateRightsDict(rightInfo);
require_action( dict != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
err = AuthorizationRightSet(gAuthRef, UPDATE_SC_RIGHT, dict, (CFStringRef) NULL,
(CFBundleRef) NULL, (CFStringRef) NULL);
CFRelease(rightInfo);
CFRelease(dict);
}
require_noerr( err, AuthSetFailed);
err = AuthorizationRightGet( EDIT_SYS_KEYCHAIN_RIGHT, (CFDictionaryRef*) NULL);
if (err == errAuthorizationDenied)
{
rightInfo = CFCopyLocalizedString( CFSTR("Authentication required to edit System Keychain."),
CFSTR("Describes operation that requires user authorization"));
require_action( rightInfo != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
dict = CreateRightsDict( rightInfo);
require_action( dict != NULL, GetStrFailed, err=coreFoundationUnknownErr;);
err = AuthorizationRightSet(gAuthRef, EDIT_SYS_KEYCHAIN_RIGHT, dict, (CFStringRef) NULL,
(CFBundleRef) NULL, (CFStringRef) NULL);
CFRelease( rightInfo);
CFRelease( dict);
}
require_noerr( err, AuthSetFailed);
AuthSetFailed:
GetStrFailed:
NewAuthFailed:
return err;
}
OSStatus AttemptAcquireAuthority( Boolean allowUI)
/* Try to get permission for privileged ops, either implicitly or by asking the user for */
/* authority to perform operations (if necessary) */
{
AuthorizationFlags allowFlag = allowUI ? kAuthorizationFlagInteractionAllowed : 0;
OSStatus err;
err = AuthorizationCopyRights( gAuthRef, &gAuthSet, (AuthorizationEnvironment*) NULL,
kAuthorizationFlagExtendRights | kAuthorizationFlagPreAuthorize |
allowFlag,
(AuthorizationRights**) NULL);
return err;
}
OSStatus ReleaseAuthority(void)
/* Discard authority to perform operations */
{
(void) AuthorizationFree( gAuthRef, kAuthorizationFlagDefaults);
gAuthRef = 0;
return AuthorizationCreate( (AuthorizationRights*) NULL, (AuthorizationEnvironment*) NULL,
(AuthorizationFlags) 0, &gAuthRef);
}
Boolean CurrentlyAuthorized(void)
{
OSStatus err = AttemptAcquireAuthority(true);
return err == noErr;
}
OSStatus ExternalizeAuthority(AuthorizationExternalForm *pAuth)
/* Package up current authorizations for transfer to another process */
{
return AuthorizationMakeExternalForm(gAuthRef, pAuth);
}
|
