I'm attempting to execute an uninstaller (written in AppleScript) through AuthorizationExecuteWithPrivileges. I'm setting up my rights after creating an empty auth ref like so:

    char *tool = "/usr/bin/osascript";
    AuthorizationItem items = {kAuthorizationRightExecute, strlen(tool), tool, 0};
    AuthorizationRights rights = {sizeof(items)/sizeof(AuthorizationItem), &items};
    AuthorizationFlags flags = kAuthorizationFlagDefaults |
                               kAuthorizationFlagExtendRights |
                               kAuthorizationFlagPreAuthorize |
                               kAuthorizationFlagInteractionAllowed;
    status = AuthorizationCopyRights(authorizationRef, &rights, NULL, flags, NULL);

Later I call:

    status = AuthorizationExecuteWithPrivileges(authorizationRef, tool, kAuthorizationFlagDefaults, (char *const *)args, NULL);

On Snow Leopard this works fine, but on Leopard I get the following in syslog.log:

    Apr 19 15:30:09 hostname /usr/bin/osascript[39226]: OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=0 uid=501 euid=0 gid=20 egid=20)
    Apr 19 15:30:12: --- last message repeated 1 time ---
    ...
    Apr 19 15:30:12 hostname [0x0-0x2e92e9].com.example.uninstaller[39219]: /var/folders/vm/vmkIi0nYG8mHMrllaXaTgk+++TI/-Tmp-/TestApp_tmpfiles/Uninstall.scpt: 
    Apr 19 15:30:12 hostname [0x0-0x2e92e9].com.example.uninstaller[39219]: execution error: «constant afdmasup» doesn’t understand the «event earsffdr» message. (-1708)

After researching this for a few hours, my first guess is that Leopard somehow doesn't want to do what I'm doing because it knows it's in a setuid situation and blocks calls that ask about user-specific things in the AppleScript.

Am I going about this all wrong? I just want to run the equivalent of "sudo /usr/bin/osascript ..."

Edit:

FWIW, the first line that causes the "execution error" is:

    set userAppSupportPath to (POSIX path of (path to application support folder from user domain))

However, even with an empty script (on run argv, end run and that's it) I still get the 'gdut' message.

A: 

According to this thread, http://forums.macosxhints.com/showthread.php?t=90952&page=3, it appears that a security update was made to OS X that blocks setuid root scripts from being accessed via AppleScript.

I suspect this mechanism is blocking your code as well.

Unfortunately, I guess that means this is not working "by design".

Michael Lamb
Here is the relevant KB: http://support.apple.com/kb/HT2647 "Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges." This appears to be exactly what's going on with your code.
Michael Lamb
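
A triage helper for the syslog line quoted in the question, added here as an example and not part of the original posts: it parses the credential tuple that OpenScripting.framework logs and flags a process that is root only by effective uid. The function names are hypothetical, and reading "mixed credentials" as a real/effective ID mismatch is an assumption based on the logged values.

```c
#include <stdio.h>
#include <string.h>

/* Credential tuple as printed at the end of the 'event blocked' log line. */
struct creds { int issetugid; long uid, euid, gid, egid; };

/* Parse "(issetugid=N uid=N euid=N gid=N egid=N)". Returns 1 on success. */
int parse_creds(const char *line, struct creds *c)
{
    const char *p = strstr(line, "(issetugid=");
    if (p == NULL)
        return 0;
    return sscanf(p, "(issetugid=%d uid=%ld euid=%ld gid=%ld egid=%ld",
                  &c->issetugid, &c->uid, &c->euid, &c->gid, &c->egid) == 5;
}

/* Assumption: "mixed" means a real ID differs from its effective ID. */
int is_mixed(const struct creds *c)
{
    return c->uid != c->euid || c->gid != c->egid;
}

/*  1: blocked event from a process that is root only by effective uid
 *  0: unrelated line, or credentials not mixed
 * -1: blocked-event line whose credential tuple could not be parsed */
int classify_line(const char *line)
{
    struct creds c;
    if (strstr(line, "event blocked in process with mixed credentials") == NULL)
        return 0;
    if (!parse_creds(line, &c))
        return -1;
    return (is_mixed(&c) && c.euid == 0) ? 1 : 0;
}

int main(void)
{
    const char *lines[] = {
        /* taken from the syslog excerpt in the question */
        "Apr 19 15:30:09 hostname /usr/bin/osascript[39226]: OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=0 uid=501 euid=0 gid=20 egid=20)",
        /* constructed: same message, truncated mid-tuple */
        "Apr 19 15:30:09 hostname /usr/bin/osascript[39226]: OpenScripting.framework - 'gdut' event blocked in process with mixed credentials (issetugid=0 uid=",
        /* constructed: unrelated line */
        "Apr 19 15:30:12 hostname example[1]: started",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%2d  %.70s\n", classify_line(lines[i]), lines[i]);
    return 0;
}
```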