In an installer-free, non-MAS Mac app, I need to let the user do the equivalent of:

```
sudo sh -c 'cp -R MyAudioDriver.driver /Library/Audio/Plug-Ins/HAL/ && killall coreaudiod'
```

so they request the installation of the optional component, see the standard “[App X] wants to make changes, enter a password to continue” and the above happens with elevated privileges.
After looking at the sample code `SMJobBless`, `BetterAuthorizationSample` and `EvenBetterAuthorizationSample` (we don’t talk about plain `AuthorizationSample` any more), the picture that I’m getting is that the solution is a mixture of:
1. use SMJobBless to install a privileged helper app managed by launchd (this - hopefully - can do the one-liner above)
2. code signing & (mutual?) whitelist to establish trust between app and helper
3. XPC for communication between helper and app (hi, this is the app, please install the thing)
This seems so complicated. Is this really the way to do what I want in a non-deprecated fashion? The client justifiably points out that requesting elevated permissions for Accessibility scripting is very easy, but there’s a dedicated API for that.
I got the SMJobBless sample code working, and confusingly, its security dialog says “[App X] wants to install a helper app, enter password” which is not the message I want to give, so hopefully there’s some plist customisation somewhere where I can say “[App X] wants to install an audio component”.
Am I on the right path?
I have many doubts and questions:
- XPC to a privileged app is apparently not supported (mentioned here: http://atnan.com/blog/2012/02/29/modern-privileged-helper-tools-using-smjobbless-plus-xpc/)
- Can I shell out to the one-liner script? It's codesigned...
- Aren't helper apps supposed to be long running?
- Every other app seems to have the "[App X] wants to make changes" dialog. Does that mean they're using the deprecated AuthorizationExecuteWithPrivileges()? Or are they asking AppleScript to run a shell script with elevated privileges?
- The calling app is not a bundle, it's just a binary/CLI tool that acts as a plug-in for an Electron .app package/bundle. Can the CLI tool communicate with the helper?
- I'm no security expert, but having a helper app/server running as root & performing commands (in this case file copies to directories owned by root) on behalf of my app seems kinda... insecure.
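
The code-signing allowlist from points 2 and 3 above, written out as property-list fragments. This is an added example, not part of the original post or of Apple's sample code. The bundle identifiers, the helper label and the team ID `TEAMID12345` are placeholders.

```xml
<!-- 1. Calling app's Info.plist (fragment): the helpers this app may install.
        Key = helper's launchd label, value = code-signing requirement
        that the helper binary must satisfy. -->
<key>SMPrivilegedExecutables</key>
<dict>
    <key>com.example.AudioDriverHelper</key>
    <string>identifier "com.example.AudioDriverHelper" and anchor apple generic and certificate leaf[subject.OU] = "TEAMID12345"</string>
</dict>

<!-- 2. Helper's Info.plist (fragment), embedded in the helper binary's
        __TEXT,__info_plist section: the clients allowed to install it.
        Each entry is a code-signing requirement the caller must satisfy. -->
<key>CFBundleIdentifier</key>
<string>com.example.AudioDriverHelper</string>
<key>SMAuthorizedClients</key>
<array>
    <string>identifier "com.example.AppX" and anchor apple generic and certificate leaf[subject.OU] = "TEAMID12345"</string>
</array>

<!-- 3. Helper's launchd plist (fragment), embedded in the helper binary's
        __TEXT,__launchd_plist section: the label must match the key used
        in (1), and MachServices names the XPC endpoint the app connects to. -->
<key>Label</key>
<string>com.example.AudioDriverHelper</string>
<key>MachServices</key>
<dict>
    <key>com.example.AudioDriverHelper</key>
    <true/>
</dict>
```

SMJobBless checks both requirements against the real signatures at install time, so the trust is mutual: the app names the helper it will bless and the helper names the clients that may bless it. That check does not cover later XPC connections, so the helper still has to verify each caller's signature itself and expose only the one fixed operation rather than accepting arbitrary paths or commands.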