0

I am developing an OSX application for school where multiple users of the same Mac will be able to launch the program based on a shared configuration (i.e. database connection info). By design, a normal user without administrative privileges should not be allowed to modify the configuration.

Based on Unix convention, I am storing the configuration file under /usr/shared/, but this caused another problem: even when logged in as an administrator, the application will not be able to write to the location above. Users will have to launch the application with elevated privileges (using sudo) if they need to make changes to the configuration file.

My question is whether using "sudo" to write to a restricted area is a common practice in Mac OS X?

YeenFei

2 Answers

1

I would say that using "sudo" on a Mac is only common practice for certain types of users, such as network administrators and users who like to do more than just use standard applications.

I certainly would not expect students and teachers to be using the terminal and sudo.

When developing OSX apps, Apple provides the Authorization Services, from the security framework, for the app to be able to separate privileged features from standard ones and prompt users for their credentials when required.

You will have seen this in the System Preferences panes, where you see the padlock icon. Any application can call upon these services, though I'm not sure if it's possible with Java. This is Apple's recommended method of handling a problem such as this, in addition to factoring out privileged tasks to a separate application with a function they term 'SMJobBless'.

Interestingly, the domain of your question maps directly onto Apple's described scenario of using this system for "Simple, Self-Restricted Applications".

With that being said, if only yourself or other network administrators are going to be modifying the config file, then I'd recommend leaving out any features in the app for modifying it and doing it directly with sudo and a text editor such as vi, when required.

TheDarkKnight
  • Thanks for the info on Apple's Authorization Services; however, it seems that privilege elevation is not possible with plain Java. Perhaps we need a native helper tool that the main application can delegate privileged actions to (described as "factored applications" in the same link). – YeenFei Sep 19 '13 at 02:25
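
A native helper or a startup check can confirm the invariant the question asks for (normal users may read the shared configuration but not modify it) by inspecting the file's owner and mode. This is an added example, not code from the question or the answers; the function names and the placeholder path are assumptions.

```c
/* Added example: verify a shared config file is admin-only before trusting it. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* lstat() and S_IF* under strict compilers */
#endif
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum cfg_status {
    CFG_OK = 0,
    CFG_NOT_REGULAR,   /* symlink, directory, device, ... */
    CFG_WRONG_OWNER,   /* not owned by the trusted account */
    CFG_WRITABLE       /* group or others can modify it */
};

/* Pure check on file metadata, so it can be exercised with constructed values. */
enum cfg_status cfg_check_stat(const struct stat *st, uid_t trusted_owner)
{
    if (!S_ISREG(st->st_mode))
        return CFG_NOT_REGULAR;
    if (st->st_uid != trusted_owner)
        return CFG_WRONG_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return CFG_WRITABLE;
    return CFG_OK;
}

/* lstat() so a symlink planted at the path is reported, not followed. */
int cfg_check_path(const char *path, uid_t trusted_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)cfg_check_stat(&st, trusted_owner);
}

int main(int argc, char **argv)
{
    /* Hypothetical placeholder path; pass the real one as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/path/to/shared/app.conf";
    int rc = cfg_check_path(path, 0 /* root */);
    if (rc < 0) { perror(path); return 2; }
    printf("%s: %s\n", path, rc == CFG_OK ? "locked down" : "NOT safe to trust");
    return rc == CFG_OK ? 0 : 1;
}
```

The check covers the file itself; the directories above it must also be unwritable by normal users, otherwise the file can be replaced rather than edited.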
0

Definitely, unless you chmod its privilege with sudo (root).

TwoCode