The
Ultimate
Business Machine

Technology, business
and innovation.

And, not least, about
the Mac.

Weblog Archive Cutedge

by: Bernard Teo








Creative Commons License

Copyright © 2003-2012
Bernard Teo
Some Rights Reserved.

The Ultimate Business Machine - Archives

List of Categories : Database * Technology * Commentary * Singapore * Travel *

Thu 02 Feb 2006

About Authorisation Services and the Security Framework

Category : Technology/securityFramework.txt

Over the long Chinese New Year weekend just past, I've also built an experimental version of MailServe that uses Authorisation Services which, together with the Keychain, is part of Cocoa's Security Framework.

I was trying to avoid having to use sudo to change things at the system level but, instead, use a shell tool that has its uid set to root to do all the privileged operations. But a setuid root tool is a dangerous thing. And that's where Authorisation Services come in - to make sure that the user is authorised to perform each privileged operation, and to authenticate that the user is who he says he is. With the Cocoa API's, you get to do all these in an orderly way.

And there are few other benefits to doing things "the right way". If the user is using a Mac that allows him to authenticate using smart cards, finger print or retinal scanning, in place of passwords, my applications will still work without my having to do a thing.

But what I was trying to do now was to avoid holding on to the user's password, which I have to do as long as I have to pass it on to sudo.

I almost got there. It turns out that the postfix command needs to be performed by a superuser. But somehow a setuid root process, which should be considered as executing with the privileges of a superuser, is not considered privileged enough by the postfix command. I still need sudo to run the postfix command in the setuid process, and there's something I'm missing here. I'm so close to getting it done. The code's a lot neater, and I may be able to kill the occasional problems I have with people's passwords not working, once and for all, since I'm using the same authentication services that you use when you log in to your system or change network settings.

When you meet these Security Framework API's the first time, they look very daunting. But there's a way to understand Cocoa if you learn how to skim off the key concepts quickly. Once the concepts are clear, then the more API's you find, and the thicker the documentation, the better it is, because it just means that there are a lot more variations to exploit the power of the tool. I'm just scratching the surface of what Cocoa can do. This is one journey that I'm happy to take one step at a time.

Posted at 8:57AM UTC | permalink

Mac@Work
Put your Mac to Work

Sivasothi.com? Now how would you do something like that?
Weblogs. Download and start a weblog of your own.
A Mac Business Toolbox
A survey of the possibilities
A Business Scenario
How we could use Macs in businesses
VPN Enabler for Mavericks
MailServe for Mavericks
DNS Enabler for Mavericks
DNS Agent for Mavericks
WebMon for Mavericks
Luca for Mavericks
Liya for Mountain Lion & Mavericks
Postfix Enabler for Tiger and Panther
Sendmail Enabler for Jaguar

Services running on this server, a Mac Mini running Mac OS X 10.9.2 Mavericks:

  • Apache 2 Web Server
  • Postfix Mail Server
  • Dovecot IMAP Server
  • Fetchmail
  • SpamBayes Spam Filter
  • Procmail
  • BIND DNS Server
  • DNS Agent
  • WebDAV Server
  • VPN Server
  • PHP-based weblog
  • MySQL database
  • PostgreSQL database

all set up using MailServe, WebMon, DNS Enabler, DNS Agent, VPN Enabler, Liya and our SQL installers, all on Mavericks.