2

As above. I have scoured the web, i also rang mac support and annoyed a mac (OSX Lion) genius (out of desperation). I have no idea how to do this, I really don't want to have to sit on top of a terminal and give it commands. Has any one encountered this or got a solution?

Matt Ball
  • 354,903
  • 100
  • 647
  • 710
Andy
  • 41
  • 1
  • 4
  • 1
    What permissions and owner do the files have that you want to view? What user do you want to do the viewing? What do you mean by viewing? – jackrabbit Sep 13 '11 at 20:47

3 Answers3

9

Try looking at Greg Guerin's AuthKit library. It is a Mac-specific library that wraps Mac OS X Authorization Services.

Here is an example:

import glguerin.authkit.*;

Privilege priv = new Privilege("system.privilege.admin");
Authorization auth = new MacOSXAuthorization();

try
{
  // This will cause an authentication prompt to be
  // shown to the user, requesting the "system.privilege.admin"
  // privilege.
  auth.authorize(priv, true);

  // If we reach this point, we can execute privileged programs.

  // Load the secured file.
  Process proc = auth.execPrivileged(new String[] { "/bin/cat", "/root/securefile" });
  InputStream inputStream = proc.getInputStream();

  // Use standard I/O mechanisms to read the input.
}
catch (UnauthorizedCancellation e)
{
  // User chose not to authorize the application.
  // Handle appropriately.
}

The auth.authorize() call will cause the standard "Please enter your password to allow program X to make changes" dialog. The user can cancel if desired, causing glguerin.authkit.UnauthorizedCancellation to be thrown.

screen shot of Mac OS X authorization prompt

This solution has a huge advantage over using sudo or setuid: it only runs the necessary tasks as root.

One last gotcha: the default JNI loader for AuthKit uses the Cocoa/Java bridge, which was removed from Mac OS X as of Snow Leopard. So on recent versions of Mac OS X, the code above will fail with UnsatisfiedLinkError. To work around this, use the following:

// Put this class somewhere:
public class AuthKitLibLoader extends LibLoader
{
  @Override
  protected File makeFallbackDir()
  {
    return new File(".");
  }
}

// Then, before calling AuthKit (using the above example), do this:

// Hook in our "Snow Leopard-safe" extension to AuthKit (see below).
System.setProperty("glguerin.util.LibLoader.imp", AuthKitLibLoader.class.getName());

Finally, be sure to read the AuthKit documentation for more detail.

Matt Solnit
  • 32,152
  • 8
  • 53
  • 57
  • Well, with your awesome LibLoader hint AuthKit now finds the jnilib, but neither the new nor the old jnilib from Gregory ( http://www.amug.org/~glguerin/sw/#authkit ) works on 10.8 Mountain Lion. Seems to be a 64bit issue... Can someone recompile the jnilib for x86_64 ? – ToFi Feb 03 '13 at 13:53
3

If you run the application as the root user, the application will have full access to everything.

This is a dangerous operation however because it gives the application full privileges.

Another option would be to run it as a user that has the needed permissions to the files in question. This can be done by putting the user or the files in the appropriate group.

cdeszaq
  • 30,869
  • 25
  • 117
  • 173
-1

You probably need to SETUID the application to root.

> su
Enter password:
> chown root:wheel myJavaApp
> chmod ug+s myJavaApp
> exit

Now whenever someone in the wheel group runs myJavaApp, it will run as its owner (root). Just make sure you're in the wheel group (or whatever other group)

Alternatively, you could chmod a+s myJavaApp ... but that would let ANYONE AT ALL run the program as root. I would think carefully about that.

torstenvl
  • 779
  • 7
  • 16