1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/mac/authorization_util.h"
7 #import <Foundation/Foundation.h>
12 #include "base/basictypes.h"
13 #include "base/logging.h"
14 #include "base/mac/bundle_locations.h"
15 #include "base/mac/foundation_util.h"
16 #include "base/mac/mac_logging.h"
17 #include "base/mac/scoped_authorizationref.h"
18 #include "base/posix/eintr_wrapper.h"
19 #include "base/strings/string_number_conversions.h"
20 #include "base/strings/string_util.h"
25 AuthorizationRef GetAuthorizationRightsWithPrompt(
26 AuthorizationRights* rights,
28 AuthorizationFlags extraFlags) {
29 // Create an empty AuthorizationRef.
30 ScopedAuthorizationRef authorization;
31 OSStatus status = AuthorizationCreate(NULL,
32 kAuthorizationEmptyEnvironment,
33 kAuthorizationFlagDefaults,
35 if (status != errAuthorizationSuccess) {
36 OSSTATUS_LOG(ERROR, status) << "AuthorizationCreate";
40 AuthorizationFlags flags = kAuthorizationFlagDefaults |
41 kAuthorizationFlagInteractionAllowed |
42 kAuthorizationFlagExtendRights |
43 kAuthorizationFlagPreAuthorize |
46 // product_logo_32.png is used instead of app.icns because Authorization
47 // Services can't deal with .icns files.
49 [base::mac::FrameworkBundle() pathForResource:@"product_logo_32"
51 const char* icon_path_c = [icon_path fileSystemRepresentation];
52 size_t icon_path_length = icon_path_c ? strlen(icon_path_c) : 0;
54 // The OS will append " Type an administrator's name and password to allow
55 // <CFBundleDisplayName> to make changes."
56 NSString* prompt_ns = base::mac::CFToNSCast(prompt);
57 const char* prompt_c = [prompt_ns UTF8String];
58 size_t prompt_length = prompt_c ? strlen(prompt_c) : 0;
60 AuthorizationItem environment_items[] = {
61 {kAuthorizationEnvironmentIcon, icon_path_length, (void*)icon_path_c, 0},
62 {kAuthorizationEnvironmentPrompt, prompt_length, (void*)prompt_c, 0}
65 AuthorizationEnvironment environment = {arraysize(environment_items),
68 status = AuthorizationCopyRights(authorization,
74 if (status != errAuthorizationSuccess) {
75 if (status != errAuthorizationCanceled) {
76 OSSTATUS_LOG(ERROR, status) << "AuthorizationCopyRights";
81 return authorization.release();
84 AuthorizationRef AuthorizationCreateToRunAsRoot(CFStringRef prompt) {
85 // Specify the "system.privilege.admin" right, which allows
86 // AuthorizationExecuteWithPrivileges to run commands as root.
87 AuthorizationItem right_items[] = {
88 {kAuthorizationRightExecute, 0, NULL, 0}
90 AuthorizationRights rights = {arraysize(right_items), right_items};
92 return GetAuthorizationRightsWithPrompt(&rights, prompt, 0);
95 OSStatus ExecuteWithPrivilegesAndGetPID(AuthorizationRef authorization,
96 const char* tool_path,
97 AuthorizationFlags options,
98 const char** arguments,
101 // pipe may be NULL, but this function needs one. In that case, use a local
108 pipe_pointer = &local_pipe;
111 // AuthorizationExecuteWithPrivileges wants |char* const*| for |arguments|,
112 // but it doesn't actually modify the arguments, and that type is kind of
113 // silly and callers probably aren't dealing with that. Put the cast here
114 // to make things a little easier on callers.
115 OSStatus status = AuthorizationExecuteWithPrivileges(authorization,
118 (char* const*)arguments,
120 if (status != errAuthorizationSuccess) {
125 size_t line_length = 0;
126 char* line_c = fgetln(*pipe_pointer, &line_length);
128 if (line_length > 0 && line_c[line_length - 1] == '\n') {
129 // line_c + line_length is the start of the next line if there is one.
130 // Back up one character.
133 std::string line(line_c, line_length);
134 if (!base::StringToInt(line, &line_pid)) {
135 // StringToInt may have set line_pid to something, but if the conversion
136 // was imperfect, use -1.
137 LOG(ERROR) << "ExecuteWithPrivilegesAndGetPid: funny line: " << line;
141 LOG(ERROR) << "ExecuteWithPrivilegesAndGetPid: no line";
145 fclose(*pipe_pointer);
155 OSStatus ExecuteWithPrivilegesAndWait(AuthorizationRef authorization,
156 const char* tool_path,
157 AuthorizationFlags options,
158 const char** arguments,
162 OSStatus status = ExecuteWithPrivilegesAndGetPID(authorization,
168 if (status != errAuthorizationSuccess) {
172 // exit_status may be NULL, but this function needs it. In that case, use a
174 int local_exit_status;
175 int* exit_status_pointer;
177 exit_status_pointer = exit_status;
179 exit_status_pointer = &local_exit_status;
183 pid_t wait_result = HANDLE_EINTR(waitpid(pid, exit_status_pointer, 0));
184 if (wait_result != pid) {
185 PLOG(ERROR) << "waitpid";
186 *exit_status_pointer = -1;
189 *exit_status_pointer = -1;