Re: Bootstrap then launch with administrative rights

Hi,

please forgive me if this is not posted in the correct format, but I
didn't know how to do it any better (just subscribed to this mailing
list so I don't have the original mail).

> I have made significant progress on this topic :-)
>
> On Windows Vista, the installer extracts a WSH JScript that
> relaunches a JVM with elevated privileges. I suspect that it works
> on XP too but I couldn't test it.

It works on XP but there is a pitfall. A dialog will be display where
you can choose which user account should be used to start the
application. Additionally there is a checkbox where you can whether
your computer and data should be protected from unauthorised program
activity. This is tciked on by default and if it is kept ticked on
then the installer runs into problems installing into the common
C:\Program Files folder. I am not sure if this a problem in just my
system - maybe someone else could try this out and give this a try.


> On Mac OS X, the installer extracts a very small universal binary
> that uses the Security framework, again to ask for elevation.

This is very nice :) However there is again a limitation: It seems
like your tiny app does not work correctly with shell scripts. So any
shell scripts do not inherit the privileges. This explcitly covers the
case where you tell the installer to start shell script as postinstall
(<executable>). This script will not run with the elevated rights.
Would there be any way how to make scripts run with elevated rights as
well?


> In my limited experimentations this worked well.
>
> It can be enabled through a <run-privileged/> tag in the <info>(...)</info> section.

I would suggest to add the option to make this OS-dependent. For
example my installer does not need to have privileged rights on
Windows but needs privileged rights for OSX (missing libraries which
need to be installed). This is currently not possible.


--
Best regards,
 nik.thirtynine                          mailto:nik.thirtynine



---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hi Nik,

> It works on XP but there is a pitfall. A dialog will be display where
> you can choose which user account should be used to start the
> application. Additionally there is a checkbox where you can whether
> your computer and data should be protected from unauthorised program
> activity. This is tciked on by default and if it is kept ticked on
> then the installer runs into problems installing into the common
> C:\Program Files folder. I am not sure if this a problem in just my
> system - maybe someone else could try this out and give this a try.

If you have a better solution for XP then please share it :-)

The good thing is that it works just nicely on Vista.

> This is very nice :) However there is again a limitation: It seems
> like your tiny app does not work correctly with shell scripts. So any
> shell scripts do not inherit the privileges. This explcitly covers the
> case where you tell the installer to start shell script as postinstall
> (<executable>). This script will not run with the elevated rights.
> Would there be any way how to make scripts run with elevated rights as
> well?

See the attached screenshot: I have inserted a call to whoami in
ProcessPanel and the scripts are called as root.

> I would suggest to add the option to make this OS-dependent. For
> example my installer does not need to have privileged rights on
> Windows but needs privileged rights for OSX (missing libraries which
> need to be installed). This is currently not possible.

Agreed. Let's keep it in mind for the next release.

Cheers

--
http://izpack.org/
http://jpz-log.info/
http://julien.ponge.info/


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hello Julien,

Monday, December 8, 2008, 8:53:51 AM, you wrote:

>> It works on XP but there is a pitfall. A dialog will be display where
>> you can choose which user account should be used to start the
>> application. Additionally there is a checkbox where you can whether
>> your computer and data should be protected from unauthorised program
>> activity. This is tciked on by default and if it is kept ticked on
>> then the installer runs into problems installing into the common
>> C:\Program Files folder. I am not sure if this a problem in just my
>> system - maybe someone else could try this out and give this a try.

> If you have a better solution for XP then please share it  

Unfortunately, I do not have a better solution, otherwise I would had
proposed it :-( I just wanted to point out this possible pitfall.


>> This is very nice   However there is again a limitation: It seems
>> like your tiny app does not work correctly with shell scripts. So
>> any shell scripts do not inherit the privileges. This explcitly
>> covers the case where you tell the installer to start shell script
>> as postinstall (<executable>). This script will not run with the
>> elevated rights. Would there be any way how to make scripts run
>> with elevated rights as well?

> See the attached screenshot: I have inserted a call to whoami in
> ProcessPanel and the scripts are called as root.

Well, obviously then I am doing something wrong. I tried it with a
simple shell script (using the #!/bin/bash she-bang) and it doesn't
work.

Can you try this very simple two-liner?

#!/bin/bash
touch /usr/local/lib/test
ls /usr/local/lib/test

If it works, can you detail out how you achieved this?


>> I would suggest to add the option to make this OS-dependent. For
>> example my installer does not need to have privileged rights on
>> Windows but needs privileged rights for OSX (missing libraries which
>> need to be installed). This is currently not possible.

> Agreed. Let's keep it in mind for the next release.

Sounds good.

Keep up the good work :)



--
Best regards,
 nik.thirtynine                            mailto:nik.thirtynine


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hi,

I've recently opened http://jira.codehaus.org/browse/IZPACK-217, which is about being asked for admin permissions while the user already has all the permission he needs.
For that matter, I've tried to approach this issue by letting the install.xml define what permissions the installer will need, and the installer will check for these permissions at runtime.

Please find attached a patch which basically implements this behavior. Note that I'm not familiar with IzPack development and I only consider this patch to point to the right direction. It's probably not of good code quality and I haven't tested it too much, but it did the things I wanted it to.

I hope I was able to help.

Thanks,
Kjell


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Will have a look!

On Mon, Dec 8, 2008 at 6:08 PM, Braden Kjell <Kjell.Braden@...> wrote:


--
http://izpack.org/
http://jpz-log.info/
http://julien.ponge.info/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hello Julien,

Monday, December 8, 2008, 8:53:51 AM, you wrote:

>> This is very nice   However there is again a limitation: It seems
>> like your tiny app does not work correctly with shell scripts. So
>> any shell scripts do not inherit the privileges. This explcitly
>> covers the case where you tell the installer to start shell script
>> as postinstall (<executable>). This script will not run with the
>> elevated rights. Would there be any way how to make scripts run
>> with elevated rights as well?

> See the attached screenshot: I have inserted a call to whoami in
> ProcessPanel and the scripts are called as root.

I have tried it again by calling a simple testscript and executing it
by using run-with-privileges-on-osx but it does not work!

I tried:

===== console output =====

./run-with-privileges ./test.sh bla

cat ./test.sh

#!/bin/bash
whoami > /tmp/me

cat /tmp/me

nik
===== console output =====

As you can see it does not tell that I am root. Also a

./run-with-privileges /bin/bash ./test.sh

gives the same result. Maybe it has something to do with sub processes
not inheriting the user id. Any ideas?

--
Best regards,
 nik.thirtynine                            mailto:nik.thirtynine


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Strange indeed...

I'm a bit busy but will have a look again.

On Sat, Dec 13, 2008 at 5:04 PM,  <nik.thirtynine@...> wrote:


--
http://izpack.org/
http://jpz-log.info/
http://julien.ponge.info/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hi Nik,

I have tested on OS X and the permissions are indeed not propagated to
the elevated process subprocesses. What's funny is that ProcessPanel
seems to properly propagate them. I am not sure whether this is a bug
or a feature....

Cheers

--
http://izpack.org/
http://jpz-log.info/
http://julien.ponge.info/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hello Julien,

Monday, December 15, 2008, 2:27:43 PM, you wrote:

> I have tested on OS X and the permissions are indeed not propagated
> to the elevated process subprocesses. What's funny is that
> ProcessPanel seems to properly propagate them. I am not sure whether
> this is a bug or a feature....

Thanks for taking the time to confirm this.

Is there maybe a special OSX way how to trigger a shell skript? Maybe
this convention has to be used to make the shell skript inherit the
user rights...?


--
Best regards,
 nik.thirtynine                            mailto:nik.thirtynine


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hello Julien,

Monday, December 15, 2008, 2:27:43 PM, you wrote:

> Hi Nik,

> I have tested on OS X and the permissions are indeed not propagated to
> the elevated process subprocesses. What's funny is that ProcessPanel
> seems to properly propagate them. I am not sure whether this is a bug
> or a feature....

okay, I have found a workaround. What I am doing is basically I am
starting a shell script by iZPack with normal user rights postinstall.
This shell script calls an Apple Script which calls another shell
script (actually it is the same shell script just with different
parameters), and this Apple Script asks for user elevation. The shell
script runs then as root. Works like a charm.

Is there any interest about how the shell script and the Apple Script
looks like? Maybe this can be handy for some iZPack scripts?

Regards,


Nik

--
Best regards,
 nik.thirtynine                            mailto:nik.thirtynine


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

Hi Nik,

> Is there any interest about how the shell script and the Apple Script
> looks like? Maybe this can be handy for some iZPack scripts?

Yes, please :-)

There may be also a solution to propagate the privileged permissions
through the Security Framework, but I am no expert here.

Cheers

--
http://izpack.org/
http://jpz-log.info/
http://julien.ponge.info/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email