I'm building a tool for admins in the enterprise context. The app needs to do some things as root, such as executing a script. I was hoping to implement a workflow where the user clicks a button, then will be shown the authentication prompt, enter the credentials and then execute the desired action. However, I couldn't find a way to implement this. AuthorizationExecuteWithPrivileges looked promising, but that's deprecated since 10.7. I've now tried to use a launch daemon that's contained in the app bundle with XPC, but that seems overly complicated and has several downsides (daemon with global machservice and the approval of a launch daemon suggests to the user that something's always running in the background). Also I'd like to stream the output of the executed scripts in real time back to the UI which seems very complicated to implement in this fashion. Is there a better way to enable an app to perform authorized privilege escalation for certain actions? What about privileged helper tools? I couldn't find any documentation about them. I know privilege escalation is not allowed in the App Store, but that's not relevant for us.

I'm extending a C++ library to gather some data from the keychain, I have a prototype code written in Swift that works just fine: import Security; import Foundation; let query: [String: Any] = [ kSecClass as String: kSecClassCertificate, kSecReturnData as String: true, kSecMatchLimit as String: kSecMatchLimitAll ] var items: CFTypeRef?; let status = SecItemCopyMatching(query as CFDictionary, &items); However trying to do the same in C++ crashes: #include <security/SecItem.h> int main() { static const void* keys[] = { kSecClass, kSecMatchLimit, kSecReturnData, }; static const void* values[] = { kSecClassCertificate, kSecMatchLimitOne, kCFBooleanTrue, }; static_assert(sizeof(keys) == sizeof(values), "Key-value lengths mismatch for query dictionary constructor!"); CFDictionaryRef query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys), nullptr, nullptr); SecItemCopyMatching(query, nullptr); return 0; } With the backtrace of: Thread 1 Queue : com.apple.main-thread (serial) #0 0x0000000191a7f1b8 in objc_retain () #1 0x0000000191ed9e0c in -[__NSDictionaryM __setObject:forKey:] () #2 0x0000000191f3ae28 in __CFDictionaryApplyFunction_block_invoke () #3 0x0000000191effbb0 in CFBasicHashApply () #4 0x0000000191ef2ccc in CFDictionaryApplyFunction () #5 0x0000000194cdafc4 in SecCFDictionaryCOWGetMutable () #6 0x0000000194cdf3e8 in SecItemCopyMatching_ios () #7 0x0000000194e79754 in SecItemCopyMatching () #8 0x0000000100003f68 in main at /Users/kkurek/whatever/whatever/main.cpp:15 #9 0x0000000191acf154 in start () I don't have much experience with MacOS so I'm not sure how to analyze this situation. I have tried running with sanitizers enabled but somehow the crash doesn't occur at all when running with them.

When I tried to launch my application from non-gui process (from launch daemon) NSworkspace openApplicationAtURL failed if I tried to run it when my device on the login screen. Everything is working if someone logged in, but on the login screen I have the error The application “TestApp” could not be launched because a miscellaneous error occurred. with code 256 NSWorkspace* workspace = [NSWorkspace sharedWorkspace]; NSWorkspaceOpenConfiguration* config = [NSWorkspaceOpenConfiguration configuration]; config.createsNewApplicationInstance = YES; config.activates = NO; config.promptsUserIfNeeded = NO; config.addsToRecentItems = NO; [workspace openApplicationAtURL: appURL configuration: config completionHandler:^(NSRunningApplication *app, NSError *error) { }]; Sometimes after the third try it works, sometimes not at all. I try to use "open" command, it works on MacOS Sequoia, but not working for operating systems below, I see this error The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600002998120 {Error Domain=OSLaunchdErrorDomain Code=125 "Domain does not support specified action" UserInfo={NSLocalizedFailureReason=Domain does not support specified action}}} All these problems occur only on the login screen. I'm developing screen share utility, so I need somehow to launch my application on the login screen. Could someone please help me understand what is recommended way to launch application on the login screen?

Since the introduction of the siblings / and /System/Volumes/Data architecture, some very basic, critical commands seems to have a broken behaviour ( cp, rsync, tar, cpio…). As an example, ditto which was introduced more than 10 years ago to integrate correctly all the peculiarity of HFS Apple filesystem as compared to the UFS Unix filesystem is not behaving correctly. For example, from man ditto: --rsrc Preserve resource forks and HFS meta-data. ditto will store this data in Carbon-compatible ._ AppleDouble files on filesystems that do not natively support resource forks. As of Mac OS X 10.4, --rsrc is default behavior. [...] --extattr Preserve extended attributes (requires --rsrc). As of Mac OS X 10.5, --extattr is the default. and nonetheless: # ls -@delO /private/var/db/ConfigurationProfiles/Store drwx------@ 5 root wheel datavault 160 Jan 20 2024 /private/var/db/ConfigurationProfiles/Store                            ********* com.apple.rootless 28 *************************** # mkdir tmp # ditto /private/var/db/ConfigurationProfiles tmp ditto: /Users/alice/Security/Admin/Apple/APFS/tmp/Settings: Operation not permitted ditto: /Users/alice/Security/Admin/Apple/APFS/tmp/Store: Operation not permitted # ls -@delO tmp/Store drwx------ 5 root wheel - 160 Aug 8 13:55 tmp/Store                            * # The extended attribute on copied directory Store is empty, the file flags are missing, not preserved as documented and as usual behaviour of ditto was since a long time ( macOS 10.5 ). cp, rsync, tar, cpio exhibit the same misbehaviour. But I was using ditto to be sure to avoid any incompatibility with the Apple FS propriaitary modifications. As a consequence, all backup scripts and applications are failing more or less silently, and provide corrupted copies of files or directories. ( I was here investigating why one of my security backup shell script was making corrupted backups, and only on macOS ). How to recover the standard behaviour --extattr working on modern macOS?