I am developing an utility application which logs other apps' file system activities. Therefore I am looking for a way to receive file system change notifications including the file paths as well as the corresponding PIDs.
According to my state of knowledge the only way to do this is to listen at "/dev/fsevents" using root privileges. Is there another option to track those file system changes without running a root privileged process?
Thanks in advance!
regards,
Tobias
No. You need to use /dev/fsevents or dtrace or something, all of which require root privilege.
As you know, the public FSEvents api doesn't give you fine grained info as you want.
But this is as it should be. When you ask "is this possible without root privilege?", you should ask yourself "do you want others to do this without root privilege on my machine?"
Then you know this is clearly wrong if it's possible without root privilege: you shouldn't be able to know, without root privilege, which file is accessed by a privileged process.
Related
I am writing a service/module in Go for a bigger system and I'm having trouble with permissions on macOS. I am hoping anyone here has any experience with this.
This module is using network interfaces in macOS (read+write), and therefore needs admin/root permissions. The module is also in the form of a process which will communicate with parent process through stdio. Since it needs root permissions, I have tried wrapping it in AppleScript: do shell script [...] with administrator privileges, but osascripts does not return the output in real time, instead it returns the stdio output when process has exited. I need the stdio output in real-time, and it is annoying to write the password every time the module is started.
So that leaves me with the question of how I can request permissions for network control in Go. Like the popup you see on some programs "wants to use your microphone", only with network permissions. Is this possible?
If not, how can I solve this issue of needing root permission for a real-time module in macOS?
I found a viable solution; launching the script with sudo -S , and asking the user for root password through my own GUI service. As long as the root password isn't stored anywhere, it should be fine security-wise.
I'm using Active Directory and belong to specified group. (Not an Administrator.)
I have made folder in my 'C:' and then trying to share to another group users.
But I can't. Just i can get the warning message that '~Access denied~. You did not make shared resources.'.
Is there way to take care of this problem?
Thank you~!
Sharing of resources might have been blocked by your Administrator, either get your self added in power users group / asked them to share folder for you.
If you have Administrator Access - login with that and try. other wise less privileged user can not share the resources.
Being fairly new to the Linux environment, and not having local resources to inquire on, I would like to ask what is the preferred method of starting a process at startup as a specific user on a Ubuntu 12.04 system. The reasoning for such a setup is that this machine(s) will be hosting an Input/Output Controller (IOC) in an industrial setting. If the machine fails or restarts, this process must boot automatically..... everytime.
My internet searches have provided two such area's to perform this task:
/etc/rc.local
/etc/init.d/
I ask for the specific advantages and disadvantages of each approach. I'll add that some of these machines are clients and some are servers, but all need to run an IOC, and preferably in the same manner.
Within what ever method above is deemed to be the most appropriate, a bash shell script must be run as my specified user. It is my understanding all start up process are owned by root. So I question if this is the best practice:
sudo -u <user> start_ioc.sh
If this is the case, then I believe it is required to create a file under:
/etc/sudoers.d/
Using:
sudo visudo -f <filename>
Where within this file you assign the appropriate rights and paths to the user. Most of my searches has shown this as the proper format:
<user or group> <host or IP>=(<user or group to run as>)NOPASSWD:<list of comma separated applications>
root ALL=(user)NOPASSWD:/usr/bin/start_ioc.sh
So for final additional information, the ultimate reason for this approach, which may also be flawed logic, is that the IOC process needs to have access to a network attached server (NAS). Allowing root access to the NAS is I believe a no-no, where the user can have the appropriate permissions assigned.
This may not be the best answer, but it is how I decided to complete this task:
Exactly as this post here:
how to run script as another user without password
I did use rc.local to initiate the process at startup. It seems to be working quite well.
I'm using Apache 2 to run my localhost on Mac (Mavericks), and every time I add a file or a folder in the default directory /Library/WebServer/Documents (and its subdirectories) the system asks me to authenticate:
This is a problem specially when using frameworks like Symfony or Zend Framework because they can't have writing access to folders. What can I do to solve this?
Mac/Linux grants access on different levels:
Per user
Per group
Per everybody
The folder Library/WebServer/Documents outside of the logged-in user paradigm (you) therefore write access (and other access like execute) is only granted to the administrator of the computer (or so-called root) which isn't you however on most Mac environment the password of root is your password (different users with the same password).
You will want to modify Apache2 configuration and change the directory to a folder located within your user's directory which is something like /Users/{whatever is your username} (you will probably need to create the folder).
Once, you moved the content of /Library/WebServer/Documents into the new folder, make sure the permission are set properly. Refer to the following documentation at the chapter "How to Modify Permissions with the Info Window".
The reason why your Mac is asking for permissions to write files outside of your user's directory is for security reasons. Imagine if you download a file, execute it and grant access (by giving the root password) then the file could potentially be a virus and erase or do all kind of things on your computer.
Is there a simple, quick, non-invasive windows admin task that can be performed from a java process to validate if the current process is running as administrator?
I know we could run batch commands to check if current user is member of administrator group. But there are complications of portability across Vista etc.
A simple example would be:
echo. 2> %SYSTEMROOT%\EmptyFile.txt
However, this is invasive. We dont want to create files
Any other option?
In general, you may find it a better choice to check for a specific permission rather than implying permissions from role assignments. One reason for this is that in a domain environment you may have local administrators and domain administrators. They are not necessarily equivalent. Also, even an administrator's permissions can be altered or specific file/directory permissions be "tweaked" to, for example, deny access to "localmachine\administrators".
Checking for a specific permission guarantees that, given specific user credentials, that user can or cannot perform some action, regardless of what roles they might be assigned to.
I know that doesn't answer your question, but it may help shed some light on the problem of assuming permissions from roles.