I'm a noob to objective c and I have a daemon code that runs as root (system-wide application) and communicates with a server. Every once in a while, the server will command that root app to fire up an additional application that runs within the logged on user context (without interrupting the user - silently).
I have the user context application written as well. What I'm lacking is the understanding on how my root daemon can launch the user context application.
How can my daemon fire it up on demand?
Should I use an agent?
Does it mean the agent will be run at startup?
I've read https://developer.apple.com/library/mac/#technotes/tn2005/tn2083.html as well as http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html but feel I am missing something out.
BTW - the solution should work on 10.6, 10.7, 10.8 ...
Thank you all in advance :o)
This will work if you know current logged in user.
sudo chown -R current_loggedin_user myApp
sudo chmod u+s /Contents/MacOS/myApp
system([#"open myApp" UTF8String]); //inside root process
If the s group of permissions has the user bit set (corresponding to u+s), then whenever anyone executes that program, the process takes on the privileges of whoever owns it. So current_loggedin_user is owner of myApp, open will run myApp in current_loggedin_user mode.
s The set-user-ID-on-execution and set-group-ID-on-execution bits.
u The user permission bits in the original mode of the file.
But it will throw following error if user is not logged-in.
com.apple.launchd[1]: System: Bug: launchd_core_logic.c:8760 (24498):0
com.apple.launchd[1]: System: job_mig_spawn() can't find its session!
open[24459]: spawn_via_launchd() failed, errno=5 label=[0x0-0x274274].
rootProcess[23127]: LSOpenURLsWithRole() failed with error -10810 for the file /Applications/myApp.app/.
Related
My GCP VM instance was setup sometime back and all the services were working fine. However, suddenly from today I am not able to login via SSH and even an instance restart did not fix the issue. When checked the serial log, it seems to have stopped in this line,
[ 8.686861] intel_powerclamp: No package C-state
availableintel_powerclamp: No package C-state available[ 8.705723]
attempt to access beyond end of device [ 8.706721] sda1: rw=0,
want=41927608, limit=41927602 [[32m OK [0m] Started Security
Auditing Service.
Starting Update UTMP about System Boot/Shutdown...
32m OK [0m] Started Update UTMP about System Boot/Shutdown.
Starting Update UTMP about System Runlevel Changes...
32m OK [0m] Started Update UTMP about System Runlevel
ChanWelcome to emergency mode! AfterGive root password for maintenance
(or type Control-D to continue):
It won't proceed further to start SSH and other services, hence I am not able to login to the instance. Any help would be greatly appreciated.
Thanks in advance.
The error
No package C-state available
points to problems to mount the filesystem.
Did you try to follow the steps written in this other post ?
When you see Ctrl+D enter root password. Then enter mount -a to see in what line is the error.
Enter vi /etc/fstab and correct whatever is missing, save and reboot.
What you can do is logon to the serial console so you can interact with it. It will probably ask you for a root password and if you have not set that up, you can set that up through startup scripts.
I just purchased new raspberry pi and tried to install raspbian using Noobs.
So the installation goes successfully and I boot into raspbian GUI successfully and make changes to raspi-config like to ask for the password when booting into GUI and enable various option like SSH,SCI and more. Then it reboots and gives me following error:
Raspberry pi Fatal server error: could not create lock file in /inp/.1xd-lock Please consult the X.org Foundation support at http://wiki.x.org for help
init: giving up
init: unable to connect to X server: Connection not sucessfull
init: server error nuth: error in locking authority file /home/pi/.xauthority
I have done this process so many time it is giving me same error every time. Any suggestion.......
Check your .xauthority file to make sure it's owned by the user you're logging in as rather than root. If it's owned by root, you can either change the ownership, or simply delete it and it will be recreated next time you attempt a login.
This has happened to me before!
It is likely your .xauthority file is corrupted, or root owns that file which means it won't let you boot into the GUI. Try this code and it seemed to work for me...
sudo chown -R pi:pi /home/pi
Basically what this is doing is it is reverting all the files' permission settings back to you, so the .Xauthority file for your account will be yours again.
BUT...
If the actual file itself is corrupt, then do this:
xauth -b
.Xauthority is not needed on startup, so it is safe to just delete it off your SD card, since a new version will be generated when you boot into the GUI.
When I execute the command "iisreset" through an ssh terminal on a remote windows machine, I get the following error:
Attempting stop...
Restart attempt failed.
Access denied, you must be an administrator of the remote computer to use this
command. Either have your account added to the administrator local group of
the remote computer or to the domain administrator global group.
When I type whoami, it shows that I am the administrator. My cygwin ssh session is running as the "cyg_server" user who has admin privileges.
My ssh server is configured with privilege separation and allows me to login as administrator.
When I run the command locally, it works fine. The problem is execution through ssh.
I've also used process monitor to see what's going on, but it does not indicate the problem.
That is pretty strange because I am able to do admin-only operations in remote ssh such as:
echo "hi">/cygdrive/c/x.txt
rm /cygdrive/c/x.txt
Turning off UAC did not make a difference.
Any ideas?
I had a similar problem: unable to start/stop services using net start/net stop from a remote password-less (public/private key) SSH user. Attempting to start/stop the service was resulting in a "System Error 5 has occurred. Access is denied." error).
I had to install Cygwin's LSA authentication package (see http://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview) in order for (I presume) setuid to work properly for password-less logins.
The problem should go away once LSA is installed on the Cygwin/SSH host and the machine has been rebooted.
I got scared of the LSA package mentioned in #user3609241's answer because of this sentence in the LSA docs:
as soon as the LSA encounters serious problems (for instance, one of
the protected LSA processes died), it triggers a system reboot.
But, those same docs point to a very easy way to "runas" SYSTEM - just use the at command:
$ date
Mon, Jan 12, 2015 8:17:35 PM
$ at 20:18 iisreset
Added a new job with job ID = 1
$ at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
1 Today 8:18 PM iisreset
It works, at the cost of having to wait up to 59 seconds.
(wrapping the above sequence of commands in a simple-to-call script is left as an exercise to the reader; our management util is written in Perl so it was pretty straightforward).
Run the Cygwin terminal as administrator
I have created a small application that auto elevates as administrator using the command:
requestedExecutionLevel level="highestAvailable" uiAccess="false"
This works fine if I run the application locally on the computer. However, if the computer tries to run my execuatable across the netork, it simply crashes on startup with a message "Do you want to send more information about the problem?" error. If I right click and run as administrator, my application will work and will prompt for admin credentials.
The folder I am running my application from (across the network) has full read/write permissions for 'everyone'.
My question is: Is there something I've missed? Why can I run my application locally and not get prompted but across the network crashes or requires admin?
Can anyone help explain what might be causing this issue?
UPDATE
I have checked my event viewer log and it shows the following:
Application: AutoUpdater.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
Stack:
at System.Net.Sockets.Socket..ctor(System.Net.Sockets.AddressFamily, System.Net.Sockets.SocketType, System.Net.Sockets.ProtocolType)
at System.Net.Sockets.TcpListener..ctor(System.Net.IPAddress, Int32)
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel.SetupChannel()
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel..ctor(System.Collections.IDictionary, System.Runtime.Remoting.Channels.IServerChannelSinkProvider, System.Runtime.Remoting.Channels.IAuthorizeRemotingConnection)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.RegisterChannel(ChannelType, Boolean)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(System.String[])
at AutoUpdater.My.MyApplication.Main(System.String[])
I don't understand why it is making reference to System.Net.Sockets?? But that is what seems to be crashing my app.
Make sure that the other computers attempting to run your application have the correct .Net framework versions installed. If users are able to open the executable, there shouldn't be any other issues with permission.
If you have verified the framework versions, see if there is anything in the error report that might point to a reason for the crash. A lot of times there may be something in there that can point you in the right direction.
.NET applications don't like to run from the intranet by default.
Try this:
Go to Control Panel -> Administrative Tools -> Microsoft .NET Framework 2.0 Configuration
Click Configure Code Access Security Policy link
Click Adjust Zone Security
Set the My Computer and Local Intranet to Full Trust
If this works, then it is a local security issue. If you need it scripted out, you can use the caspol exe that is in the framework. Sample
C:
cd %windir%\Microsoft.NET\Framework\v2.0.50727
CasPol.exe -pp off -m -ag 1. -URL Z:\folder\EXEName.exe FullTrust -n FriendlyNameOfEXE
How can I stop and then restart an IIS 7 application pool from an MSBuild script running inside TeamCity. I want to deploy our nightly builds to an IIS server for out testers to view.
I have tried using appcmd like so:
appcmd stop apppool /apppool.name:MYAPP-POOL
... but I have run into elevation issues in Windows 2008 that so far have stopped me from being able to run that command from my TeamCity build process because Windows 2008 requires elevation in order to run appcmd.
If I do not stop the application pool before I copy my files to the web server my MSBuild script is unable to copy the files to the server.
Has anybody else seen and solved this issue when deploying web sites to IIS from TeamCity?
This article describes using an htm file named App_offline.htm to take a site offline. Once the IIS detectes this file in the root of a web application directory,
ASP.NET 2.0 will shut-down the application, unload the application
domain from the server, and stop processing any new incoming requests
for that application.
In App_offline-htm, you can put a user-friendly message indicating that the site is currently under maintainance.
Jason Lee shows the MSDeploy calls you need to use (plus much more about integrating these steps in your build scripts!).
MSDeploy
-verb:sync
-source:contentPath="[absolute_path]App_offline-Template.htm"
-dest:contentPath="name_of_site/App_offline.htm",computerName="copmuter_name",
username=user_with_administrative priviliges,password=passwort
After deployment you can remove the App_offline.htm file using the following call:
MSDeploy
-verb:delete
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
The msbuild community tasks includes an AppPoolController that appears to do what you want (though as noted it is dated and at present only supports IIS6.) An example:
<AppPoolController ApplicationPoolName="MyAppPool" Action="Restart" />
Note that you can also provide a username and password if necessary.
Edit: Just noticed that the MSBuild Extension Pack has an Iis7AppPool task that is probably more appropriate.
this is the fairly hackey workaround I ended up using:
1) Set up a limited-access account for your service to run as. Since I'm running a CruiseControl.NET service, I'll call my user 'ccnet'. He does NOT have admin rights.
2) Make a new local user account, and assign to the Administrators group (I'll call him 'iis_helper' for this example). Give him some password, and set it to never expire.
3) Change iis_helper's access permissions to NOT allow local login or remote desktop login, and anything else you might want to do to lock down this account.
4) Log in (either locally or through remote desktop) as your non-admin user, 'ccnet' in this example.
5) Open a command terminal, and use the 'runas' command to execute whatever it is that needs to be run escalated. Use the /savecred option. Specify your new administrative user.
runas /savecred /user:MYMACHINE\iis_helper "C:\Windows\System32\inetsrv\appcmd.exe"
The first time it will prompt you for 'iis_helper's password. After that, it will be stored thanks to the /savecred option (this is why we're running it once from a real command prompt, so we can enter the password once).
6) Assuming that command executed OK, you can now log out. I then logged back in as a local admin and turned off the 'ccnet' user for local interactive login, and remote desktop. The account is only used to run a service, but no real logins. This isnt a mandatory step.
7) Set up your service to run as your user account ('ccnet').
8) Configure whatever service is running (CruiseControl.NET in my case) to execute the 'runas' command instead of 'appcmd.exe' directly, the same as before:
replace:
"C:\Windows\System32\inetsrv\appcmd.exe" start site "My Super Site"
with:
runas /savecred /user:MYMACHINE\iis_helper "\"C:\Windows\System32\inetsrv\appcmd.exe\" start site \"My Super Site\""
The thing to note there is that the command should be in one set of quotes, with all the inner quotes escaped (slash-quote).
9) Test, call it a day, hit the local pub.
Edit: I apparently did #9 in the wrong order and had a few too many before testing...
This method also doesn't completely work. It does attempt to run as the administrative account, however it still runs as a non-escalated process under the administrative user, so still no admin permissions. I didn't initially catch the failure because the 'runas' command spawns a separate cmd window then closes right away, so I wasn't seeing the failure output.
Its starting to seem like the only real possibility might be writing a windows service that will run as admin, and its only purpose is to run appcmd.exe, then somehow call that service to start/stop IIS.
Isn't it great how UAC is there to secure things, but in actuality just unsecures more servers, because anything you want to do you have to do as admin, so its easier to just always run everything as admin and forget it?
You can try changing the Build Agent Service settings to log-on as a normal user account instead of SYSTEM (the default), this can be done from the services control panel (Start | Run | services.msc).
If it doesn't help, you can also try configuring the appcmd to always run elevated, refer to this document for details.
In case such option is not available for appcmd or it still doesn't work, you can disable UAC completely for this user.
Here you go. You can use this from CC.NET with NAnt or just with NAnt:
http://nantcontrib.sourceforge.net/release/latest/help/tasks/iisapppool.html