Understanding Privileged Helper Tools in OSX


I need at some point in my application an elevated operation. For this I found Apple's SMJobBless mechanism. I have written a simple helper tool and install it via SMJobBless. So far this works. But what I do not understand right now: How do I start that helper tool after installing it?

There are 2 best solutions below

0
On BEST ANSWER

By reading pretty much everything I found documented for this, I now use an XPC connection to activate the helper tool, which then gets started on demand by launchd after installing it using SMJobBless. To do this, you need to create a MachService via the plist of your helper tool:

<key>MachServices</key>
<dict>
    <key>com.my.program.Helper</key>
    <true/>
</dict>

(This needs to be done in the launchd.plist of your helper, not the Info.plist.)

In your helper tool, you then have to create the Mach Service:

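// In the helper's class interface:
@property (atomic, strong, readwrite) NSXPCListener *listener;

// During the helper's setup: listen on the Mach service named in its launchd.plist.
self->_listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.my.program.Helper"];
self->_listener.delegate = self;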

After that, you can connect using XPC. If you need more information on this, see this example from Apple: https://developer.apple.com/library/content/samplecode/EvenBetterAuthorizationSample/Listings/Read_Me_About_EvenBetterAuthorizationSample_txt.html
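
The pieces described in the answer above, put together as an added example (not part of the original answer and not Apple's sample code): the helper's listener and the application-side connection that makes launchd start the helper. The protocol `HelperProtocol`, its method, and the `BUILD_HELPER` macro are hypothetical names chosen for illustration.

```objc
#import <Foundation/Foundation.h>

// Hypothetical protocol shared by the app and the helper (assumed name).
@protocol HelperProtocol
- (void)getVersionWithReply:(void (^)(NSString *version))reply;
@end

// Helper side: runs as root, started on demand by launchd.
@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@property (atomic, strong, readwrite) NSXPCListener *listener;
@end

@implementation Helper
- (instancetype)init {
    if ((self = [super init])) {
        // Must match the MachServices key in the helper's launchd.plist.
        _listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.my.program.Helper"];
        _listener.delegate = self;
    }
    return self;
}
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Other local processes can also connect to this Mach service. This example
    // accepts every caller; authorize the caller before doing privileged work.
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
- (void)getVersionWithReply:(void (^)(NSString *))reply { reply(@"1.0"); }
@end

#ifdef BUILD_HELPER   // assumed macro: defined when compiling the helper target
int main(void) {
    Helper *helper = [[Helper alloc] init];
    [helper.listener resume];            // start accepting connections
    [[NSRunLoop currentRunLoop] run];    // keep the helper alive
}
#else                 // application side: the first message launches the helper
int main(void) {
    NSXPCConnection *c = [[NSXPCConnection alloc]
        initWithMachServiceName:@"com.my.program.Helper" options:NSXPCConnectionPrivileged];
    c.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    [c resume];
    id<HelperProtocol> proxy = [c remoteObjectProxyWithErrorHandler:^(NSError *e) {
        NSLog(@"XPC error: %@", e); exit(1); }];
    [proxy getVersionWithReply:^(NSString *v) { NSLog(@"helper version %@", v); exit(0); }];
    [[NSRunLoop currentRunLoop] run];
}
#endif
```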

0
On

Unfortunately Apple has pretty much abandoned the sample Nidhoegger referenced and has never put out a new one in Swift. For anyone looking for how to best approach this in Swift, I put together SwiftAuthorizationSample which hopefully shows how to do this pretty simply. Since I also initially found this pretty confusing and concluded it's way more complicated than it ought to be, I made the SecureXPC framework which makes creating the server for this scenario just XPCMachServer.forBlessedHelperTool() - it automatically configures itself based on the property lists you already had to create for SMJobBless.