I am developing an OSX application for school where multiple users of the same mac will able to launch the program based on shared configuration (i.e. database connection info).
By design, the normal user without administrative privilege should not be allowed to modify the configuration.
Based on unix convention, I am storing the configuration file under /usr/shared/, but this caused another problem:
- Even when logged in as administrator, application will not able to write to the location above. Users will have to launch the application with elevated privilege (using sudo) if they need to make changes to the configuration file.
My question is, whether using "sudo" to write to restricted area is a common practice in mac osx ?
I would say that using "sudo" on a Mac is only common practice for certain types of users, such as network administrators and users who like to do more than just use standard applications.
I certainly would not expect students and teachers to be using the terminal and sudo.
When developing OSX apps, Apple provides the Authorization Services, from the security framework, for the app to be able to separate privileged features from standard ones and prompt users for their credentials when required.
You will have seen this in the System Preferences panes, where you see the padlock icon. Any application can call upon these services, though I'm not sure if it's possible with Java. This is Apple's recommended method of handling a problem such as this, in addition to factoring out privileged tasks to a separate application with a function they term 'SMJobBless'.
Interestingly, the domain of your question maps directly onto Apple's described scenario of using this system for "Simple, Self-Restricted Applications".
With that being said, if only yourself or other network administrators are going to be modifying the config file, then I'd recommend leaving out any features in the app for modifying it and doing it directly with sudo and a text editor such as vi, when required.
Definitely, unless you chmod its privilege with sudo(root)
Related
i am currently writing a game on javaFX and i have plans to post it in the website i run in the future (end exploit the Ads while at it). The problem is that after searching around a little it seems there is no way to run a java application on a browser.
Allowing people to run it through the browser would really help sharing the program.
My question is: is there today(2018) any way to run a java application through the web? Though i like java, no browser support seems like a really, really bad idea.
Oh, i also heard of Java Web Start. Although it looks like it is just avoiding the problem (not running in the browser) it seems like a good way to share an application. The problem is that it seems it is (Will be?) deprecated? I am helpless, it is like java isn't even trying anymore...
PS: If it makes any difference my game would be a 2D game with 3rd person view. It will also require some server stuff since players will create "arenas" that others can challenge. I would say my game wouldn't be "simple".
Java Web Start does the job very well—if you are willing to pay for a code signing certificate. (They’re a lot more expensive than regular SSL certificates.) The idea is that a user clicks on a hyperlink on your page, which causes the user’s Java installation to launch your application (possibly after installing it). This requires users to have Java installed beforehand.
If you don’t have the resources or desire to go with a code signing certificate, you can look at https://docs.oracle.com/javase/9/deploy/self-contained-application-packaging.htm. It allows you to create native installation packages for JavaFX applications. The disadvantage: You need each platform to create an installer for it. Meaning, you need Windows to create a Windows installer, OS X to create an OS X installation image, and Linux to create a Linux package. Some may also require signing using native tools.
Java 9 includes the jmod and jlink tools, which are capable of creating a file tree with an executable shell script or .bat file. A major advantage is that you can build such a tree for any platform, regardless of your own platform, if you unpackage the foreign platform’s JDK on your machine. Another advantage is that the user doesn’t need to have Java installed at all. A disadvantage is that the script requires a terminal, unless running on Linux.
Of course, you can just go the manual route and distribute a zip file which contains your .jar file(s), a shell script you’ve written, and a .bat file you’ve written. It’s not elegant, but it’s better than nothing. But it may trip up some non-technical users.
There exist a number of tools which create a native executable from .jar files, but I am not familiar with them (and I prefer to avoid third party tools unless they are truly necessary).
Whatever approach you choose, the answer is the same: You distribute something on your web page which the user downloads and runs. Aside from the download process, the browser is not involved.
What you can’t do is have users run your application inside the browser. That is deprecated, with good reason: It’s a disaster for the browser performance, for the Java runtime, for security, and for the user experience. And Firefox has all but banned plugins, so you’d be locking out a substantial percentage of users.
So, how much trust do I need to have in a publisher before I run their applet in the web browser?
In other words, I understand that a java applet is run in a sandbox in the browser, but this article suggests that the applet can actually access files stored on the local computer.
Can you please clarify the security limits of a java applet run in a modern browser, such as Firefox 50?
I understand that a java applet is run in a sandbox in the browser, but this article suggests that the applet can actually access files stored on the local computer.
There are potentially three different levels of security available to a Java applet.
The first is as you described 'sandboxed'. They can only access resources from their own server, nothing on your local file system unless they are launched using Java Web Start & will thereby have access to the services of the JNLP API. You might note that two of the services are the FileOpenService / FileSaveService! If the applet goes to use these, the end user will be prompted to permit the action via a dialog that states what the applet is trying to do, and asking for permission to proceed (to show a file chooser & go from there). These services provide back a 'file like' object that is more limited than the normal File API would supply. For example, it will not provide the path to the resource, just it's name and access to the content.
The level up from that can be specified in the launch file - '(J2EE) application client permissions'. This level removes the prompts for use of the JNLP API services.
The highest level of access is obtained by requesting, and being granted, 'all permissions'. Then the applet should have full access to File objects, be able to communicate with servers other than the one that launched it, etc. One of the few things they would still not be permitted to do in this mode is to call System.exit(n) to effectively 'kill the JRE' - this is something that is commonly done in other desktop apps.
But then there are JRE bugs, that screw all that up. Sun, then Oracle, kept stuffing up security so poorly (& regularly) that many browser manufacturers are entirely removing the support for applets (and other embedded objects requiring plug-ins) in web pages.
See Java Plugin support deprecated and Moving to a Plugin-Free Web for more detail.
..how much trust do I need to have in a publisher before I run their applet in the web browser?
I cannot answer for you, but my take would be that I would need to know them personally, and trust completely both their integrity and competence before I'd run their code in any browser I controlled.
Having said that, I don't think I have a single browser installed that even supports applets, and my complete lack of motivation to set something up, is probably a good view on whether I'd allow applets to run on this PC at all.
I have a java application and two different wireless network connections (wifi) on my desktop.
This is a desktop application, not android.
One method of this applicaiton works well with wifi1, second method works well with wifi2.
So far in order to use different methods I have to change wifi settings on my desktop manually.
Is there any way I could change wifi connection setting from the application programmatically ?
Java is a High-Level, Platform-Independent programming language. Network settings, and how you control them will depend on your Operating System, and to my knowledge there is no simple way to expose this in Java.
'
Luckily, some platform-dependent code mixed with Java can help you achieve the result you're after.
The Java
See the Runtime.exec() method, which allows you access to the Windows Command Line or the Mac/Linux Terminal.
The Windows (Adjust for other OS'es)
Now that we have access to the Command Line, we have to run the proper, platform-specific command. See this tutorial for Windows.
Note that it is not a good idea to modify a user's network settings (or anything else external to your application) without their consent.
How to call the authentication window, to grant access for root for a while for current application, from a class.
for example, I'm writing some app to work with partitions, so it need's root privileges to execute some things.
Probably you can't do that with Java. The best way to do is, maybe you can detect that program is not run as sudo so you can ask users to shutdown the program and relaunch as super user. (for this solution, I'd prefer choosing a file or directory from system files and check whether it is writable or not. e.g. new File("/usr/bin/ls").isWritable())
Other ways might be launching Desktop Environment-specific authentication windows. e.g. There is Java-gnome but as you might expect, not all users supposed to use GNOME. So there is not really a universal solution and all comes with tons of dependencies. Java is not designed for this.
The best thing is to check super user privileges with a trick on startup. Maybe you can elaborate your problem and we can come up with a solution that does not require root access.
I want to read the web address of all open windows. As soon as the window closes, I should know it too.
One way to do this is by asking the user to download a firefox plugin. This plugin should monitor the user web address.
But is this possible? How to go about executing it. I am pretty decent in Java and PHP.
EDIT:
What if the user wants to give permission to access all the websites he or she visits?
I want to display in a visual manner the statistics of the sites being visited by users who grant permission.
As noted, this cannot be done with standard JavaScript/DOM methods that run inside a page, for security and privacy reasons.
You could definitely do it with a Firefox add on, plugin or extension.
I suggest reading the Firefox addons developer guide and the Developer Hub in general. The language used to develop for Firefox is JavaScript.
nsIWindowMediator can be used to enumerate open windows, and properties can be obtained through the nsIDOMWindow objects. As explained here,
"While you can use JavaScript to get child windows opened from the parent window, you cannot get dialogs or windows that have no relation to that window. To overcome this limitation, nsIWindowMediator makes it possible to access all of Firefox's windows."
this likely violates the same origin policy, which rules this out
it basically controls the code so that it does not read anything it did not create
so no spying can be done
No, this would be a major security and privacy issue.
This is definitely a security violation similar to sniffing; and would require certain privileges to run on each platform (such as an activeX or plugin or a privileged applet).
However, this can be done using javascript only the page containing the script it self is responsible for opening windows (meaning not all windows such as window opened by user) - if that is what you are looking for, let me know.