Create a Sandbox for apps using folder actions

May 27, '04 09:24:00AM

Contributed by: anjoschu

Although there already exists a hint dealing with how to run an application as another user, I'd like to share a different approach. Create a folder, call it Sandbox or something, and attach this folder action script:

property theUser : "testuser" -- change this to the unprivileged account the apps should run as
property theGroup : "testuser" -- usually same as user (on Panther)

on adding folder items to thisFolder after receiving theseItems
  repeat with oneItem in theseItems
    set thePath to quoted form of POSIX path of oneItem
    -- set the setuid bit on every file in the bundle that is already user-executable
    set chUserBit to "sudo find " & thePath & ¬
     " -perm -u+x -exec chmod u+s {} \\; ; "
    -- set the setgid bit on every file that is already group-executable
    set chGrpBit to "sudo find " & thePath & ¬
     " -perm -g+x -exec chmod g+s {} \\; ; "
    -- hand the whole bundle over to the unprivileged user and group
    set chOwner to "sudo chown -R " & theUser & ":" & ¬
     theGroup & " " & thePath
    try
      -- runs as root after a single admin password prompt, so the sudo prefixes above are redundant
      do shell script chUserBit & chGrpBit & chOwner ¬
       with administrator privileges
    on error m
      display dialog m
    end try
  end repeat
end adding folder items to

This AppleScript needs to be copied to ~/Library -> Scripts -> Folder Action Scripts or /Library -> Scripts -> Folder Action Scripts in order to be recognized.

What it does: For each application that you put in the Sandbox folder, this script changes the permissions and ownership of its files so that it runs as the testuser when launched. In contrast to the setuid approach, you only need to enter your admin password once, when adding the app to the folder, and not on every app launch. And having a Sandbox folder just seems more intuitive to me.

How it works: When the setuid and setgid bits are set on an executable, it runs with the effective user and group IDs of its owner and group, no matter who launched it. By setting both bits on the executables inside the bundle and changing the owner and group to our unprivileged testuser, we get the app to run as that testuser. Two things are worth checking afterwards: the bits only take effect on native executables (the kernel ignores them on shell and other interpreter scripts), and a chown may clear set-id bits on some systems (POSIX leaves this to the implementation), so confirm with ls -l that the s bits are still present once the folder action has run.
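An added check, not part of the original hint: a small POSIX shell audit for a Sandbox folder that lists which files ended up with set-id bits and flags any that are not owned by the expected user. The Fake.app bundle used by the demo is constructed in a temporary directory and is an assumption of the example, not a real application.

```shell
#!/bin/sh
# Audit helpers for a Sandbox folder (added example; works with both
# BSD find on macOS and GNU find).

# Print every regular file under $1 carrying the setuid (4000) or setgid (2000) bit.
list_setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Of those, print the ones NOT owned by the expected user $2.
# After the folder action has run, this list should be empty.
setid_files_not_owned_by() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -user "$2" -print | sort
}

# Number of set-id files under $1, printed as a bare integer.
count_setid_files() {
  list_setid_files "$1" | wc -l | tr -d ' '
}

# Self-contained demo on a constructed fake bundle in a temp directory.
# Only the setuid bit is set here (no root needed on a file you own);
# it prints how many set-id files the audit finds.
demo_audit() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/Sandbox/Fake.app/Contents/MacOS"
  printf '#!/bin/sh\necho hi\n' > "$tmp/Sandbox/Fake.app/Contents/MacOS/Fake"
  chmod 4755 "$tmp/Sandbox/Fake.app/Contents/MacOS/Fake"  # executable + setuid
  printf 'plist' > "$tmp/Sandbox/Fake.app/Contents/Info.plist"
  chmod 644 "$tmp/Sandbox/Fake.app/Contents/Info.plist"   # data file, never set-id
  count_setid_files "$tmp/Sandbox"
  rm -rf "$tmp"
}
```

Run `list_setid_files ~/Sandbox` and `setid_files_not_owned_by ~/Sandbox testuser` after dropping an app into the folder; a non-empty second list means the chown did not reach every set-id file.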

Notes: [robg adds: I haven't tested this one...]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20040526102927874