Greg Ercolano wrote:
>> _RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.
BTW, citing some specifics, using Apple's own docs as a source:
http://developer.apple.com/technotes/tn2005/tn2083.html#SECPERMISSIONTOCONNECT
Since links at Microsoft and Apple have a way of going stale constantly,
I'm quoting the relevant passage from that text here:
*** Technical Note TN2083 ***
[..]
Permission To Connect
[..]
A process can only use the global window server service if its EUID is 0
(it's running as root) or matches the UID of the console user. All other
users are barred from using it.
For a demonstration of this, you can SSH to your own machine and try to
run Activity Monitor from your shell. Listing 6 shows an example of doing
this from Terminal. The first attempt to run Activity Monitor command works
because it's running as the same user as Terminal. The second attempt fails
because the test user (mrgumby) does not match the console user, and thus
cannot access the global window server service.
Listing 6: Accessing the window server from console and non-console users
---------------------------------------------------------------------------
$ ssh ${USER}@localhost
Password:********
Last login: Wed Jun 20 11:49:23 2007
$ id
uid=502(quinn) gid=20(staff) groups=20(staff),81(_appserveradm), 104(com.apple.sharepoint.group.1),79(_appserverusr),80(admin), 101(com.apple.access_remote_ae),103(com.apple.access_ssh-disabled)
$ ls -l /dev/console
crw------- 1 quinn staff 0, 0 Jun 20 11:50 /dev/console
$ # Launch Activity Monitor and then quit it.
$ /Applications/Utilities/Activity\ Monitor.app/Contents/MacOS/Activity\ Monitor
$ logout
Connection to localhost closed.
$ ssh mrgumby@localhost
[..]
$ id
uid=503(mrgumby) gid=20(staff) groups=20(staff),105(com.apple.sharepoint.group.2), 104(com.apple.sharepoint.group.1)
$ ls -l /dev/console
crw------- 1 quinn quinn 0, 0 Oct 3 21:31 /dev/console
$ # Activity Monitor fails to launch at all.
$ /Applications/Utilities/Activity\ Monitor.app/Contents/MacOS/Activity\ Monitor
_RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.
2007-06-20 11:54:31.798 Activity Monitor[863:10b] An uncaught exception was raised
[...]
This limitation makes it very hard to reliably use the global window service because:
* Standard security practice is that daemons should not run as root;
rather, they should be run by a dedicated user (that is, the wombatd
daemon is run by a dedicated _wombat user).
Also, standard security practice dictates that programs running as root
should try to reduce their attack surface by limiting the list of
frameworks that they use. Thus, in general, programs running as root
should not use high-level frameworks that rely on the window server,
like AppKit and HIToolbox.
So, solving the problem by running as root is a security no-no.
* There is no easy way to solve the problem by running your daemon
as the console user because, with fast user switching, the console
user can change at any time.
--
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/
Tel: (Tel# suppressed)
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)
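
The permission rule quoted above, written as a pre-flight check a program could run before touching AppKit or HIToolbox. This is an added example, not code from TN2083 or from the post. The function names are hypothetical, and it assumes, as the `ls -l /dev/console` lines in Listing 6 suggest, that the owner of /dev/console is the console user.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The rule as quoted: EUID 0, or EUID equal to the console user's UID. */
int may_use_window_server(uid_t euid, uid_t console_uid)
{
    return euid == 0 || euid == console_uid;
}

/* Assumption: the owner of console_path (normally /dev/console) is the
 * console user. Returns 0 and fills *uid, or -1 if stat() fails. */
int console_owner(const char *console_path, uid_t *uid)
{
    struct stat st;
    if (console_path == NULL || uid == NULL || stat(console_path, &st) != 0)
        return -1;
    *uid = st.st_uid;
    return 0;
}

/* 1 = allowed, 0 = barred, -1 = console owner unknown (treat as barred).
 * The answer is a snapshot: with fast user switching the console user can
 * change at any time, so a long-running process must not cache it. */
int preflight(const char *console_path, uid_t euid)
{
    uid_t owner;
    if (euid == 0)
        return 1;               /* root is always permitted by the rule */
    if (console_owner(console_path, &owner) != 0)
        return -1;
    return may_use_window_server(euid, owner);
}

int main(void)
{
    if (preflight("/dev/console", geteuid()) != 1) {
        /* Fail cleanly instead of hitting the uncaught exception above. */
        fprintf(stderr, "euid %lu: cannot confirm window server access; "
                        "not loading GUI frameworks\n",
                (unsigned long)geteuid());
        return 1;
    }
    puts("window server connection should be permitted");
    return 0;
}
```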