QRecallDownloadIdentity KeysForumsSupport
  [Search] Search   [Recent Topics] Recent Topics   [Hottest Topics] Hottest Topics   [Groups] Back to home page 
Pre-authorized administrative privileges don't seem to stick  XML
Forum Index » Problems and Bugs
Author Message
AZ 2011



Joined: 10-Dec-10 14:54
Messages: 6
Offline

Every time my backup runs, I receive the top-level error message "Administrative priviledges have not been pre-authorized", and the companion error message "Unable to obtain extended attributes". I have gone to Preferences -> Authorization, clicked "Preauthorize..." and entered my administrator username & password. The dialog closes with no indication of success or failure, but the log message suggests to me that it isn't working. Advice?
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

AZ 2011 wrote: I have gone to Preferences -> Authorization, clicked "Preauthorize..." and entered my administrator username & password. The dialog closes with no indication of success or failure, but the log message suggests to me that it isn't working.

That's definitely the correct way to do it, so something is clearly wrong. First, send a diagnostic report (Help > Send Report...) and I'll look for clues.

Try uninstalling and reinstalling QRecall. In the QRecall application, hold down the Command+Option keys and choose QRecall > Uninstall and Quit. Start QRecall again, go the preferences, and Preauthorize again. See if that improves the situation.

Is the account you have QRecall installed in an admin account? There are new security restrictions in OS X that make pre-authorizing QRecall for use in a non-administrative account problematic. If you need to run QRecall with admin privileges, my recommendation is to install and configure QRecall from within an administrator's account.

- QRecall Development -
[Email]
AZ 2011



Joined: 10-Dec-10 14:54
Messages: 6
Offline

When I press command+option and select the QRecall menu, there is no "uninstall and quit" item... just "quit". I've tried each key on its own, and I've tossed in the shift and control keys. No change to the menu. Is there another way to perform the "uninstall and quit" action?

I am running qrecall from an administrator account, and giving the same username and password as the currently-logged-in user.

Help report has been sent, you should have it now.
AZ 2011



Joined: 10-Dec-10 14:54
Messages: 6
Offline

Found the key combination: shift + command + option. Trying the reinstall now.
AZ 2011



Joined: 10-Dec-10 14:54
Messages: 6
Offline

Uninstall, reinstall, test... same error in the log. Thanks for any advice or suggestions.

James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

AZ 2011 wrote:Found the key combination: shift + command + option.

Ooops, my bad.

Help report has been sent, you should have it now.

It didn't arrive, so something is really wrong.

Uninstall, reinstall, test... same error in the log.

Try to sending me your log file manually. In your <home folder>/Library/Logs/QRecall folder, find the QRecall.log file. Select it in the finder and compress it (File > Compress "QRecall.log"). Send the compressed file to james@qrecall.com.

- QRecall Development -
[Email]
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

I received your log file, and something is definitely off. When you authorize QRecall, the QRecallHelper process temporarily gets the correct administrative privileges, runs, and installs the pre-authorized copy of itself. However, the next time the system runs it, the helper doesn't have administrative (root) privileges. So it either reports an error or tries again.

Is your ~/Library folder on a different volume than the one you boot from?

Also, I'd be very interested to see the results of issuing the following two commands in the Terminal:


- QRecall Development -
[Email]
AZ 2011



Joined: 10-Dec-10 14:54
Messages: 6
Offline

My user directory is on the boot volume, in the typical place (/Users/user/), and Library is inside that folder. It is not a symbolic link or anything unusual.

The permissions output you requested is --

$ ls -ld ~/Library/Application\ Support/
drwx------+ 39 user group 1326 Dec 7 14:07 /Users/user/Library/Application Support/
$ ls -l ~/Library/Application\ Support/QRecall/
total 2960
-rwxr-xr-x 1 user group 1513536 Dec 11 2009 QRecallBundledHelper
drwxr-xr-x 3 user group 102 Dec 11 2009 QRecallMonitor.app

-- Does something need to be setuid or have some other special flag in order to use administrator permissions?
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

AZ 2011 wrote:Does something need to be setuid or have some other special flag in order to use administrator permissions?

Yes. Immediately after preauthorizing QRecall to run with administrative privileges, a SUID QRecallHelper should be installed in your Application Support folder, like this:



I reviewed the code and your log file, and I found two really strange anomalies.

First, even though your QRecall application is install in /Applications, QRecall thinks that /Applications and /Users/you/Library/Application Support are on different volumes. Is there any chance that this is true?

The serious problem appears to be that your system is not allowing QRecallHelper to run SUID as root. The log shows that the QRecallHelper is copied to the Application Support folder and set to SUID. It then immediately runs the newly installed tool to check it out. It doesn't run as root, so the tool is immediately deleted.

That's why I asked you if your Application Support folder was on a different volume. Mac OS X, as a security measure, now ignores the SUID attribute of executables on external volumes.

- QRecall Development -
[Email]
AZ 2011



Joined: 10-Dec-10 14:54
Messages: 6
Offline

I hadn't thought about the different volumes thing until your message just now... I am filevaulted. That means my home directory is in an encrypted disk image that gets mounted at login-time. So: Yes, my Library directory is on a "different volume" than my boot volume. It is automatically linked to /Users so I don't notice that distinction. My earlier remarks were incorrect.

I can manually change the SUID bit, but it sounds like that won't help. What is the "correct" way to solve this problem? I could create a "Qrecall Helper" directory on my boot volume and then make symlink to it from my Library directory.

Thanks for all your help and quick responses!
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

AZ 2011 wrote:I am filevaulted.

Ah, that's the problem.

QRecall and FileVault don't play well together. It seems as though every security measure Apple adds to OS X in general, and FileVault in particular, breaks something in QRecall. Don't get me wrong; I'm actually big fan of OS X's security model, it just sometimes makes life hard for us legitimate developers.

My best suggestion is to uninstall QRecall in your current account, create a second admin account (if you don't have one already), and install QRecall there. Set it up so that actions run when logged out, then schedule the capture actions to run when you'll be logged into your FileVault account.

I had QRecall working with FileVault for awhile, but recent changes have broken that again. I have a to-do item to revisit FileVault compatibility, but I've put it off until I've added encryption to QRecall archives—users that are encrypting their home folder generally don't want an unencrypted copy setting on an external drive. As a workaround, I do have a few users who store their archives on encrypted disk images or hardware encrypted hard drives.

- QRecall Development -
[Email]
 
Forum Index » Problems and Bugs
Go to:   
Powered by JForum 2.1.8 © JForum Team