How can Charles Proxy change settings without admin rights after first time?
Charles Proxy has a feature where it automatically configures your system proxy settings when it starts.
Every programmatic way I've found of changing these settings (e.g. networksetup) requires raised privileges to use; however, this app somehow manages to do this with standard user permissions. The only time it requires raised privileges is the very first time it runs.
Where can its permissions be managed for making changes in future, e.g., to make it ask for privileges again?
Solution 1:
Privileged Helper
If Charles Proxy is following Apple's recommendations, the permissions gained during the initial set-up will be encoded as a Privileged Helper.
On macOS the folder /Library/PrivilegedHelperTools contains tools that have previously authenticated and authorised with the user.
The folder /Library/LaunchDaemons contains the launchd files that launch and determine access to the tools.
There are other approaches, such as:
Running with Elevated Privileges
If you do need to run code with elevated privileges, there are several approaches you can take:
- You can run a daemon with elevated privileges that you call on when you need to perform a privileged task. The preferred method of launching a daemon is to use the launchd daemon (see launchd). It is easier to use launchd to launch a daemon and easier to communicate with a daemon than it is to fork your own privileged process.
- You can use the authopen command to read, create, or update a file (see authopen).
- You can use a BSD system call to change privilege level (see Calls to Change Privilege Level). These commands have confusing semantics. You must be careful to use them correctly, and it’s very important to check the return values of these calls to make sure they succeeded.
Solution 2:
After more research, I found this Common Vulnerabilities and Exposures (CVE) description CVE-2017-15358 Local root privesc in Charles Proxy 4.2:
Setting a system-wide proxy requires root permissions so this is handled by an suid binary located within the Charles application folder:
/Applications/Charles.app/Contents/Resources/Charles Proxy Settings
It says that in its first-time setup, Charles Proxy creates a setuid binary that is used on subsequent runs to change the proxy settings.
The link in Graham's answer points this method out as a legacy way of accomplishing this behaviour and is no longer recommended.
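To see which of the two mechanisms from the answers above is present on a machine, the following read-only audit lists setuid files inside an application bundle and pairs each privileged helper with a launchd plist that mentions it. It is an added example, not part of either answer or of Charles Proxy; the function names, the root-prefix argument and the `NO-LAUNCHD-PLIST` marker are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: read-only audit of the two mechanisms the answers describe.

# Print "owner-uid<TAB>path" for every setuid regular file under directory $1.
# Paths with spaces (such as "Charles Proxy Settings") are handled.
list_setuid() {
    [ -d "$1" ] || return 0
    find "$1" -type f -perm -4000 -exec sh -c '
        for f do
            uid=$(ls -lnd "$f" | awk "{print \$3}")
            printf "%s\t%s\n" "$uid" "$f"
        done' sh {} +
}

# Print "helper<TAB>plist" for each tool in $1/Library/PrivilegedHelperTools,
# paired with the first launchd plist in $1/Library/LaunchDaemons that mentions
# its name. $1 is a root prefix (empty for the live system); it is an assumption
# of this example so the function can be run against a constructed tree.
# Matching by name is a heuristic: a helper whose name is a prefix of another
# helper's name can pair with the wrong plist.
list_helpers() {
    tools="$1/Library/PrivilegedHelperTools"
    daemons="$1/Library/LaunchDaemons"
    [ -d "$tools" ] || return 0
    for helper in "$tools"/*; do
        [ -f "$helper" ] || continue
        name=${helper##*/}
        plist=$(grep -lF -- "$name" "$daemons"/*.plist 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$name" "${plist:-NO-LAUNCHD-PLIST}"
    done
}

# Audit the live system only when invoked with the argument "run".
if [ "${1:-}" = run ]; then
    list_setuid "/Applications/Charles.app"
    list_helpers ""
fi
```

A line from `list_setuid` whose first field is 0 is a setuid-root file, the legacy mechanism Solution 2 describes; a helper paired with a plist is the launchd mechanism from Solution 1.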