Here we have two different kinds of handlers, 'download' and 'exec'.

TODO: we have to decide what the client application should do. It would be possible to call an external program like 'curl' or 'wget', or to call libcurl, to download a file. I would vote for using 'curl' or 'libcurl' because it seems that curl supports more methods than wget. The download should be done by user nobody into a temporary file, which is then moved and chowned to the destination.

TODO: we have to decide how the client application should call the applied program or script. If no 'user' is specified, the default user should be 'nobody'.

# IPA generated script for ipaaction policy. DO NOT EDIT
# unknown output_selector
su - nobody 'curl -o /tmp/SAFE_TEMP_FILE '
cat << EOF | base64 -d > /tmp/SAFE_TEMP_FILE
EOF
# unknown element:
mv /tmp/SAFE_TEMP_FILE
chown : nobody
su - ' '
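
The template above writes to the fixed path /tmp/SAFE_TEMP_FILE, which only works safely if the generated script replaces it with a name that other local users cannot predict or pre-create. The following is an added example, not IPA code, of the "decode into a temporary file, then move and chown" step for the 'exec' payload; the function name stage_payload, the .ipaaction prefix and the 0700 mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IPA code). Reads a base64 payload on stdin and installs
# it at DEST through an unpredictable temporary file.
# Usage: stage_payload DEST [OWNER]
stage_payload() {
    dest=$1
    owner=${2:-nobody}      # page default when no 'user' is specified

    # mktemp picks a random name and creates the file exclusively with mode
    # 0600, so a symlink planted in advance cannot redirect the write.
    # Creating it next to DEST keeps the final mv a same-filesystem rename.
    tmp=$(mktemp "$(dirname "$dest")/.ipaaction.XXXXXX") || return 1

    # Decode the payload; on a decode error remove the partial file.
    if ! base64 -d > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # chown needs root. When run unprivileged the current owner is kept.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # Set the final mode before the file becomes visible under its real name.
    chmod 0700 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}
```

Ownership and mode are set on the temporary file before the rename, so the destination never exists with the wrong owner or permissions.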