You spawn a tool to do the copying using AuthorizationExecuteWithPrivileges which will have time limited elevated privileges.
FILE *pipe = NULL;
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
status = AuthorizationExecuteWithPrivileges (m_auth, tool, kAuthorizationFlagDefaults, args, &pipe);
#pragma clang diagnostic pop
As long as the AuthorizationRef (m_auth) is valid within it’s time limit (around 15 minutes or so) you can call the tool as above in an ObjectiveC function.
I have a tool named accentutil which is a command line app with the usage:
run: accentutil -?
Usage: accentutil -S SourcePath -D DestPath [-R] [-V] [-X] [-?] [/HELP]
You can use either - or / for the parameters
[/R] Copy Recursively (Optional)
[/V] Enable verbose mode (Optional)
[/X] Delete the DestPath recursively if it exists (Optional)
[/HELP] Display this help info. (Optional)
Return values: 0: No Errors
-1: Error copying source to dest
-2: Source doesn't exist
-3: Either the source or dest path is empty
NOTE: Your tool and calling app must both be signed with the same cert.