running apps as root w/out logging in as root
 

I'm curious how to run applications that require you to log in as root without logging in as root. I have root access, but prefer to just have admin access most of the time. I can make terminal apps recognize me as root by using sudo, but what about other apps, like in this case EIMS.

Pseudo.

I tried pseudo. I dragged EIMS onto it and it did nothing. I dragged other apps onto pseudo and it worked...

sudo
 

Use "sudo" in the Terminal.

To launch System Preferences as root, for example, type
As you notice, you have to specify the path to the executable which is ".../Contents/MacOS/<nameOfApplication>"

If you want to launch the Finder as root -- be careful! -- type the following:
Hope that helps.

I did some tests because I thought this wasn't possible as I had the recollection that it was taken out with one of the early security updates (although that may have been while using open).

Now, using your command as is doesn't work for me. Reason is that the command with the ampersand gets interpreted before the sudo, so it asks for password too late and it doesn't do anything. Seems to be the same problem as when using sudo in conjunction with a redirect (>).

So I guess you could either first sudo something simple "sudo ls" and provide the password, then do the sudo with the command you really want; or use sudo -s.

Now, when I tried it I was pleasantly suprised to see that it did work. I opened my httpd.conf file and was able to edit it and save the changes.



v

vi
 

vonleigh, i recomment learning vi. No hints or tips just do a google search or read the man page. It will help if you ever need to edit files over shh and/or on a *nix box.

Re: sudo
 

I tried this method, but EIMS (Eudora Internet Mail Server) doesn't give me the option of digging into the package contents. Running sudo open on the app itself opens the app, but I still get a permissions error telling me I have to run the server as root.

Accura, yes I'm very aware of vi, vim, emacs, etc. I was just testing the hint on a root owned file.

Hamtoolie, check apple's site (or search through the forums) on how to make a startup item. Then the server will run at startup and have root privileges.



v

So that's what the readme is for....
 

That's what was in the readme that I had only skimmed over... I'll need to remember that for next time...

Opening GUI applications as root
 

If you need to edit a root-owned system configuration file, it is possible to do so with a graphical text editor, if you so desire. In fact, any application can be opened as root [although why anyone would want to open Chess.app as root is beyond me...] (This functionality is essentially what Brian Hill's utility Pseudo allows you to do: http://personalpages.tds.net/~brian_hill/pseudo.html):

First, a little background about the open command:

The command is simply open (which can also be used for opening directories). The most basic example is launching an application:
open /path/to/some.app

More complex possibilities also exist:

open "/Volumes/Macintosh HD/somedoc.txt"
opens the document in the default application for its type (as determined by LaunchServices).

open /Applications/
opens that directory in the Finder.

open -a /Applications/TextEdit.app "/Volumes/Macintosh HD/somedoc.txt"
opens the document in the application specified (in this case, TextEdit).

open -e "/Volumes/Macintosh HD/somedoc.txt"
opens the document in TextEdit (the -e option specifies TextEdit).

open http://www.apple.com/
opens the URL in the default browser (lynx, naturally *wink*)

open "file://localhost/Volumes/Macintosh HD/somedoc.txt"
opens the document in the default application for its type (as determined by LaunchServices).

open "file://localhost/Volumes/Macintosh HD/Applications/"
opens that directory in the Finder.

As you can see, open is a very versatile command. However, in the following post I will point at least one glaring limitation. Let the fun begin...

open -a textedit

works. open -a will scan the local, user, and network /applications dirs for apps matching your arg.

even an alias to an offworld dir of apps gets dereferenced and scanned...

$ ll -d /Applications/1xapps
lrwxrwxr-x 1 root admin 22 Mar 10 15:04 /Applications/1xapps -> /Volumes/chunder/xapps/

$ ll -d /Applications/1xapps/FinkCommander/FinkCommander.app/
drwxrwxrwx 3 merv wheel 102 Feb 11 13:26 /Applications/1xapps/FinkCommander/FinkCommander.app/

$ open -a finkcommander

works.

Launching Carbon applications with root privileges
Older Carbon applications have to be run via LaunchCFMApp because they are in the wrong binary format for Mac OS X, so LaunchCFMApp handles the necessary translation.

To launch a Carbon application directly (without using open), one has to actually run LaunchCFMApp, giving it the application as an argument:
/System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/path/to/some/application'.

open can also be used to launch Carbon applications. open simulates a double click, hence the package name is given, rather than the full path to the executable. open's main advantage is in opening documents since it uses the Finder's 'open with' database of what applications open what documents, and in opening Carbon applications. Using open, most of the difficult work is done for you: open '/path/to/some/application'

To launch a Carbon application with root privileges, you have to prepend sudo -b to the first command above. Here is a specific example:
sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/BBEdit Lite 6.1/BBEdit Lite 6.1 for OS X'

Launching Cocoa applications with root privileges
To run applications as root, we use sudo. However combining open and sudo in this form:
sudo open /path/to/some.app
results in sudo running open as root, but open still opens the application as the original user!!!

Therefore, the longer method of specifying the full path name for Cocoa applications (not just to the .app package, but to the actual executable):
sudo "/Applications/TextEdit.app/Contents/MacOS/TextEdit"

(The -b flag can be specified to run appropriate applications in the background. You can't use & and sudo when an authentication password is required, necessitating the need for the -b flag.)

My Mac OS X only has one user configured, mine, so I see little use to what I am going to say, but if it works someone might find some use to it.

Has anyone tried running, for instant:

user1% sudo -u user2 /Applications/Mail.app/Contents/MacOS/Mail &

and so having Mail launched using /Users/user2/Library tor ead settings, mailboxes, etc...

If that worked it should be sort of what I have heard that Windows XP can do without so much tinkering, that is, running apps as another user2 inside a user1 session.

The problem is that 'user2' won't have privileges to access your WindowServer.

It works with apps run as root, since root has privileges to whatever it wants. But another normal user will not work.

Shame, huh?

BTW, this trick can be handy too to launch multiple instances of one app, when double clicking on it only lets one instance of it

Why is it that some things I open in BBEdit using the bbedit command line tool, as root, authenticated - I am never able to save.

For example. I want to edit /sw/etc/postfix/main.cf. I have tried AS ROOT:

% bbedit /sw/etc/postfix/main.cf

and also

% sudo bbedit /sw/etc/postfix/main.cf

Each time the file is opened in BBEdit, then you are asked to authenticate (even though you launched as root), then after you edit and try to save - BBEdit churns a bit then spits up a dialogI notice the permissions on the bbedit binary are:
-rwsr-xr-x 1 root wheel 38104 Apr 2 00:09 /usr/bin/bbedit

if that makes any difference.

I don't use bbedit, but as I understand it there is no need to launch files as root, as bbedit uses it's own rutines to authenticate and edit system owned files. I could be wrong though.


v

Normally the bbedit cli tool DOES authenticate via BBEdit - thats why I can't figure out what the problem is editing certain files.

I use BBEdit Lite and have this alias in my ~/.cshrc file:
alias bbroot "sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/BBEdit Lite 6.1/BBEdit Lite 6.1 for OS X'"
With it I can edit any root-owned file without incident (including items in the /sw tree). I don't have any experience with the full version of BBEdit or its included command line tool.

great idea gatorparrots...

but not working for me.

I have the full version 7.0 of BBEdit (located in a subdir called "text" in my applications dir) and tried this:

alias bbroot "sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/Text/BBEdit 7.0/BBEdit'"

and also

alias bbroot "sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/Text/BBEdit 7.0/BBEdit.app'"

but either way I get invalid path error

root# cwd
/Applications/Text/BBEdit 7.0
root# ls
BBEdit Support BBEdit.app

Is BBEdit 7 (full version) a Carbon or Cocoa application? If the .app extension is any indicator, you may have to try:
sudo "/Applications/Text/BBEdit 7.0/BBEdit.app/Contents/MacOS/BBEdit"
(alter as appropriate for your configuration)

That was it - thx!

I know little of Unix privileges, but the same that one can change a file owner, group and rest 's priviledges over one file, couldn't I set that WindowServer accessible to everybody?

You do not want to do that. Apple's system demarcation is in place for very specific reasons.

er... could you be more explicit as to what the undesired consequences could be? Saying just do not do this because it is bad is not very constructive...

afaik, there is no way of changing the permissions for the windowserver. File permissions are handled by the operating system; basic process permissions are handled by the operating system too, but they are very basic. They ingore groups, and only the root user can affect another user's process (which is why you can launch an app as root under your windowserver). Anything more has to be built in by the programmer, and will vary depending on the program.

As for "bad things" that might happen if you changed the permissions, I can't really see any. Since a bad person? can't connect to the window server via the internet, there shouldn't be any problems. (for the average user, anyway)

If there IS a way of setting permissions for connections, I would sure like to know about it. :)

Thank you for the answer. That made a little more sense :) However, isn't the window server just an application the file of which can be traced and change its permissions?

Well, yes or no, depending on what you want to do with the permissions.

The only permissions you can set on the executable file (the binary) control who can execute the file, and read and write to the actual file.

The permissions you want to be able to change are for being able to connect to the window server. The server is already executed and running, and at that point, the permissions on the binary executable don't apply. It handles it's own authorizations: any apps you launch ask the server for permission to connect, and if the server decides it doesn't like the username, it denys it.

It may help to remember that the window server is basically just like any server, such as an ssh or ftp server. Just in this case, the logon part is much simpler. :)