The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   UNIX - Newcomers (http://hintsforums.macworld.com/forumdisplay.php?f=15)
-   -   running apps as root w/out logging in as root (http://hintsforums.macworld.com/showthread.php?t=9872)

hamtoolie 03-02-2003 07:13 PM

running apps as root w/out logging in as root
 
I'm curious how to run applications that require you to log in as root without logging in as root. I have root access, but prefer to just have admin access most of the time. I can make terminal apps recognize me as root by using sudo, but what about other apps, like in this case EIMS.

bassi 03-02-2003 07:49 PM

Pseudo.

hamtoolie 03-03-2003 01:12 AM

I tried pseudo. I dragged EIMS onto it and it did nothing. I dragged other apps onto pseudo and it worked...

seb2 03-03-2003 02:11 AM

sudo
 
Use "sudo" in the Terminal.

To launch System Preferences as root, for example, type
Code:

sudo /Applications/System\ Preferences.app/Contents/MacOS/System\ Preferences &
As you notice, you have to specify the path to the executable which is ".../Contents/MacOS/<nameOfApplication>"

If you want to launch the Finder as root -- be careful! -- type the following:
Code:

osascript -e 'tell application "Finder" to quit'
sudo /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder &

Hope that helps.

vonleigh 03-03-2003 04:05 AM

I did some tests because I thought this wasn't possible as I had the recollection that it was taken out with one of the early security updates (although that may have been while using open).

Now, using your command as is doesn't work for me. Reason is that the command with the ampersand gets interpreted before the sudo, so it asks for password too late and it doesn't do anything. Seems to be the same problem as when using sudo in conjunction with a redirect (>).

So I guess you could either first sudo something simple "sudo ls" and provide the password, then do the sudo with the command you really want; or use sudo -s.

Now, when I tried it I was pleasantly suprised to see that it did work. I opened my httpd.conf file and was able to edit it and save the changes.



v

Accura 03-03-2003 08:28 AM

vi
 
vonleigh, i recomment learning vi. No hints or tips just do a google search or read the man page. It will help if you ever need to edit files over shh and/or on a *nix box.

hamtoolie 03-03-2003 11:49 AM

Re: sudo
 
Quote:

Originally posted by seb2
Use "sudo" in the Terminal.

To launch System Preferences as root, for example, type
Code:

sudo /Applications/System\ Preferences.app/Contents/MacOS/System\ Preferences &
As you notice, you have to specify the path to the executable which is ".../Contents/MacOS/<nameOfApplication>"
I tried this method, but EIMS (Eudora Internet Mail Server) doesn't give me the option of digging into the package contents. Running sudo open on the app itself opens the app, but I still get a permissions error telling me I have to run the server as root.

vonleigh 03-03-2003 01:57 PM

Accura, yes I'm very aware of vi, vim, emacs, etc. I was just testing the hint on a root owned file.

Hamtoolie, check apple's site (or search through the forums) on how to make a startup item. Then the server will run at startup and have root privileges.



v

hamtoolie 03-03-2003 06:46 PM

So that's what the readme is for....
 
Quote:

From Terminal set EIMS Server X to run with root privilages with chmod 6550 "EIMS Server X" followed by sudo chown root "EIMS Server X"
That's what was in the readme that I had only skimmed over... I'll need to remember that for next time...

gatorparrots 03-13-2003 04:53 AM

Opening GUI applications as root
 
If you need to edit a root-owned system configuration file, it is possible to do so with a graphical text editor, if you so desire. In fact, any application can be opened as root [although why anyone would want to open Chess.app as root is beyond me...] (This functionality is essentially what Brian Hill's utility Pseudo allows you to do: http://personalpages.tds.net/~brian_hill/pseudo.html):

First, a little background about the open command:

The command is simply open (which can also be used for opening directories). The most basic example is launching an application:
open /path/to/some.app

More complex possibilities also exist:

open "/Volumes/Macintosh HD/somedoc.txt"
opens the document in the default application for its type (as determined by LaunchServices).

open /Applications/
opens that directory in the Finder.

open -a /Applications/TextEdit.app "/Volumes/Macintosh HD/somedoc.txt"
opens the document in the application specified (in this case, TextEdit).

open -e "/Volumes/Macintosh HD/somedoc.txt"
opens the document in TextEdit (the -e option specifies TextEdit).

open http://www.apple.com/
opens the URL in the default browser (lynx, naturally *wink*)

open "file://localhost/Volumes/Macintosh HD/somedoc.txt"
opens the document in the default application for its type (as determined by LaunchServices).

open "file://localhost/Volumes/Macintosh HD/Applications/"
opens that directory in the Finder.

As you can see, open is a very versatile command. However, in the following post I will point at least one glaring limitation. Let the fun begin...

mervTormel 03-13-2003 10:23 AM

open -a textedit

works. open -a will scan the local, user, and network /applications dirs for apps matching your arg.

even an alias to an offworld dir of apps gets dereferenced and scanned...

$ ll -d /Applications/1xapps
lrwxrwxr-x 1 root admin 22 Mar 10 15:04 /Applications/1xapps -> /Volumes/chunder/xapps/

$ ll -d /Applications/1xapps/FinkCommander/FinkCommander.app/
drwxrwxrwx 3 merv wheel 102 Feb 11 13:26 /Applications/1xapps/FinkCommander/FinkCommander.app/

$ open -a finkcommander

works.

gatorparrots 03-13-2003 11:51 AM

Launching Carbon applications with root privileges
Older Carbon applications have to be run via LaunchCFMApp because they are in the wrong binary format for Mac OS X, so LaunchCFMApp handles the necessary translation.

To launch a Carbon application directly (without using open), one has to actually run LaunchCFMApp, giving it the application as an argument:
/System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/path/to/some/application'.

open can also be used to launch Carbon applications. open simulates a double click, hence the package name is given, rather than the full path to the executable. open's main advantage is in opening documents since it uses the Finder's 'open with' database of what applications open what documents, and in opening Carbon applications. Using open, most of the difficult work is done for you: open '/path/to/some/application'

To launch a Carbon application with root privileges, you have to prepend sudo -b to the first command above. Here is a specific example:
sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/BBEdit Lite 6.1/BBEdit Lite 6.1 for OS X'

Launching Cocoa applications with root privileges
To run applications as root, we use sudo. However combining open and sudo in this form:
sudo open /path/to/some.app
results in sudo running open as root, but open still opens the application as the original user!!!

Therefore, the longer method of specifying the full path name for Cocoa applications (not just to the .app package, but to the actual executable):
sudo "/Applications/TextEdit.app/Contents/MacOS/TextEdit"

(The -b flag can be specified to run appropriate applications in the background. You can't use & and sudo when an authentication password is required, necessitating the need for the -b flag.)

elmimmo 04-02-2003 06:13 AM

My Mac OS X only has one user configured, mine, so I see little use to what I am going to say, but if it works someone might find some use to it.

Has anyone tried running, for instant:

user1% sudo -u user2 /Applications/Mail.app/Contents/MacOS/Mail &

and so having Mail launched using /Users/user2/Library tor ead settings, mailboxes, etc...

If that worked it should be sort of what I have heard that Windows XP can do without so much tinkering, that is, running apps as another user2 inside a user1 session.

mithras 04-02-2003 06:20 AM

Quote:

Has anyone tried running, for instant:

user1% sudo -u user2 /Applications/Mail.app/Contents/MacOS/Mail &
The problem is that 'user2' won't have privileges to access your WindowServer.

It works with apps run as root, since root has privileges to whatever it wants. But another normal user will not work.

Shame, huh?

elmimmo 04-02-2003 06:22 AM

BTW, this trick can be handy too to launch multiple instances of one app, when double clicking on it only lets one instance of it
Quote:

user1% /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/Hotline Client 1.8.5/Hotline Client 1.8.5' &

bluehz 04-02-2003 07:33 AM

Why is it that some things I open in BBEdit using the bbedit command line tool, as root, authenticated - I am never able to save.

For example. I want to edit /sw/etc/postfix/main.cf. I have tried AS ROOT:

% bbedit /sw/etc/postfix/main.cf

and also

% sudo bbedit /sw/etc/postfix/main.cf

Each time the file is opened in BBEdit, then you are asked to authenticate (even though you launched as root), then after you edit and try to save - BBEdit churns a bit then spits up a dialog
Code:

BBEdit timed out whil waiting for an authenticated save to complete (application error code 300008)
I notice the permissions on the bbedit binary are:
-rwsr-xr-x 1 root wheel 38104 Apr 2 00:09 /usr/bin/bbedit

if that makes any difference.

vonleigh 04-02-2003 07:57 AM

I don't use bbedit, but as I understand it there is no need to launch files as root, as bbedit uses it's own rutines to authenticate and edit system owned files. I could be wrong though.


v

bluehz 04-02-2003 08:14 AM

Normally the bbedit cli tool DOES authenticate via BBEdit - thats why I can't figure out what the problem is editing certain files.

gatorparrots 04-02-2003 11:10 AM

I use BBEdit Lite and have this alias in my ~/.cshrc file:
alias bbroot "sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/BBEdit Lite 6.1/BBEdit Lite 6.1 for OS X'"
With it I can edit any root-owned file without incident (including items in the /sw tree). I don't have any experience with the full version of BBEdit or its included command line tool.

bluehz 04-02-2003 11:26 AM

great idea gatorparrots...

but not working for me.

I have the full version 7.0 of BBEdit (located in a subdir called "text" in my applications dir) and tried this:

alias bbroot "sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/Text/BBEdit 7.0/BBEdit'"

and also

alias bbroot "sudo -b /System/Library/Frameworks/Carbon.framework/Versions/Current/Support/LaunchCFMApp '/Applications/Text/BBEdit 7.0/BBEdit.app'"

but either way I get invalid path error

root# cwd
/Applications/Text/BBEdit 7.0
root# ls
BBEdit Support BBEdit.app

gatorparrots 04-02-2003 01:02 PM

Is BBEdit 7 (full version) a Carbon or Cocoa application? If the .app extension is any indicator, you may have to try:
sudo "/Applications/Text/BBEdit 7.0/BBEdit.app/Contents/MacOS/BBEdit"
(alter as appropriate for your configuration)

bluehz 04-02-2003 05:26 PM

That was it - thx!

elmimmo 04-02-2003 05:54 PM

Quote:

Originally posted by mithras
The problem is that 'user2' won't have privileges to access your WindowServer.
I know little of Unix privileges, but the same that one can change a file owner, group and rest 's priviledges over one file, couldn't I set that WindowServer accessible to everybody?

gatorparrots 04-03-2003 06:15 AM

Quote:

Originally posted by elmimmo
I know little of Unix privileges, but the same that one can change a file owner, group and rest 's priviledges over one file, couldn't I set that WindowServer accessible to everybody?
You do not want to do that. Apple's system demarcation is in place for very specific reasons.

elmimmo 04-03-2003 08:38 AM

er... could you be more explicit as to what the undesired consequences could be? Saying just do not do this because it is bad is not very constructive...

discordantus 05-24-2003 02:38 PM

afaik, there is no way of changing the permissions for the windowserver. File permissions are handled by the operating system; basic process permissions are handled by the operating system too, but they are very basic. They ingore groups, and only the root user can affect another user's process (which is why you can launch an app as root under your windowserver). Anything more has to be built in by the programmer, and will vary depending on the program.

As for "bad things" that might happen if you changed the permissions, I can't really see any. Since a bad person? can't connect to the window server via the internet, there shouldn't be any problems. (for the average user, anyway)

If there IS a way of setting permissions for connections, I would sure like to know about it. :)

elmimmo 05-25-2003 05:33 AM

Thank you for the answer. That made a little more sense :) However, isn't the window server just an application the file of which can be traced and change its permissions?

discordantus 05-25-2003 06:05 AM

Quote:

Originally posted by elmimmo
Thank you for the answer. That made a little more sense :) However, isn't the window server just an application the file of which can be traced and change its permissions?
Well, yes or no, depending on what you want to do with the permissions.

The only permissions you can set on the executable file (the binary) control who can execute the file, and read and write to the actual file.

The permissions you want to be able to change are for being able to connect to the window server. The server is already executed and running, and at that point, the permissions on the binary executable don't apply. It handles it's own authorizations: any apps you launch ask the server for permission to connect, and if the server decides it doesn't like the username, it denys it.

It may help to remember that the window server is basically just like any server, such as an ssh or ftp server. Just in this case, the logon part is much simpler. :)


All times are GMT -5. The time now is 10:23 PM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.