Applescript: Using shell script to change permissions without admin password

[LingaringBell]

Hey guys, I wrote an Applescript that uses terminal to change the owner of volume. Everything works great, except, when I run the script as a nonadmin user it wants an admin password. I wrote the script in the first place so that nonadmin users could change the permissions on this one item. Here is my script:

Code:

do shell script ¬
	"sudo chown student /Volumes/Media\\ Drive" password "pass" with administrator privileges

Does anyone know of a different way to accomplish this without needing an admin password input by the user? Thanks as always.
-Bell

[Mikey-San]

1. If you want to do something that requires admin rights, you have to authenticate. (Whether you provide those credentials ahead of time or not.)

2. Using "with adminstrator privileges" without both a login and a password will prompt the user to authenticate if he or she is not an adminstrator.

3. Do not use sudo and "with administrator privileges" together.

http://developer.apple.com/technotes/tn2002/tn2065.html

The real question is: what higher-level goal are you trying to accomplish here?

[cwtnospam]

If you create an Applescript that calls a shell script, and you give the shell script admin rights, it should work.
Applescript:

Code:

tell application "Terminal"
	activate
	set x to POSIX path of "/path/to/file"
	do script "/path/to/shellscript.sh " & x
end tell

Shellscript:

Code:

#!/bin/bash
chmod -R 666 $1

There are obvious security concerns that I haven't addressed. Also, I haven't figured out how to get it to work if there is a space in the path to the file. Using the quoted form of the POSIX path doesn't help. The shell script sees $1 as ending with the first space.

[LingaringBell]

Mikey - If I try using just sudo with no "with administrator privileges" the script tells me that the shell needed a password. How do I add the login and password to my script so that a nonadmin will not be asked to authenticate.

cwt - I have never made a shellscript before, can i just make it in textedit?

[cwtnospam]

Yes. Save the file with a .sh extension (or rename it) and then in a Terminal window, make it executable:
chmod 711 /path/to/file

7 = read/write/executable by owner
1 = executable by group
1 = executable by others

You may also need to chown it to be owned by root. Be sure that you understand the script, because there is no safety net.

[hayne]

1) It is not possible to make a script run with admin privileges except by embedding the admin password - which is a very bad idea.

2) Please tell us what your higher-level goal is - as asked by Mikey-San in post #2.

[LingaringBell]

Higher-level goal? I'm guessing you mean my reason for needing this. I administer computers for a school. All of the machines have two drives, one for boot, one to read/write media on to. A piece of software that is used by the school has a bad habit of adjusting the permissions on this media drive and not changing them back, thus giving the students random permissions errors. As much fun as it is to constantly go around fixing permissions problems, i figured i would just make a script that the students could run that would fix the problem.

Also, i don't really see the problem in embedding the admin password into the script, since they are run only, and personally I've never been able to figure out a way to see the contents of a run only application made in applescript. Is there a way to do this?

[hayne]

Quote: Originally Posted by LingaringBell A piece of software that is used by the school has a bad habit of adjusting the permissions on this media drive and not changing them back, thus giving the students random permissions errors. As much fun as it is to constantly go around fixing permissions problems, i figured i would just make a script that the students could run that would fix the problem.

Does that software run with admin or root privileges? How does it change the permissions on the media drive?

Anyway, I think the way to go to fix this kind of problem would be to have a shell script that runs periodically (e.g. every 3 minutes) and checks the permissions and sets them back to what they should be. You could install this to run with 'root' privileges (e.g. as a system 'cron' job (use the GUI utility "Cronnix", or as a 'launchd' item (use the GUI utility "Lingon")).

Quote: Also, i don't really see the problem in embedding the admin password into the script, since they are run only, and personally I've never been able to figure out a way to see the contents of a run only application made in applescript. Is there a way to do this?

Yes - let's leave it at that - I don't want to explain since that would make it easier for people to be able to find the password when someone has misguidedly embedded it in an AppleScript.

[LingaringBell]

alright, that makes sense, I apologize, but I have to ask for help making the shell script since I am new to that idea. I used text edit to make a test file containing:

sudo chmod student /path/to/file

I save it and give it the extension .sh However, if I try to run it manually it still opens in text edit, if i run it in terminal i get this:

/path/to/shell: line 1: {rtf1macansicpg10000cocoartf824cocoasubrtf420: command not found
/path/to/shell: line 2: syntax error near unexpected token `}'
/path/to/shell: line 2: `{\fonttbl\f0\fswiss\fcharset77 Helvetica;}'

Help? Thanks again guys for the good explanations.

[hayne]

Quote: Originally Posted by LingaringBell I used text edit to make a test file containing: sudo chmod student /path/to/file I save it and give it the extension .sh However, if I try to run it manually it still opens in text edit, if i run it in terminal i get this: /path/to/shell: line 1: {rtf1macansicpg10000cocoartf824cocoasubrtf420: command not found /path/to/shell: line 2: syntax error near unexpected token `}' /path/to/shell: line 2: `{\fonttbl\f0\fswiss\fcharset77 Helvetica;}'

See the section on editing text files in this Unix FAQ
(The problem is that TextEdit defaults to saving as rich text documents, while shell scripts need to be plain, unformatted text. It is possible to use TextEdit to create plain text files but I'd recommend one of the special-purpose text editors - I mention some in that FAQ.)

[Mikey-San]

Quote: Originally Posted by LingaringBell Mikey - If I try using just sudo with no "with administrator privileges" the script tells me that the shell needed a password. How do I add the login and password to my script so that a nonadmin will not be asked to authenticate.

Go back and read the link I gave you; this is explained in that document, as well.

Quote: cwt - I have never made a shellscript before, can i just make it in textedit?

If you've never made a shell script before, you shouldn't write one that is going to run as root. That's not the answer you want to hear, but it's the right one.

Quote: All of the machines have two drives, one for boot, one to read/write media on to. A piece of software that is used by the school has a bad habit of adjusting the permissions on this media drive and not changing them back, thus giving the students random permissions errors.

Can you elaborate on this? What kinds of problems do the students encounter? How are the media drives used by the students? What piece of software is screwing with things?

[LingaringBell]

Thanks Hayne, very helpful

[LingaringBell]

The Software is called Pro Tools, it is an audio DAW. Commonly you run files in it off of a volume that is not the boot volume. Also, commonly, users set up this media drive to ignore all permissions, and the students are taught to do this for their home machines. Pro Tools randomly changes the owner of the media drive because of how some of it's basic processes run, the full explanation is rather long and probably wouldn't make sense if you don't use the software. I believe it gets access to change the owner because the students are setting the drives to ignore permissions, though I am not certain. I am not the only one with this problem, i see similar incidents on the Pro Tools forums. Thanks to Haynes tutorial I think I have written something that works pretty well, I'll test it for a while to make sure I don't destroy something :P Thanks everyone.
-Bell

[cwtnospam]

Quote: Originally Posted by hayne Anyway, I think the way to go to fix this kind of problem would be to have a shell script that runs periodically (e.g. every 3 minutes) and checks the permissions and sets them back to what they should be. You could install this to run with 'root' privileges (e.g. as a system 'cron' job (use the GUI utility "Cronnix", or as a 'launchd' item (use the GUI utility "Lingon")).

If he's going to create the shell script and give it root privileges, why not just call it from an Applescript? That way, it only runs when the user needs it. I know it wouldn't take up much resources, but when you add up all that disk access over time, and over many machines, it seems like it would cause a problem somewhere.

[tw]

Quote: Originally Posted by LingaringBell I administer computers for a school. All of the machines have two drives, one for boot, one to read/write media on to. A piece of software that is used by the school has a bad habit of adjusting the permissions on this media drive and not changing them back, thus giving the students random permissions errors. As much fun as it is to constantly go around fixing permissions problems, i figured i would just make a script that the students could run that would fix the problem.

actually, I think this would be much easier to do with a launchd plist. make a launchd watchpath item that watches that particular drive and resets the permissions whenever they change. since launchd runs as root, this should obviate your permissions problems. when I get to my office in a few minutes, I'll send you a prototype.

[Mikey-San]

Quote: Originally Posted by tw actually, I think this would be much easier to do with a launchd plist. make a launchd watchpath item that watches that particular drive and resets the permissions whenever they change. since launchd runs as root, this should obviate your permissions problems. when I get to my office in a few minutes, I'll send you a prototype.

This sounds like a pretty good solution. Mind posting the prototype here for people to find in future forum searches? That'd be neat.

[tw]

ok, the plist should be something like this (things in curly braces you need to add in yourself)

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>my.daemon.resetPermissions</string>
	<key>ProgramArguments</key>
	<array>
		<string>chown</string>
		<string>{student}</string>
		<string>/Volumes/{disk name}</string>
	</array>
	<key>WatchPaths</key>
	<array>
		<string>/Volumes/{disk name}</string>
	</array>
</dict>
</plist>

after you've added the necessary information, save this as my.daemon.resetPermissions.plist in /Library/LaunchDaemons/ and either start the job using launchctl or restart the machine.

two things I'm not clear on:

1. are you trying to chown or chmod? I thought from the original script you were trying to change ownership of the disk, but later it seemed like you were trying to change permissions, and so I'm not sure which is correct.
2. if you're trying to chown, you'll need to recover the student's user name (since launchd runs as root, I think 'whoami' will return root, not the user's id) - but I'll leave it to hayne or one of the unix pros to tell you how to do that, because I have no idea

[MasterSwitch]

Quote: Originally Posted by hayne Yes - let's leave it at that - I don't want to explain since that would make it easier for people to be able to find the password when someone has misguidedly embedded it in an AppleScript.

Hayne, how dangerous, if only trusted users have access in a home, the only danger is from the net, how dangerous is it to embed the password if the script is only for home use ?

thx

[hayne]

The danger is that some malicious program (that you inadvertently downloaded) will search through all your scripts and find the password and thus have complete control over the system.

[MasterSwitch]

Quote: Originally Posted by hayne The danger is that some malicious program (that you inadvertently downloaded) will search through all your scripts and find the password and thus have complete control over the system.

thx, at least now i know the level of risk