run script as root

do shell script provides with administrator privileges.

Is there any way to temporarily elevate a user to root to run an AppleScript-only script?

use a do shell script ‘with administrator privileges’ and osascript command line to launch the script. You will be prompted for user name and password and will run the script as root.

That’s an ugly workaround. I’m rather looking for a direct way to elevate rights that I’m not aware of.

No, thankfully that is not possible (or at least should be). It sounds like the biggest exploit in the world :wink:

If there was such an statement possible it would only be limited to the current application context. AppleEvents (read: AppleScript commands) doesn’t carry out the privileges to remote applications or machines.

Hmm.but there is admin privileges to run a shell script from an applescript.

Anyway, I don’t see why run script with administrator privileges couldn’t be feasible :rolleyes:

I just want to duplicate files in Finder preserving ownership along other attributes but with exact copy doesn’t work as expected, i.e., asking for your admin password when the file’s owner is root.

Here you are speaking to users like you.
If you want an enhancement you must ask it to Apple, not to us.

Yvan KOENIG running El Capitan 10.11.1 in French (VALLAURIS, France) mercredi 25 novembre 2015 09:02:06

Yvan, I know and didn’t ask here for an enhancement.

So I’ve been searching a bit and DJ Bazzie Wazzie’s seems the only workaround.

But it doesn’t work. Neither

-- save as test.scpt
tell application "Finder" to duplicate selection with exact copy
-- then
do shell script "osascript ~/Desktop/test.scpt" with administrator privileges

nor

preserve ownership, and

do shell script "osascript -e \"tell application \"Finder\" to duplicate selection with exact copy\"" with administrator privileges

compiles, but doesn’t work because of the syntax, although I think I escaped it correctly get this error message

Result:
error "58:62: syntax error: Expected "given", "with", "without", other parameter name, etc. but found "copy". (-2741)" number 1

I had a similar problem some time ago: http://macscripter.net/viewtopic.php?id=41345
The Finder’s ‘duplicate with exact copy’ will not preserve the source ownership.
This is what does the job for me since (based on Yvan’s help in that post):

do shell script "cp -pR " & sourceItemPOSIX & " " & targetFolderPOSIX with administrator privileges

"cp -p " will copy files preserving their ownership, while "cp -pR " with copy directories as well preserving their structure. Refer to “man cp(1)” for more details. Note that in folders/directories case you’ll have to remove the trailing “/” of the source to copy the folder structure instead of their contents.

It’s technically not possible. What you’re doing is sending an AppleEvents (command) to the Finder describing that you want to duplicate a file. From there the script itself is just waiting for an reply from the Finder until the command is finished (read more about sending and receiving AppleEvents). No matter what the event describes, the Finder isn’t going to run as another user. It would violate too many security policies. At the end the Finder is responding the same way as if an user copied the file in your desktop, only through a different interface.

So the question is then how to solve this. do shell script can execute a shell with elevated privileges, you can use the cp or ditto command in a ‘do shell script with administrator privileges’ to run those commands as root.

I read that topic before posting mine. Eventually I opened a new one to discuss a more general inquiry.

For duplicating files I’d like to use the Finder so it deals with existing name sequences, e.g. foobar copy, foobar copy 3, etc ” which with a shell script would require more elbow grease.

Thanks for the reference. I ran the Finder as root and AppleScript Editor as me to see what you mean. In this case exact copy only preserves the owner but not the group.

Not quite, Finder → Edit → Paste Exactly does require you to authenticate to perform an operation via GUI that should be possible in the same manner as when you run a shell script and specify with administrator privileges. Both invoke the Security Agent (I link a document that I just found but haven’t read yet).

You may prefer using the Finder but, since you say you need to preserve the ownership correctly, the only option seems to be the shell script. You could take the list of the files to be copied and using a repeat loop, convert each item to posix and pass it to the shell script cp command.

I’ve checked logs, commands and documentation and although I still haven’t figured out how to do this, I think it’s worth sharing.

Finder → Duplicate Exactly (adds ‘copy’ suffix)

Finder → Paste Exactly (adds number suffix if copying and pasting in the same dir)

You can address the Security framework using the security command ” check in particular

authorize
authorizationdb
execute-with-privileges

and the authorization rights

com.apple.desktopservices
com.apple.desktopservices.scripted

Unfortunately I couldn’t find concrete examples to use with the Finder or any other GUI application, but the framework is there, I suppose.

Also, I checked Authorization Services Programming Guide but couldn’t glean the necessary information.

So tell us again how using a shell script would require more elbow grease… :slight_smile:

:smiley: well.

.or something along these lines should do, I’d have expected, then run duplicate with exact copy.

And regardless, I’m just curious, that’s why I posted a different question from flex20’s.
security does, for example, allow me to retrieve my password in an applescript and login or authorize processes with a key combo ” that’s 2 ^ n keys, I suppose.

Problem remains the same, the security command will not grant you elevated privileges for a remote application.

The security command line will give you higher privileges for a command to execute.


set s to "/Users/xxx/testfile.pdf"
set t to "/Library"

-- Execute cp by security to gain elevated privileges 
do shell script "security execute-with-privileges /bin/cp " & quoted form of s & space & quoted form of t

-- Recommended by Apple:
do shell script "/bin/cp " & quoted form of s & space & quoted form of t with administrator privileges

You can “externalize authref to stdout”, as per the man page.

I’m a little time-constrained now, but I think it’s worth trying to understand if it works and why com.apple.desktopservices.scripted is there in the first place.

I know this thread is old but I’ve been using this for many many years:

try

do shell script "echo rootpasshere | sudo -S -u root -p rootpasshere " script-here

end try

You’re putting your root password as cleartext in a script, twice? This is a very bad idea. Why not attach it on a post-it to your monitor?