Sudo confusion

I’ve read Technical Note TN2065: do shell script in AppleScript, and for the context of my problem below, my understanding is:
¢ It’s redundant ” and asking for trouble ” to use sudo alongside with administrator privileges
¢ The 5 minutes timestamp grace period gets reset after the do shell script completes, so it’s unnecessary to follow-up with an explicit do shell script “sudo -k” for security.

So why doesn’t the second do shell script below put up the macOS password entry dialog?


do shell script "echo test" password "xxxxx" with administrator privileges
	--> "test"
do shell script "echo test" with administrator privileges
	--> "test"

Or, for that matter, even when I add the sudo -k (when it shouldn’t be necessary in the first place) below?


do shell script "echo test" password "xxxxx" with administrator privileges
	--> "test"
do shell script "sudo -k"
	--> ""
do shell script "echo test" with administrator privileges
	--> "test"

AppleScript: 2.1.2
Operating System: Mac OS X (10.6.8)

It’s rather ambiguous, isn’t it? My reading is that ‘with administrator privileges’ authenticates the AppleScript running the shell script(s) and that this authentication’s good for five minutes. The script can execute other shell scripts requiring adminstrator privileges in that time ” and even be run again ” without the user having to re-enter the password.

The fact that using ‘sudo’ and ‘with adminstrator privileges’ together is considered a security risk suggests that they’re not the same system, which may explain why ‘sudo -k’ doesn’t cancel the effect of ‘with administrator privileges’. But I’m just guessing here.

So how do I cancel the authentication? I’m depending on the error number -60007 to make my script prompt for re-entry of the user’s Mac admin password when it’s been typed-in wrongly.

Actually, I had it working via the sudo -k (which, incidentally, doesn’t require escalated privileges) when I was erroneously doing the sudo scho test alongside with administrator privileges before I searched Macscripter and found the Technical Note TN2065, because I was getting the occasional sudo hangs, and the test was flaky (once in a while my wrong-password check didn’t work, and to my great surprise successfully executed the system-level task despite a password typo).

On my machine, if you enter the password wrongly, authentication doesn’t occur! The password dialog simply shakes itself at you and waits for you either to get it right or cancel.

^ Yes, mine, too. But that’s not what I’m doing. What I’m doing is using an AppleScript default answer dialog to put the password into a string variable, so that, on the one hand, I can explain in the same, single dialog why the password is needed, and, on the other hand, so I can use it now to do one thing in a do shell script… password enteredPassword with administrator privileges (e.g., flush the DNS cache), then use use it later to do something else. In-between, I want the 5-minute authentication window closed. So I still need to know how to cancel the authentication grace period.

(originally posted: 07:27:25 am EDT, May 21, 2017)

Edit:

OK, if I can’t find an AppleScript way to cancel the with administrator privileges authentication grace period, then I guess I have to bypass with administrator privileges completely:

do shell script "echo " & enteredPassword & " | sudo -S echo test"

…then follow-up with a:

do shell script "sudo -k"

…or alternatively to the first one:

do shell script "sudo -S <<< " & enteredPassword & " echo test"

For some reason, I can’t get to work without error a combination of the first two:

do shell script "echo " & enteredPassword & " | sudo -kS echo test"

…but this works:

do shell script "echo " & enteredPassword & " | sudo -S echo test; sudo -k"

To be more precise it is not redundant but grants privileges on different level. An do shell script is an execv() C function that is executed. One way creates a spawned process with elevated privileges and other way creates a new subshell which will run as root. That is exactly why you shouldn’t use sudo in a do shell script.

^ Talk about, “grants privileges on different level,” what the heck is going on here?


do shell script "echo test" with administrator privileges

do shell script "sudo -k"

do shell script "echo test" with administrator privileges


Now, solely change the -k option to an upper-case character:


do shell script "echo test" with administrator privileges

do shell script "sudo -K"

do shell script "echo test" with administrator privileges


(Just change the character’s case in the first script; you don’t have to open the second script, too.)

Running either one demonstrates that its respective manipulation of the grace period timestamp doesn’t work on with administrator privileges, but immediately running the other”the first time”while still within the first’s grace period asks for the password. From my reading of the sudo man page, the only difference is that the -k sets the timestamp back to the epoch date, and the -K removes the timestamp entirely. Why would toggling the treatment of the timestamp make it cancel the with administrator privileges grace period?

(Or does this involve the same changing of level that DJ Bazzie Wazzie is talking about?)

do shell script with administrator privileges uses the authorization policy system and not the sudo table.

Yeah, I think I get from your posts #6 and #8 that sudo and with administrator privileges work on different levels, but why does what I stumbled-on work to cancel the grace period of with administrator privileges?

Wait a minute, now I think I see what was going on in my post #7: if you toggle the case of the command option character running within one script, it doesn’t cancel the grace period. It wasn’t toggling the case of the command option character that makes it ask for the password again; instead, it’s recompiling the script before running again that resets the “authorization policy system.”

So I guess there’s still no way to cancel the 5-minutes grace period of with administrator privileges?

That is, short of an awkward workaround, which isn’t really cancelling the grace period, but rather doing a separate instance of with administrator privileges (asks for password twice):


do shell script "echo test" with administrator privileges
run script separate_instance

script separate_instance
   do shell script "echo test" with administrator privileges
end script

It doesn’t use the sudo timeout table but has its own. It grants an process/brundle id elevated privileges but not the user running it. Using a sudo you grant an user elevated privileges throughout the entire system. Sudo -k has therefore no effect because the sudo table isn’t looked up.

But if you want to end the elevated privileges you should use the same authorization system as the do shell script itself. You can access the security framework using the security command line tool.

[format]security authorizationdb remove [/format]

OK, so if I for whatever reason wanted to cancel the grace period of a with administrator privileges, what is this that I actually want to use in the script?


do shell script "echo test" with administrator privileges
do shell script "security authorizationdb remove <name of privileges>"

What is the name of the privilege in particular that I need to use there?

Is that a permanent change? If so, how do I restore things back to normal? (You know, similar to, e.g., how best practices dictate that when you change AppleScript’s text item delimiters, you change them back to defaults as soon as you’re done.)

nvm…

you could use security also to execute each command with it’s own authorization which is a lot easier.

do shell script "security execute-with-privileges /bin/bash -c 'sleep 5'"

do shell script "security execute-with-privileges /bin/bash -c 'sleep 5'"

I tried “nvm” but it didn’t work:


tell current application
	do shell script "echo test" with administrator privileges
		--> "test"
	do shell script "security authorizationdb remove <nvm>"
		--> error "sh: -c: line 0: syntax error near unexpected token `newline'
sh: -c: line 0: `security authorizationdb remove <nvm>'" number 1
Result:
error "sh: -c: line 0: syntax error near unexpected token `newline'
sh: -c: line 0: `security authorizationdb remove <nvm>'" number 1

When I tried security execute-with-privileges the Mac OS password prompt didn’t come up with focus, so I had to click it with my mouse first before I could enter the password. If there’s no real AppleScript syntax to cancel the with administrator privileges grace period, then I guess I’m back to asking for the password in a display dialog”which does come up with focus”and piping the result into a sudo -S then doing the sudo -k.

I meant never mind, sorry

I thought instead of trying to find the elevated privileges and dump them, why not invoke each command with the security framework itself. Safer, easier and more reliable solution.