I know AuthorizationExecuteWithPrivileges is deprecated, but does it still work on 10.9 with do shell script commands? And if so, are there any examples of how to add it to an AppleScript Objective-C app?
The reason I’m requesting this is for a project I’m doing, which can be found at the below:
It’s an app to automate making a NetBoot Image from an OS.dmg. The app works well… but the multiple authentication prompts are an issue.
The prompts come about due to there being multiple shell commands that can take longer than the 5 minute timeout. (like creating the NetBoot image).
The app is to be used by fellow Mac Admins, & not the wider public, & so I am happy to use AuthorizationExecuteWithPrivileges with its security risks. Other tools used to do similar actually use the same method.
If you’re using do shell script, you don’t need AuthorizationExecuteWithPrivileges – just use the administrator privileges parameter (which possibly uses AuthorizationExecuteWithPrivileges anyway).
As far as I’m aware, AuthorizationExecuteWithPrivileges works to the same timeout rules. Or put another way, do shell script works to AuthorizationExecuteWithPrivileges’ rules.
set aPassword to text returned of (display dialog "Enter admin password:" default answer "" with hidden answer)
do shell script "do something that takes a long time" password aPassword with administrator privileges
do shell script "do something else that takes a long time" password aPassword with administrator privileges
I tried that, with a prompt asking the users for their username & password… but it didn’t seem to like it in AppleScript in Xcode… I’d love some verification that that works… ’cause I’d be more than happy with that workaround.
The above code definitely works for me. I don’t think you need to ask for the username. Just ask for the current user’s password. You could test the password entered is correct with something simple like this:
property aPassword : missing value

on getPassword_(sender)
    set aPassword to text returned of (display dialog "Enter admin password:" default answer "" with hidden answer)
    my testPassword_(me)
end getPassword_

on testPassword_(sender)
    try
        do shell script "ls ~/" password aPassword with administrator privileges
        my runTasks_(me)
    on error
        my getPassword_(me)
    end try
end testPassword_

on runTasks_(sender)
    do shell script "do something that takes a long time" password aPassword with administrator privileges
    do shell script "do something else that takes a long time" password aPassword with administrator privileges
end runTasks_
The word “password” is a reserved word. I think you need to change your password variable name from “passWord” to something like “aPassword” or “thePassword”, and I don’t believe there is a need for the " " space character at the end of your shell script.
Could it be you are entering the admin full user name instead of the shortname (which are not always the same)? Example: My full user name: “FirstName LastName” my shortname: “firstnamelastname”
This works as expected for me:
do shell script "mkdir ~/Desktop/testFolder"
set adminName to text returned of (display dialog "Enter admin shortname:" default answer "")
set adminPassword to text returned of (display dialog "Enter admin password:" default answer "" with hidden answer)
do shell script "rm -rf ~/Desktop/testFolder" user name adminName password adminPassword with administrator privileges
I am still not sure why you are trying to collect the username in the first place… are you expecting your script to be run under a non-admin account where the (non-admin) current user would be unable to authenticate/authorize the running of the script?
Do you have the do shell script inside a tell block? The shell script should ‘terminate’ itself when it completes its task.
You could try:
do shell script "rm -rf " & ((quoted form of variableVariable) as Unicode text) user name adminUsername password adminPassword with administrator privileges
Thanks again… it does seem to work when asking for the password via a display dialog… But when trying to grab via a XIB it still prompts for admin credentials via the standard OSX prompt.
Function below, not sure what I’ve missed this time or if it’s an issue:
-- On launch, ask for administrative credentials & validate
on adminCheck_(sender)
    -- Checking variable
    set isAdminUser to false
    -- Check to see if supplied User is a member of the Administrator group (gid 80).
    -- The name is shell-quoted, and the output is split into words so that
    -- "80" only matches a whole group ID.
    if ("80" is not in words of (do shell script "id -G " & quoted form of adminUserName)) then
        -- Log Action
        set logMe to "User " & adminUserName & " is not a part of the Administrators group"
        -- Log To file
        logToFile_(me)
    else
        -- Log Action
        set logMe to "User " & adminUserName & " is part of the Administrators group"
        -- Log To file
        logToFile_(me)
        -- Checking variable
        set isAdminUser to true
    end if
    -- If the User is an Administrator
    if isAdminUser is true then
        try
            -- Perform a check of privileges
            do shell script "ls " user name adminUserName password adminUsersPassword with administrator privileges
            log "we passed"
        on error
            -- Display error to user
            display dialog "Authentication failed. Please re-enter the Administrator credentials." with icon 2 buttons {"OK"}
        end try
    end if
end adminCheck_
So, for example… if we do the below then we can pass the password correctly:
-- If the User is an Administrator
if isAdminUser is true then
    display dialog "Enter Password: " default answer "" with hidden answer
    set adminUsersPassword to text returned of the result
    try
        -- Perform a check of privileges
        do shell script "ls " user name adminUserName password adminUsersPassword with administrator privileges
        log "we passed"
    on error
        -- Display error to user
        display dialog "Authentication failed. Please re-enter the Administrator credentials." with icon 2 buttons {"OK"}
    end try
end if
I can’t test this right now, but if you are showing an NSWindow with NSTextField(s) to retrieve the password and/or username, I would imagine you would need to do something like this:
property adminPasswordField : missing value -- connected to NSTextField in IB
property adminUserNameField : missing value -- connected to NSTextField in IB
property adminPassword : missing value
property adminUserName : missing value
on collectCredentials_(sender)
    set adminPassword to (adminPasswordField's stringValue()) as text
    set adminUserName to (adminUserNameField's stringValue()) as text
    -- dismiss NSWindow & call handler to run shell script here
end collectCredentials_
Not sure if this is your issue, but I don’t know if you can pass an NSString to do shell script’s user name/password arguments without ‘converting’ it to text first. Never tried such a thing.
Apple includes some handy shell tools for testing group membership and passwords that would likely be better than trying to run random shell commands with elevated privileges.
Check for admin rights:
try
    -- The name is shell-quoted so it is always passed as a single argument
    do shell script "dseditgroup -o checkmember -m " & quoted form of adminUserNameFieldTxt & " admin"
    set adminShortName to adminUserNameFieldTxt
on error errMsg number errNum
    if errNum is 67 then
        display dialog adminUserNameFieldTxt & " is not a computer administrator." buttons {"OK"}
    else if errNum is 64 then
        display dialog adminUserNameFieldTxt & " does not have an account on this computer." buttons {"OK"}
    else
        -- Re-raise anything unexpected
        error errMsg number errNum
    end if
end try
Test the password:
try
    -- Both values are shell-quoted before being placed on the command line
    do shell script "dscl . authonly " & quoted form of adminShortName & " " & quoted form of adminPasswordFieldTxt
    set adminPassword to adminPasswordFieldTxt
on error number 10
    display dialog "Password authentication for " & adminShortName & " failed." buttons {"OK"}
end try
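
The checks discussed in this thread, combined into one flow as an added example (not code from any poster): validate the credentials once with dseditgroup and dscl, then reuse them for every privileged command. The handler names, maxAttempts and the placeholder commands are assumptions made for illustration.

```applescript
-- Added example; handler and variable names are hypothetical.
property maxAttempts : 3

-- Returns true only if shortName is a local admin and thePassword authenticates.
on credentialsAreValid(shortName, thePassword)
	-- Coerce first: values read from an NSTextField arrive as NSString in ASObjC.
	set shortName to shortName as text
	set thePassword to thePassword as text
	if shortName is "" or thePassword is "" then return false
	try
		-- A non-zero exit status (67 not a member, 64 no such user) raises an error.
		do shell script "dseditgroup -o checkmember -m " & quoted form of shortName & " admin"
		-- Caveat: the password is in this command's argument list while dscl runs.
		do shell script "dscl . authonly " & quoted form of shortName & " " & quoted form of thePassword
		return true
	on error
		return false
	end try
end credentialsAreValid

-- Runs each command with the same validated credentials.
on runPrivileged(commandList, shortName, thePassword)
	repeat with aCommand in commandList
		do shell script (contents of aCommand) user name shortName password thePassword with administrator privileges
	end repeat
end runPrivileged

on run
	repeat maxAttempts times
		set shortName to text returned of (display dialog "Enter admin shortname:" default answer "")
		set thePassword to text returned of (display dialog "Enter admin password:" default answer "" with hidden answer)
		if credentialsAreValid(shortName, thePassword) then
			-- Placeholder commands standing in for the long-running steps.
			runPrivileged({"/usr/bin/true", "/bin/sleep 1"}, shortName, thePassword)
			set thePassword to missing value -- drop the credential once the tasks are done
			return true
		end if
		display dialog "Authentication failed for " & shortName & "." buttons {"OK"} default button 1
	end repeat
	return false
end run
```

Bounding the retries avoids the unbounded getPassword_/testPassword_ recursion on repeated bad input, and every user-supplied value reaches the shell only through quoted form.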