Running an ASStudio app as root; shell script w/ admin priv

I think this is one problem that some others have struggled with as well.

I have an ASStudio application that basically needs to delete some files within the /System/Library/Caches/ folder (SYSTEM domain). The way I’ve been doing it up till now is to use a ‘do shell script with administrator privileges’ which uses the ‘rm -f’ shell command.

This method works fine for users who have administrator privileges, but will cause an AppleScript error “user is not in the sudoers file. This incident will be reported” for those who don’t have admin privileges. (Jon, I think you ran into this with your preferences checking app.)

Well, I was updating my Repair Disk Utility’s Permissions page when I had a brainstorm about potentially setting the Mach-O executable of the ASStudio application to SetUID root, so that it’d be running with root privileges immediately upon launch. Obviously, this could be potentially dangerous if the app contained faulty code, but since my app basically only does one single command, I figured it should be okay.

The plan then was that I’d distribute the application as normal, the non-admin user would install it, and then they’d have an IT person or whoever come over, login as an admin, authenticate once in order to change the permissions on my app, and then from then on, the normal user would be able to use it without the need to enter a password. Because the application’s executable would have root ownership and the SetUID bit, it’d launch with root privileges. I then had the idea that I could simply use a ‘do shell script’ (normally) to delete whichever files I needed too. I was thinking that the shell script would inherit the permissions of the process that launched it.

After doing a few experiments, it seems that all heck breaks loose after changing the permissions on the executable. I tried this with an ASStudio application (bundled format), as well as just a regular AppleScript saved as an Application in Script Editor. For example, a simple

set result_ to (do shell script "ls -l /Volumes/mdouma46/Desktop/")

results in the following error message:

“ls -l /Volumes/mdouma46/Desktop/” doesn’t understand the «event sysoexec» message. (-1708)

After looking around, I finally realized that «event sysoexec» is simply the ‘do shell script’. Even doing a simple display dialog doesn’t seem to work.

Any idea what might be going on, and if what I was hoping to do might be possible?

The following is a droplet that’ll allow you to change the permissions of any AppleScript you created in Script Editor (in 10.3.x that is) and saved as an “Application” (not an Application Bundle) to SetUID root:

Thanks in advance…

[This script was automatically tagged for color coded syntax by Convert Script to Markup Code]

Turns out I was a little too clever. :smiley:

In posting to the ASStudio mailing list, one of the Apple engineers said that they’ve purposely disabled SetUID root applications from loading any scripting additions, as a security measure.

So, I’m planning on just using a small shell script helper tool that’ll be SetUID root, and just launch that to do the processing.