sudo for non-admin users

Hi all,

I know there have been many posts on the ‘with administrator privileges’ option to sudo specific shell commands, but I haven’t been able to find a way to require an admin password during installation of the pkg or first run of the app and using that so also non-admin users can run the application.

Does anyone know of a way of doing this?
I’m running 10.4.7.

Thanks
Arjen

If you’re running 10.4.7, you shouldn’t be using sudo. ‘with administrative privileges’ is sufficient. I think what you want to do is a contradiction in terms. You’re essentially saying ‘I want a non-admin user to have admin privileges for this one operation.’ Without knowing more about why and some details, I don’t think the answer can get much richer than this.

Thanks for replying Adam,

The actual command I’m running isn’t using sudo, but I use the ‘with administrative privileges’ option to run the command with the right privileges.

i.e.

do shell script "echo \"test\" >> /test.txt" with administrator privileges

(test.txt is owned by root)

I can get it all to work with admin users, but since a non-admin user won’t know the admin password there’s no way for them to run it.

I can imagine that it’ll prompt for an admin password during installation and that it saves that somehow, but what’s the best way to do this?

Thanks
Arjen

I don’t know if this works for a non-admin user, but this is how to recover a password so you could include it in your do shell call:


-- Set sleep time for screens to "Never"
tell application "Keychain Scripting"
	launch
	tell current keychain
		tell (some generic key whose name is "ASPW")
			set myPW to password
		end tell
	end tell
end tell

delay 1
try
	do shell script "pmset -a dim 0" password myPW with administrator privileges
	delay 1
	do shell script "sudo -k" -- timeout sudo ability
end try
delay 1
quit

Of course you have to create that password in the Keychain available to the user. I used ‘generic’ because it makes the sort much quicker - there are very few of that type.

Thanks for the tip, I’ll definitely give it a go.

I’m just a bit worried it won’t work with our roaming and mobile users though.
Also, wouldn’t this mean the admin password is freely available for all users?

Arjen

You’d have to make that a run-only application, and even that is not a great way to go in my view. I’m not sure how to get around that (have never needed to). Could your script create a user for this task with admin privileges and then delete the user as its last act? (I’m groping). I assume you’re trying to install an app that needs admin privileges to place some files where they belong. Could you install a script that would run the next time that user logged in or booted and then require that the user do that?

Another thought, however - can’t you set permissions on that file so the root has all and group & others have execute?
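
The concern raised in the thread, that an admin password stored in the Keychain is available to every user who can run the script, goes away if no password is handed out at all. As an added example that is not part of the thread, this shell helper prints a sudoers rule allowing one account to run one exact command as root. The account name `labuser` and the absolute path `/usr/bin/pmset` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit a sudoers rule that lets one
# non-admin account run one exact command as root without any password.
# "labuser" is a constructed account name; /usr/bin/pmset is an assumed path.

# make_rule USER /abs/path [ARG...]  -> prints the rule, or returns 1.
make_rule() {
    [ "$#" -ge 2 ] || { echo "usage: make_rule USER /abs/path [ARG...]" >&2; return 1; }
    user=$1; shift
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    # Absolute path only, so the rule cannot be satisfied by a look-alike
    # binary found earlier in PATH.
    case $1 in
        /*) ;;
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    # Whitelist every word: no wildcards, quotes, spaces or sudoers
    # separators (, : = \), so the rule matches this argument list only.
    for word in "$@"; do
        case $word in
            ''|*[!A-Za-z0-9_./-]*) echo "unsupported word: $word" >&2; return 1 ;;
        esac
    done
    cmd=$*
    # A bare path would allow ANY arguments; "" tells sudo to allow none.
    [ "$#" -gt 1 ] || cmd="$1 \"\""
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
}

# The pmset call from the thread, scoped to a single account.
make_rule labuser /usr/bin/pmset -a dim 0
```

Add the printed line with `visudo`, which syntax-checks the file before saving; the script can then call `do shell script "sudo /usr/bin/pmset -a dim 0"` with no password argument.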