Interactive shell in sandbox?

Has anyone managed to program a silent update of a sandboxed application (not on MAS)?

I have a sandboxed helper app in place which starts an interactive shell. Then I’m trying to start the installer from that shell and further on sending a password from keychain to it. The idea is to make the update process simpler (less clicking, typing or dragging).

So far, it fails.

I’m trying to use an interactive shell, like that:

  im.imInstallShell = New InstallShell  // Subclass of Shell
  im.imInstallShell.Mode = 2 // Interactive

  Dim cmd As String = "installer -pkg " + chr(34) + im.InstallerPath + chr(34) + " -target /"

  If Not im.imInstallShell.IsRunning Then
    im.imInstallShell.Execute "/bin/bash"   // alternative: "sh"
  End If
  System.Log(System.LogLevelNotice,CurrentMethodName + "2.TRY : im.imInstallShell.IsRunning =" + Str(im.imInstallShell.IsRunning))

I have a running shell after this. Now I try:

  // Now start the installer
  im.imInstallShell.Write(cmd)
  im.imInstallShell.Write(Chr(13))

And here it fails and I find the following in the console log:

[quote]28.05.15 08:05:45.818 com.osswald.pro.seminar[5405]: forkpty: login_tty could’t make controlling tty
28.05.15 08:05:45.000 kernel[0]: Sandbox: bash(5405) deny file-ioctl /dev/ttys000
[/quote]

Full report:

[quote]seminar.pro.assi(5405) deny file-ioctl /dev/ttys000

Process: seminar.pro.assi [5405]
Path: /Applications/Seminar Pro.app/Contents/Library/LoginItems/seminar.pro.assist.app/Contents/MacOS/seminar.pro.assist
Load Address: 0x1000
Identifier: com.osswald.pro.seminar
Version: 1.0.0.0.0 ()
Code Type: i386 (Native)
Parent Process: seminar.pro.ass [5401]

Date/Time: 2015-05-28 08:05:45.819 +0200
OS Version: Mac OS X 10.10.3 (14D136)
Report Version: 8

Thread 0:
0 libsystem_kernel.dylib 0x951bbf26 __ioctl + 10
1 libsystem_c.dylib 0x97bf0298 forkpty + 110
2 RBShell.xojo_plugin_0.dylib 0x08b01bda
3 RBShell.xojo_plugin_0.dylib 0x08b01849
4 seminar.pro.assist 0x000cd87a Shell.Execute%%os + 72

Binary Images:
0x1000 - 0x133969 com.osswald.pro.seminar ( - 1.0.0.0.0) <2418079a-e3b5-3850-bd8b-8afb73df8b04> /Applications/Seminar Pro.app/Contents/Library/LoginItems/seminar.pro.assist.app/Contents/MacOS/seminar.pro.assist
0x8b00000 - 0x8b0cffb RBShell.xojo_plugin_0.dylib <9ff1a992-88f8-336c-bc73-43c1fc195971> /Applications/Seminar Pro.app/Contents/Library/LoginItems/seminar.pro.assist.app/Contents/Frameworks/RBShell.xojo_plugin_0.dylib
0x951a3000 - 0x951c2fff libsystem_kernel.dylib (2782.20.48) /usr/lib/system/libsystem_kernel.dylib
0x97be0000 - 0x97c75fff libsystem_c.dylib (1044.10.1) <9804163c-4dec-3b94-9854-00248e44554f> /usr/lib/system/libsystem_c.dylib
[/quote]

If NOT sandboxed, then this AppleScript is executing a silent install of a package on OSX:

[code]on run

set container to "/Users/user1/Library/Containers/com.osswald.pro.seminar/"
set appdata to "Data/Library/Application Support/SeminarProBeta.pkg"
set theInstaller to quoted form of (container & appdata)
do shell script "installer -pkg " & theInstaller & ¬
	" -target /" user name "user1" password "mypassword" with administrator privileges

end run[/code]

If I run the script from the sandboxed app (seminar.pro) then it fails:

[quote]29.05.15 20:42:59.531 authd[132]: Sandbox denied authorizing right ‘system.privilege.admin’ by client ‘/Applications/Seminar Pro.app’ [1651]
29.05.15 20:43:05.000 kernel[0]: Seminar Pro[1651] Unable to quarantine: 1[/quote]

I still wonder if there is a way to run a silent update of an application from a sandboxed app?

[quote=190655:@Oliver Osswald]If NOT sandboxed, then this AppleScript is executing a silent install of a package on OSX:

[code]on run

set container to "/Users/user1/Library/Containers/com.osswald.pro.seminar/"
set appdata to "Data/Library/Application Support/SeminarProBeta.pkg"
set theInstaller to quoted form of (container & appdata)
do shell script "installer -pkg " & theInstaller & ¬
	" -target /" user name "user1" password "mypassword" with administrator privileges

end run[/code]

If I run the script from the sandboxed app (seminar.pro) then it fails:

I still wonder if there is a way to run a silent update of an application from a sandboxed app?[/quote]

You got your answer right here: [quote]29.05.15 20:42:59.531 authd[132]: Sandbox denied authorizing right ‘system.privilege.admin’ by client ‘/Applications/Seminar Pro.app’ [1651][/quote]

AppleScript or not, I doubt extremely much a sandboxed application can have administrator privileges. You would not want that either: imagine what a malevolent worm or virus could do with that…

The best I have seen so far is what Sam Rowlands does for App Wrapper. It is not a silent install, but it is really smooth. I do not know about Kaju, but it is probably worth a try as well.
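
For triage of logs like the ones quoted in this thread, the sketch below pulls the sandbox denials out of Console text and groups them by process id, so each failure (the `forkpty` error, the refused admin right) can be tied to the operation the sandbox blocked. It is an added example, not code from any poster; the function names are my own, and the patterns assume the Console line layout shown on this page, accepting both the curly quotes as rendered here and straight quotes.

```python
import re

# Console lines copied from the thread above (curly quotes as they appear there).
SAMPLE_LOG = """\
28.05.15 08:05:45.818 com.osswald.pro.seminar[5405]: forkpty: login_tty could’t make controlling tty
28.05.15 08:05:45.000 kernel[0]: Sandbox: bash(5405) deny file-ioctl /dev/ttys000
29.05.15 20:42:59.531 authd[132]: Sandbox denied authorizing right ‘system.privilege.admin’ by client ‘/Applications/Seminar Pro.app’ [1651]
29.05.15 20:43:05.000 kernel[0]: Seminar Pro[1651] Unable to quarantine: 1
"""

PREFIX = r"(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
# kernel: "Sandbox: <process>(<pid>) deny <operation> <target>"
KERNEL_DENY = re.compile(
    PREFIX + r"kernel\[\d+\]: Sandbox: (?P<proc>.+?)\((?P<pid>\d+)\) "
    r"deny (?P<op>\S+)(?: (?P<target>.+))?$")
# authd: "Sandbox denied authorizing right '<right>' by client '<path>' [<pid>]"
AUTHD_DENY = re.compile(
    PREFIX + r"authd\[\d+\]: Sandbox denied authorizing right "
    r"[‘'](?P<right>[^’']+)[’'] by client [‘'](?P<client>[^’']+)[’'] "
    r"\[(?P<pid>\d+)\]$")


def parse_denials(text):
    """Return one dict per sandbox denial found in Console-style log text."""
    denials = []
    for line in text.splitlines():
        line = line.strip()
        m = KERNEL_DENY.match(line)
        if m:
            denials.append({"source": "kernel", "time": m["ts"],
                            "process": m["proc"], "pid": int(m["pid"]),
                            "denied": m["op"], "target": m["target"]})
            continue
        m = AUTHD_DENY.match(line)
        if m:
            denials.append({"source": "authd", "time": m["ts"],
                            "process": m["client"], "pid": int(m["pid"]),
                            "denied": "authorization-right", "target": m["right"]})
    return denials


def denials_by_pid(text):
    """Group denied operations by pid so a failure can be tied to its process."""
    grouped = {}
    for d in parse_denials(text):
        grouped.setdefault(d["pid"], []).append((d["denied"], d["target"]))
    return grouped
```

On the thread's lines, `denials_by_pid(SAMPLE_LOG)` attributes the `file-ioctl` denial on `/dev/ttys000` to pid 5405 (the process that logged the `forkpty` error) and the refused `system.privilege.admin` right to pid 1651.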