sudo shell command?

Agreed. At the moment the way I’ve set it up means only through an authorised shell can the setuid helper be launched and work, but it’s true that it’s a security risk, one I’ve been trying to move away from (and one I hated having to implement, but the only way to be able to control root’s launchctl from a userspace Xojo app).

This is why I’ve been trying to find an alternative for a while now, without much luck. The “much harder” description falls short of how maddeningly complicated it’s proving to be.

I am writing a server which is installed in a user account that is in the sudoers file.
sudo in the terminal works and all the shell tricks I’ve tried failed.

If I run my application using sudo, then do the shell commands I issue also inherit the sudo rights?

On Mac maybe AppleScript does the job.

on run
	do shell script "echo 'abc'" with administrator privileges
	return the result
end run

or:

on run
	do shell script "echo 'abc'" user name "me" password "MyPassword" with administrator privileges
	return the result
end run

Hello guys,

Any update on this?

I'm trying as well to test a user password to see if he can run sudo or not and to get the feedback.

The idea would be to have the pass temporarily, to be able to stop a MySQL server service or to query its status.

So far I have something like that:

[code]Dim sh As New Shell

sh.Execute "osascript -e 'do shell script ""sudo /usr/local/mysql/support-files/mysql.server status"" with administrator privileges'"

MsgBox sh.Result
[/code]

but that ends up asking for the password every time, so I need to temporarily store it for the time the app is running and to use it with something like:

[code]Dim sh As New Shell

sh.Execute "osascript -e 'do shell script ""sudo /usr/local/mysql/support-files/mysql.server status"" user name ""user"" password ""password"" with administrator privileges'"

MsgBox sh.Result
[/code]

In this way it will not ask for the password every time. So far I'm stuck, and doing shell with mode 2 it seems that the response does not get fired until I press the button a second time. Weird.

Thanks

The password is here to prevent the kind of manipulations that you DON’T want to be performed silently by, just as an example, some stupid malware caught on the web. It is here to protect you. It is supposed to be impossible to go around from inside a program.

Though, with the aforementioned AuthorizationShell code, you can make it so that the user is asked only once for their password as long as your app runs, which may help to annoy the user less.

But never with such a shell call

  sh.Execute "osascript -e 'do shell script "" sudo /usr/local/mysql/support-files/mysql.server status"" user name "user " password "password" with administrator privileges '"

because the clear text password would be visible via “ps” call.
See sudo shell command? for a solution.

Thanks guys, and as Thomas mentioned I do have a request not to insert the password every time: one time on app start, the pass stays in a protected memory block and once the app closes the data gets cleared.

The problem is that it will be used for multiple Macs, so the username and pass must be variables. I did something like the AppleScript example in the docs but unfortunately it is not working, or most probably I'm doing something wrong.

The purpose would be to test if the pass is the right one or not and to have it there temporarily. So far, for password validity, I wanted to have something like an AppleScript, to be called like:

Dim response As String
response = CheckPassValidity(username, password)

and the AppleScript should be like this:

on run {value1, value2}
	do shell script "sudo -s" user name value1 password value2 with administrator privileges
	-- "do shell script" already returns the command output as text;
	-- "text returned of result" only exists for "display dialog" and raises an error here
	set answer to result
	return answer
end run

So eventually, if the pass and the user are OK then the response is "", otherwise the response will be: error "The administrator user name or password was incorrect." number -60007

and I could have either a boolean response or a string response; so far I wanted it to be a string, but no luck.

Once that is validated it will save the pass and go on with the rest of the procedures.

Mostly it will be for managing the MySQL server: uninstalling, installing, start, stop, status and so on.

So any other idea is more than welcome; the username will be retrieved automatically from the shell as well, but the pass has to be input by the user and validated.

[quote=34836:@Frederick Roller]If you know the root password for the machine your app is running on, you can try this:

[code]Dim My_Shell As New Shell
My_Shell.Execute "echo YourRootPassword | sudo -S /YourPath/YourExecutable"
MsgBox My_Shell.Result[/code][/quote]
That's a really useful trick! Most of the time, using a shell with root authorisations normally requires having an interactive shell (you have to use DataAvailable to find out if the shell asks for the user's password and issue it there; if the command actually didn't need a password and happens to reply something starting with "Password:", you can't tell the difference).
With this trick, one can pre-enter the password and keep a synchronous shell!

Not any longer. Apple no longer allows the -S option for sudo unless you are in a physical tty (terminal). You can override this in the sudo settings, but it’s a manual operation using a text editor as root.

Using an async (mode = 2) shell and parsing the shell’s result content for the “Password:” prompt really is the only way to achieve this on current macOS (and many Linux configs).

[code]
Dim theShell As New Shell

theShell.Mode = 2
theShell.Canonical = True
theShell.Execute "sudo /usr/bin/true"
Do
  App.DoEvents(5)
  theShell.Poll
  If InStrB(theShell.Result, "Password:") <> 0 _
    Or InStrB(theShell.Result, "[sudo] password for") <> 0 Then // Linux variant
    theShell.WriteLine thePassword
  End If
Loop Until Not theShell.IsRunning
[/code]

What would happen then? In my test app, the code doesn’t return an error (and, apparently, works fine).

[quote=470629:@Tim Jones]Using an async (mode = 2) shell and parsing the shell’s result content for the “Password:” prompt really is the only way to achieve this on current macOS (and many Linux configs).
[/quote]
OK, I’ll keep that. Hoping no console app has the bad design to print “Password:” in its code.

I'm one of those guys that strongly believe command lines, albeit often offering more options, are less reliable and pleasant for the "average user", thus for applications made for not-only-self (and even for myself only, I usually make a GUI to call shell commands because it's way more practical to, e.g. put a file path in a TextField than to rewrite a command argument in a text-only window).
This includes the need to parse strings from commands results, which looks weaker than having integers or other data types to hold values in an “OOP way”. Merely my opinion.

Thank you for confirming there’s no other way.

Have you modified the sudoers configuration or added an entry into the /etc/sudoers.d/ folder? I just tested on 3 different macOS versions here and get the requiretty error on each:

theShell.Execute "echo " + THEPASS + " | sudo -S /usr/bin/true"
The shell’s result always says:

sudo: no tty present and no askpass program specified

[quote=470667:@Tim Jones]Have you modified the sudoers configuration or added an entry into the /etc/sudoers.d/ folder? I just tested on 3 different macOS versions here and get the requiretty error on each:

theShell.Execute "echo " + THEPASS + " | sudo -S /usr/bin/true"
The shell’s result always says:

sudo: no tty present and no askpass program specified [/quote]
I haven’t modified anything in this folder.
Your example above makes the shell have this result: "Password:". Not an error, but the password isn't sent either (don't know the significant difference between this code and mine...).

As Thomas Tempelmann said before (somewhere in Sep.): never ever use your root passwords in that way. Never pipe it! Every process can see this. It is logged in logfiles when it is invoked with intentional errors. In one sentence: it is a bad habit and a security nightmare!

Use root with care, especially as a software developer!

Intentional from who?

As for avoiding this technique, it’s the only real solution I found for my problem: launching another app with sudo. Another way that doesn’t require making a helper app just to launch an app?

Thanks.

[quote=470677:@Arnaud Nicolet]Intentional from who?
[/quote]

Any bad guy knocking at your server/software :wink:

If you need to do something in root context then try to solve this via an extra worker process, similar to the Firefox updater background service, for instance.

Mac OS has memory encryption; it's made to avoid sharing information like this, correct?
I always wondered how an app performing shell commands transmits its commands to the shell... Is that all done in the caller's memory?
At any rate, a user having a virus may expect to have to change his password.

I just need to launch an app as root, nothing more. It may be TextEdit so the user (mainly myself) can open mostly any file in some locations (editing launch agent files for instance) or any app.
It’s a convenience wrapper to launch an app with sudo without using the Terminal.
Thanks.

Arnaud, you do not understand. Look at this example:

Here you have one shell window with a command and its parameters (ping xojo.com).
This process with its parameters can be seen by everybody else with ps, top or htop.
And so any password can be seen, too.

Don’t do this, it’s a bad habit!
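As an added illustration of the point made above (example code written for this page, not from the thread): a secret embedded in the command string, as in the `echo PASS | sudo -S cmd` form, sits in the argv of the `sh -c` process and is readable by any local user through the process table, whereas a secret written to the child's stdin (what `sudo -S` reads, and what the mode-2 `WriteLine` approach does) never appears there. It assumes a POSIX sh and either Linux `/proc` or a `ps` that accepts `-o args= -p PID`; the secret value is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread. SECRET is a constructed sample.
SECRET='constructed-demo-secret'

# Command line of a live process, exactly as any other local user sees it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"      # Linux
    else
        ps -o args= -p "$1"                   # macOS / BSD
    fi
}

# Pattern 1: the secret is part of the command string. Shell.Execute hands
# the whole string to "sh -c ...", so the secret ends up in that process's
# argv (a sleeper stands in for sudo here). Returns what the process table shows.
leak_via_argv() {
    sh -c 'sleep 3' demo "$1" >/dev/null &
    pid=$!
    sleep 1                                   # let the child exec first
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# Pattern 2: only the command is in argv; the secret travels over stdin, the
# channel sudo -S reads and the one the mode-2 Shell.WriteLine call uses.
# printf is a shell builtin, so no extra process ever carries the secret.
pass_via_stdin() {
    printf '%s\n' "$1" | sh -c 'read -r line; sleep 3' >/dev/null &
    pid=$!                                    # pid of the sh -c stage
    sleep 1
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# True (exit 0) when the captured command line contains the secret.
exposes_secret() {
    case "$1" in *"$SECRET"*) return 0 ;; esac
    return 1
}

echo "argv pattern  : $(leak_via_argv "$SECRET")"
echo "stdin pattern : $(pass_via_stdin "$SECRET")"
```

The first line printed contains the sample secret in clear; the second shows only the command.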

[quote=470687:@Tomas Jakobs]Arnaud, you do not understand. Look at this example:

Here you have one shell window with a command and its parameters (ping xojo.com).
This process with its parameters can be seen by everybody else with ps, top or htop.
And so any password can be seen, too.

Don't do this, it's a bad habit![/quote]
Ah, OK, I understand. Thank you.
This is typically something I think should be hidden by some mechanism in the OS.

As for a habit, I haven't taken it; it's just the only way I found for a given app of mine.
It remains to find a workaround, else I'm stuck with this way (the app where I'm using it is not to be distributed in the wild)...

regarding workarounds…

Once upon a while a young talented software developer, let's name him Tim, created an operating system for his own DIY purposes. It was quite a quick and dirty operating system, created as a workaround just in order to run another piece of software.

One day a stranger appeared and gave him 50.000 bucks for this. He couldn't believe his fortune and said, yes of course, take it. Maybe he thought to himself what a stupid guy, paying 50 grand for this piece of quick and dirty workaround...

The stranger was Bill Gates and this quick and dirty operating system (QDOS) became Microsoft DOS...

:wink: