Re: Making folders and files as non-admin user [WAS: Re: Privileged shutdown]
- Subject: Re: Making folders and files as non-admin user [WAS: Re: Privileged shutdown]
- From: Axel Luttgens <email@hidden>
- Date: Sun, 25 Jul 2004 23:51:34 +0200
Paul Berkowitz wrote:
[...]
On 7/25/04 3:03 AM, "Axel Luttgens" <email@hidden> wrote:
Thanks, Axel, for all the attention to this. I'll reply inline.
Ahem. You're welcome.
I'll concentrate on one point of your post.
Not that I consider the other parts uninteresting. On the contrary.
And thanks too for having replied in such a complete way.
The authorizations of '/Library/Application Support':
drwxrwxr-x 19 root admin 646 24 Jun 13:48 Application Support
clearly indicate the intents: only administrators should be able to add
or remove items in that folder.
Yes, that's right.
[...]
[...]
[...]
a) I am running as a user belonging to the group admin; given the enclosing
folder's auths, no problem:
mkdir testfolder
--> drwxr-xr-x 2 luttgens admin 68 25 Jul 09:25 testfolder
Note that this doesn't rely on the specifics of group admin at all; this
works just because the enclosing folder allows members of a given group
(here, admin) to create items.
If I wanted everybody to be able to write into testfolder, as I am the
owner of that folder, I may write:
chmod go+w testfolder
--> drwxrwxrwx 2 luttgens admin 68 25 Jul 09:25 testfolder
Something else would be to make testfolder owned by root (for whatever
reason)
Actually, this didn't work for me in AppleScript. Using 'sudo' with 'do
shell script' of course just gets you the silly dialog about being careful
as result, but 'with administrator privileges' does bring up a dialog
requesting an admin password. That would have been fine with me - let an
administrator install while logged in as a non-admin user. That would have
been adequate.
I suppose you are considering the case of a regular user (say, my 'test'
user) executing an applescript containing a line such as:
do shell script "chmod o+w /Library/Application\ Support/X" with administrator privileges
aren't you?
The applescript (more exactly, the process executing it) is then running
as user 'test'.
And this has amusing consequences.
But it didn't work - I still got an error message about
insufficient permissions. That was with chmod. I didn't try chown.
When executing the "do shell script" part, after the requested password
has been entered by the user, AppleScript will launch the following
sub-process, running as 'test' too: [1]
sh -c 'echo somepassword | sudo -S chmod o+w /Library/Application\ Support/X'
The sh part, with the echo command and the pipe, allows the password to
be communicated to sudo through standard input (hence the -S option).
But the fact is that a process, running as regular user 'test', is
trying to perform a sudo.
So, which password should it be given?
Some administrator password?
No sense: sudo would just fail as it is awaiting test's password
(because of sudo's default configuration).
And anyway, how could sudo relate a password to some administrator in
particular?
Test's password then?
Yes, but... this results in a frightening error:
--> test is not in the sudoers file. This incident will be reported.
In fact, "with administrator privileges" is a misnomer.
The "with administrator privileges" just tells AppleScript to execute
the shell command through sudo.
But the script must already be running as an administrator user for this
to be effective...
As a summary:
executing an applescript as regular user 'test'
=> executing 'sudo chmod o+w /Library/Application\ Support/X' as
user 'test'
=> failure, because user 'test' is not allowed to do this
That is, we always were in case b), never in case a)!
[...]
[...]
b) I am running as a regular user (say user 'test' of group 'test'):
[...]
[...]
Axel
[1] Thanks Chris for having told us, some time ago, the whole truth
over AppleScript's current implementation of "do shell script ... with
administrator privileges".
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.
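The directory-permission reasoning in the message above (who may create items in '/Library/Application Support' and in testfolder) can be checked mechanically. This is an added example, not part of the original post: the function names, the user 'paul' and the last sample line are constructed, and the check assumes plain POSIX mode bits only (no ACLs, no file flags).

```python
import re

# Matches the start of an `ls -l` line: type, 9 mode chars, link count, owner, group.
LS_RE = re.compile(
    r"^(?P<type>[dl-])(?P<perm>[rwxsStT-]{9})[@+.]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s"
)

def parse_ls_line(line):
    """Return (type, perm, owner, group) from one `ls -l` line."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    return m["type"], m["perm"], m["owner"], m["group"]

def can_create_in(line, user, groups):
    """True if `user` (member of `groups`) may add items to the listed directory."""
    ftype, perm, owner, group = parse_ls_line(line)
    if ftype != "d":
        return False
    if user == "root":
        return True  # root bypasses mode bits
    # Exactly one permission class applies: owner first, then group, then other.
    # An owner is never granted the group's bits, even if they are more generous.
    if user == owner:
        bits = perm[0:3]
    elif group in groups:
        bits = perm[3:6]
    else:
        bits = perm[6:9]
    # Creating an entry needs write plus search (x, or s/t which imply x).
    return bits[1] == "w" and bits[2] in "xst"

# Listings quoted in the message, plus one constructed line (the last).
APP_SUPPORT = "drwxrwxr-x 19 root admin 646 24 Jun 13:48 Application Support"
TESTFOLDER = "drwxr-xr-x 2 luttgens admin 68 25 Jul 09:25 testfolder"
TESTFOLDER_OPEN = "drwxrwxrwx 2 luttgens admin 68 25 Jul 09:25 testfolder"
OWNER_LOCKED = "dr-xrwxr-x 2 luttgens admin 68 25 Jul 09:25 constructed"

if __name__ == "__main__":
    for line in (APP_SUPPORT, TESTFOLDER, TESTFOLDER_OPEN, OWNER_LOCKED):
        for user, groups in (("luttgens", {"admin"}), ("test", {"test"})):
            print(user, can_create_in(line, user, groups), line.split()[-1])
```
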