Re: Q: 10.4.2 "Do Shell Script" revision & passwords
- Subject: Re: Q: 10.4.2 "Do Shell Script" revision & passwords
- From: Christopher Nebel <email@hidden>
- Date: Wed, 13 Jul 2005 11:55:02 -0700

On Jul 13, 2005, at 10:49 AM, Eric Geoffroy wrote:

> On Jul 13, 2005, at 10:32 AM, Laine Lee wrote:
>
>> On 7/13/05 12:11 PM, "Gary (Lists)" <email@hidden> wrote:
>>
>>> The Tech Note for 'do shell' specifically states that you should not use 'sudo' _and_ 'with administrator privileges'.
>>
>> You shouldn't, but sometimes you have to. There are cases for which there is no alternative.
>
> In Tiger it is okay to use sudo with admin privileges.
> If I'm wrong I'll eat me shorts.

How would you like those shorts? In 10.4.0 and 10.4.1, you'll hang if you try. This is fixed in 10.4.2, and it's fixed by setting both the real and effective user ids for the command, which cures the other problems people have been having. There should be even less need to call "sudo" explicitly now. (There is still a problem with calling d.s.s.w.a.p. repeatedly slowing down; we have a fix, but didn't figure it out in time for 10.4.2.) Quoting from the *revised* TN2065, which should go live Real Soon Now:

Q: How do I get administrator privileges for a command?

A: Use the administrator privileges, user name and password parameters like this:

    do shell script "command" user name "me" password "mypassword" with administrator privileges

user name and password are optional; if you omit the user name, do shell script assumes it to be the current user; if you omit the password, it will ask for a password when it runs. Once a script is correctly authenticated, it will not ask for authentication again for five minutes. As of Mac OS X 10.4, this grace period does not extend to any other scripts or to the rest of the system; manually calling sudo -k is unnecessary.

Bear in mind that administrator privileges allow you to change any file anywhere in the system. You can render your system unbootable or even erase the entire disk with a few well-placed commands, so exercise caution. Better yet, don’t use administrator privileges unless you absolutely have to. Unless you are doing system-level development, you should never need to change anything in /System — changing /Library should suffice.

Note: Using sudo(8) with "with administrator privileges" is generally unnecessary and creates security holes; simply remove the "sudo".

WARNING: In Mac OS X 10.4.0 and 10.4.1, with administrator privileges executes the command with only the effective user id set to root. This causes trouble for some commands that rely on the real user id — for example, Perl will turn on its "taint mode" security checks, and sudo(8) will hang. To work around the problem (assuming you cannot simply remove a use of sudo; see above), preface your command with a small Perl script to set the real user id, like this:

    do shell script "/usr/bin/perl -Ue '$< = $>; system(@ARGV)' my_command" with administrator privileges

Mac OS X 10.4.2 sets both the real and effective user ids; the workaround described here will be unnecessary, but harmless.

WARNING: Prior to Mac OS X 10.4, with administrator privileges did not work correctly with multiple commands. You had to turn your multiple commands into a single invocation of sh, like this:

    set normal_command to "command1; command2"
    do shell script "sh -c " & quoted form of normal_command with administrator privileges

As of Mac OS X 10.4, you can use with administrator privileges with multiple commands as described in "how can I use more than one command" above; no workaround is necessary.

--Chris Nebel
AppleScript and Automator Engineering
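
An added example, not part of the original message or of TN2065: the quoted Perl workaround `$< = $>` expressed as C system calls, together with the real/effective id comparison that makes Perl enable taint mode. The function names and the wrapper program are hypothetical, chosen for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 when the real and effective ids differ. This is the condition under
 * which Perl enables taint mode, and the state the quoted text describes
 * for 10.4.0/10.4.1 (effective uid root, real uid still the user). */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Equivalent of Perl's `$< = $>`: copy the effective uid into the real
 * uid. Only the uid is touched, as in the one-liner; group ids are left
 * alone. Returns 0 when both uids match afterwards, -1 on failure. */
int real_uid_from_effective(void)
{
    uid_t euid = geteuid();

    if (getuid() != euid && setreuid(euid, euid) != 0)
        return -1;
    return (getuid() == euid && geteuid() == euid) ? 0 : -1;
}

/* Hypothetical wrapper: report the ids, align them, then run argv[1..]
 * in place of this process, as `system(@ARGV)` does in the one-liner. */
int main(int argc, char **argv)
{
    printf("real uid=%ld effective uid=%ld differ=%d\n",
           (long)getuid(), (long)geteuid(),
           ids_differ(getuid(), geteuid(), getgid(), getegid()));

    if (real_uid_from_effective() != 0) {
        perror("setreuid");
        return 1;
    }
    if (argc < 2)
        return 0;

    execvp(argv[1], &argv[1]);
    perror("execvp");          /* reached only if the exec failed */
    return 127;
}
```

Run from an ordinary shell, both ids already match and the wrapper changes nothing, which mirrors the "unnecessary, but harmless" behaviour described for 10.4.2.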