4

I'm wanting to make a simple program that runs each time on login behind the UI. In my applescript I'm running a sudo command that requires admin authentication. Is there a way to overwrite the need for authentication each time it runs? I don't want to have to type my username and password each time this script runs after login. any help? (and in very simple terms to as I'm a novice.) Much Thanks!

user2024356
  • 41
  • 1
  • 2

3 Answers3

6

You can put your username and password in the applescript command so that it doesn't ask for those credentials. However note that these items are stored as plain text inside the applescript and thus it's possible for others to see them. It's not really secure but it's up to you to decide if it's safe. NOTE: you don't need "sudo" in the command any longer.

do shell script "whatever" user name "username" password "password" with administrator privileges

There are methods where you can store your password in the Keychain and retrieve it from the applescript, thus making it secure. If you want to do that then you create the password item as follows.

Open Keychain Access application and select the keychain in the left column. Then click File>New Password Item..., give it a name, put your account shortname in account, and enter the password. Highlight it in the password list and get information on it. Under the Attributes button enter its kind as generic key. This is chosen because there aren't many of them and the search is much faster. Whatever name you give to it must be put in the code below in "Your Password Name".

Now from applescript you can use it like this...

set myPass to getPW()

do shell script "whatever" user name "username" password myPass with administrator privileges

on getPW()
    do shell script "security 2>&1 >/dev/null find-generic-password -gl \"Your Password Name\" | awk '{print $2}'"
    return (text 2 thru -2 of result)
end getPW

Good luck!

regulus6633
  • 18,848
  • 5
  • 41
  • 49
  • Wait a minute. So you are telling me that if someone views the AppleScript in an effort to get the user’s password, it will not be there. Great, but……what is stopping someone from just typing the security command at a Terminal window an reading it there? I mean, if I enter the command: security 2>&1 >/dev/null find-generic-password -gl “Your Password Name”, the response will be the user’s login password. – David Anderson Nov 20 '14 at 20:01
  • 2
    Your scenario assumes a person is already logged into the computer and to do that he must already have the password. – regulus6633 Nov 21 '14 at 05:58
  • 1
    It is possible to login to a person’s account without knowing the password. The command is: sudo login -f username. The prompt will ask for your password, not username’s password. But, when the security command is entered, the keychain login password is requested which is usually the same as username’s password. Therefore, you are correct. – David Anderson Nov 22 '14 at 10:55
  • I tried simplifing the content of the getPW handler to just one line: do shell script "security find-generic-password -wl \"Your Password Name\"". The result was the same. Is there a reason you did it your way? – David Anderson Nov 22 '14 at 11:37
  • The "-w" option looks good. I'll give that a try. I hadn't seen that before... maybe it wasn't available when I first looked into this but it looks useful. The "2>&1" stuff is about ignoring errors so that's there only in case of problems. – regulus6633 Nov 22 '14 at 16:20
1

Another solution is editing the

etc/sudoers

configuration file.

A setting on that file can allow a specific user to execute a specific commands (with... yes... specific parameters) as super user.

If the command itself is not the problem, but the problem is exposing the password in the code then this may be the solution.

The sudores file should be edited running the command visudo as super user.

Before you start tampering with sudoers I strongly suggest you to get a basic knowledge of visudo and the sudoers syntax, as messing that file may causes serius issues to the system.

As you know what you are doing is just a matter of adding a couple of lines.

For information you may Google or start here http://www.sudo.ws/sudoers.man.html

Paolo
  • 15,233
  • 27
  • 70
  • 91
0

If you want all Administrator accounts to be able to use the sudo command without entering a password, then do the following.

Change the line shown below in the /private/etc/sudoers file from

%admin  ALL=(ALL) ALL

to

%admin  ALL=(ALL) NOPASSWD: ALL

This edit can be accomplished, by using the Terminal and TextEdit applications. Open the Terminal application and type the following commands:

cd ~/desktop
sudo cp -n /etc/sudoers /etc/sudoers.orignal
sudo cp /etc/sudoers sudoers.txt
sudo chmod ug+w sudoers.txt
open sudoers.txt
visudo -c -f sudoers.txt
sudo cp -X sudoers.txt /etc/sudoers

When done, the sudoers.txt file on your desktop can be put in the trash.

To undo your changes, use the command:

sudo cp /etc/sudoers.original /etc/sudoers

This was tested using OS X 10.10.1

If you want to do the same for a single user then see: http://hints.macworld.com/article.php?story=20021202054815892

Below is a brief explanation of what each command does:

cd ~/desktop

This makes sure you are working from your desktop folder.

sudo cp -n /etc/sudoers /etc/sudoers.original

This backups your sudoers file. The backup can be used to undo your changes. The -n option insures that an existing sudoers.original file will not be overwritten.

sudo cp /etc/sudoers sudoers.txt

Copies the sudoers file to your desktop. The .txt extension is added so OS X will know this is a text file.

sudo chmod ug+w sudoers.txt

Changes the file’s permissions to allow write access. 

open sudoers.txt

Opens the file in the TextEdit application. You need to edit the file and save the changes.

visudo -c -f sudoers.txt

Checks the edited file for syntax errors. The output should be sudoers.txt: parsed OK.

sudo cp -X sudoers.txt /etc/sudoers

Copies the file back to the /etc directory.

David Anderson
  • 1,108
  • 9
  • 17