Jump to content

Workflows requiring privileges


Recommended Posts

Posted

Sorry this is long - but it is a bit complex.

 

I intermittently do web development work and prefer to develop it all on my local machine, but don't want Apache & MySQL running all the time. So I thought I'd make a quick workflow to allow me to start, stop and restart these services.

 

The normal procedure would be to open Terminal and type:

 

sudo apachectl stop

password

sudo mysql.server stop

no password 2nd time because it's good for 5 minutes.

 

Substitute start or restart as necessary.

 

* This assumes you have set up your paths correctly (use sudo vi /etc/paths), otherwise you will need to type:

 

sudo /usr/local/mysql/support-files/mysql.server stop

and the equivalent for apache

 

So, I made a quick keyword workflow with a required argument (your password) which is passed to a script like:

 

echo "{query}" | sudo -S apachectl stop

 

Unfortunately it doesn't work.  I double checked the sudo man pages, looked around the Internet and found others who said this was the way to script sudo commands requiring a password. Still no luck in Alfred.  

 

Probably for the best in the long term, I gave up on that and took the steps to set up my machine to do this properly. I was trying to do it this way so that the workflow could be portable to other machines without any other steps (and soothed my conscious about scripts with plain text passwords by telling myself that it wasn't stored anyplace).

 

So here's my question.  Would a workflow like this be desirable/of use to others if it requires a little work of a somewhat esoteric nature to set up your computer properly to work? Specifically it requires that you edit your sudoers file (sudo visudo) to allow you to run these specific commands without a password.  

 

Here's what my sudoers file looks like now:

 

 

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
 
# Host alias specification
 
# User alias specification
 
# Cmnd alias specification
Cmnd_Alias ASTART = /usr/sbin/apachectl start
Cmnd_Alias ASTOP  = /usr/sbin/apachectl stop
Cmnd_Alias ARESTART = /usr/sbin/apachectl restart
Cmnd_Alias MYSTART = /usr/local/mysql/support-files/mysql.server start
Cmnd_Alias MYSTOP = /usr/local/mysql/support-files/mysql.server stop
Cmnd_Alias MYRESTART = /usr/local/mysql/support-files/mysql.server restart
Cmnd_Alias WEBCTL = ASTART,ASTOP,ARESTART,MYSTART,MYSTOP,MYRESTART
 
# Defaults specification
Defaults        env_reset
Defaults        env_keep += "BLOCKSIZE"
Defaults        env_keep += "COLORFGBG COLORTERM"
Defaults        env_keep += "__CF_USER_TEXT_ENCODING"
Defaults        env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults        env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults        env_keep += "LINES COLUMNS"
Defaults        env_keep += "LSCOLORS"
Defaults        env_keep += "SSH_AUTH_SOCK"
Defaults        env_keep += "TZ"
Defaults        env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults        env_keep += "EDITOR VISUAL"
Defaults        env_keep += "HOME MAIL"
 
# Runas alias specification
 
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
aviris mycomputername=(root)NOPASSWD:WEBCTL
 
# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL) ALL
 
# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL

 

Rather than doing the command aliases, you could just put multiple lines under the User privilege specification.

 

Once the sudoers file is setup properly the workflow is dead simple, just two lines issuing the start, stop, or restart commands (made simpler if you have set up the paths file).  I'm still thinking on the best way to query the two servers afterward to be able to provide some feedback.  Right now I just have it open a phpinfo page at localhost and if I see it, then it started/restarted. If it says it can't connect, it stopped.

 

I'm no programmer, so maybe there are ways to do this sort of thing using PHP (looks at David Ferguson), but as I'm writing this I'm thinking of several other things I could do with Alfred and the sudoers file. Looking through the forum I didn't see any workflows using sudo commands so maybe I'm missing something.  You'll notice I didn't use any *'s anyplace or do anything crazy like make an Alfred group and say members can do anything without a password, but the potential is there I suppose. So that brings me back to my question about making and sharing workflows that require mucking about with some potentially sensitive settings. Thoughts?

Posted

Why you looking at me? :) 

 

I made this EXACT extension for v1, editing the sudoers file. I never distributed it though. It was for personal use because of the potential issues with editing the sudoers file. I guess it could be assumed that most people that would be using this would be at least a LITTLE tech savvy because they are more than likely going to be developers. That being said.. I would think it MAY be ok, but you need to make sure that you provide clear direction on how to do it all. Document how to make backups of the sudoers file, what to change, how to change it, and make sure that you are EXTREMELY vocal on the fact that there is very much potential of messing stuff up if you start messing with the sudoers file. I'm not sure if doing a "Repair Permissions" from Disk Utility would fix something like that or not.

 

This is the type of workflow that could be handy to some but, at the same time, its kinda dangerous so be very careful with this.

Posted

Thanks for the confirmation of my own thoughts. I removed the link to the workflow for now. I never shared any of my extensions in v1 because they were always mostly unique to my computer because of reasons like this. More of a step in a workflow than an entire workflow. I thought this closed beta forums would be a good place to ask about the interest level. Perhaps a forum category that people could talk about this type of thing without actually sharing workflows out where they could do damage and let each person work his own. 

 

Any thoughts on why sudo -S won't work with your password as an argument? Then sudo is still being used interactively like it was meant to be and workflows could be distributed without modifications external to Alfred needed. If I could figure out passing passwords in Alfred I could also bind a query like  mysql -u root -p running -e "select * from running"

to a keyword to just check whether or not MySQL was up and running properly. Again - it takes some planning (in this case a table called running with a single record saying "Ready"). I actually checked out big PHP and Shell Scripting books from my library this morning. We'll see if I can find some time to learn more useful and shareable things to do with Alfred.  Thanks again for your comments and workflows.

Posted

Sorry this is long - but it is a bit complex.

 

I intermittently do web development work and prefer to develop it all on my local machine, but don't want Apache & MySQL running all the time. So I thought I'd make a quick workflow to allow me to start, stop and restart these services.

 

The normal procedure would be to open Terminal and type:

 

sudo apachectl stop

password

sudo mysql.server stop

no password 2nd time because it's good for 5 minutes.

 

Substitute start or restart as necessary.

 

* This assumes you have set up your paths correctly (use sudo vi /etc/paths), otherwise you will need to type:

 

sudo /usr/local/mysql/support-files/mysql.server stop

and the equivalent for apache

 

So, I made a quick keyword workflow with a required argument (your password) which is passed to a script like:

 

echo "{query}" | sudo -S apachectl stop

 

Unfortunately it doesn't work.  I double checked the sudo man pages, looked around the Internet and found others who said this was the way to script sudo commands requiring a password. Still no luck in Alfred.  

 

Probably for the best in the long term, I gave up on that and took the steps to set up my machine to do this properly. I was trying to do it this way so that the workflow could be portable to other machines without any other steps (and soothed my conscious about scripts with plain text passwords by telling myself that it wasn't stored anyplace).

 

So here's my question.  Would a workflow like this be desirable/of use to others if it requires a little work of a somewhat esoteric nature to set up your computer properly to work? Specifically it requires that you edit your sudoers file (sudo visudo) to allow you to run these specific commands without a password.  

 

Here's what my sudoers file looks like now:

 

 

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
 
# Host alias specification
 
# User alias specification
 
# Cmnd alias specification
Cmnd_Alias ASTART = /usr/sbin/apachectl start
Cmnd_Alias ASTOP  = /usr/sbin/apachectl stop
Cmnd_Alias ARESTART = /usr/sbin/apachectl restart
Cmnd_Alias MYSTART = /usr/local/mysql/support-files/mysql.server start
Cmnd_Alias MYSTOP = /usr/local/mysql/support-files/mysql.server stop
Cmnd_Alias MYRESTART = /usr/local/mysql/support-files/mysql.server restart
Cmnd_Alias WEBCTL = ASTART,ASTOP,ARESTART,MYSTART,MYSTOP,MYRESTART
 
# Defaults specification
Defaults        env_reset
Defaults        env_keep += "BLOCKSIZE"
Defaults        env_keep += "COLORFGBG COLORTERM"
Defaults        env_keep += "__CF_USER_TEXT_ENCODING"
Defaults        env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults        env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults        env_keep += "LINES COLUMNS"
Defaults        env_keep += "LSCOLORS"
Defaults        env_keep += "SSH_AUTH_SOCK"
Defaults        env_keep += "TZ"
Defaults        env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults        env_keep += "EDITOR VISUAL"
Defaults        env_keep += "HOME MAIL"
 
# Runas alias specification
 
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
aviris mycomputername=(root)NOPASSWD:WEBCTL
 
# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL) ALL
 
# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL

 

Rather than doing the command aliases, you could just put multiple lines under the User privilege specification.

 

Once the sudoers file is setup properly the workflow is dead simple, just two lines issuing the start, stop, or restart commands (made simpler if you have set up the paths file).  I'm still thinking on the best way to query the two servers afterward to be able to provide some feedback.  Right now I just have it open a phpinfo page at localhost and if I see it, then it started/restarted. If it says it can't connect, it stopped.

 

I'm no programmer, so maybe there are ways to do this sort of thing using PHP (looks at David Ferguson), but as I'm writing this I'm thinking of several other things I could do with Alfred and the sudoers file. Looking through the forum I didn't see any workflows using sudo commands so maybe I'm missing something.  You'll notice I didn't use any *'s anyplace or do anything crazy like make an Alfred group and say members can do anything without a password, but the potential is there I suppose. So that brings me back to my question about making and sharing workflows that require mucking about with some potentially sensitive settings. Thoughts?

 

You can use applescript to run the shell script with administrator privileges:

 

 

osascript -e  "do shell script \"sudo apachect1 stop >/dev/null;\" with administrator privileges"

 

I know it sounds a bit silly running a shell script, in an applescrip,t in a shell script... but it works)

Posted

Please tell me you're playing? Does this method prompt for authentication?

 

I'm not joking, you get a popup window asking for a username and password, like any other app.

Posted

I'm not joking, you get a popup window asking for a username and password, like any other app.

Ok we'll that's not as bad and is actually a really good option. Thanks for sharing. I'll have to make note of that

Posted

I know nothing about AppleScript, but it may be time to get out of my shell a bit (pun intended). This is perfect for what I was trying to do at first - create a workflow that could be shared without requiring the editing of the sudoers file.  I'll still do it so that I don't have to provide authentication, but this allows modifying personal workflows for general consumption.

 

Off to do some reading

  • 3 years later...
Posted

I know this is now over 3 years old, but you could just use the -S switch which reads the password from STDIN:

 

Example: 

echo <password> | sudo -S apachect1 stop >/dev/null;

The only downside is that Terminal will display your password using this method, but if you're the only one using your machine that may not be an issue for you.

Posted

Terminal displaying your password isn't the only downside: it's also sitting around in plaintext. Not a good idea.

 

The AppleScript method is way better, imo. OS X pops up its standard "Enter your password" dialog, i.e. it uses a GUI, not a shell (that also displays your password).

 

If you don't want to be asked for your password, you should edit the sudoers file. It's not that complicated, and your password isn't sitting around in plaintext. You can also restrict it to specific commands/scripts/programs:

username ALL=(ALL:ALL) NOPASSWD: /path/to/command

(Obviously, replace username with your username and /path/to/command with, well, the path to the script/program)

Posted

It also bears mentioning that you only need root privileges (and therefore your password) to start servers like Apache and MySQL because they run on privileged ports (<1024) and/or under special, locked-down accounts.

 

If you're not using your computer as an actual "production" server, you don't need these features. For local development, it's much easier to run them from your normal user account (run Apache on port 8080, for example). That way, you also don't have to mess about with sudo and root permissions to edit configuration files.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...