set-user-ID in Workflow Script Fails



I am trying to get away from having my primary account as an Admin account, but I need to run a script regularly from Alfred that needs root/su access. I used to do it with sudo and not require a password, but decided to create the script with the set-user-ID bit instead. The script runs fine from Terminal when I execute it; however, from Alfred it pops up an admin authentication box. Is there a reason why this does not run in Alfred properly, and is there a workaround?


The workflow simply calls the script: /bin/bash cvo-enable.sh, which contains the following system commands:

/usr/sbin/networksetup -setdnsservers Wi-Fi 10.0.0.1
/usr/sbin/networksetup -setsearchdomains Wi-Fi mydomain.com

-rwsr-xr-x@   1 root      wheel   736B Oct  1 14:03 cvo-enable.sh
Edited by mikedvzo

I'm actually surprised that OS X will let you run a script with the SUID bit set. Linux won't. I usually work around this by writing and compiling a tiny C program that calls the script and setting the SUID bit on that compiled program instead.


I've not tried it with Alfred, but it works fine from other OS X apps, which probably use the same mechanism to run processes.


Your wrapper would look something like this:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    /* Become root; this only succeeds because the binary is root-owned with the SUID bit set. */
    if ( setuid( 0 ) != 0 ) {
        perror( "setuid" );   /* fail closed rather than running the script unprivileged */
        return 1;
    }
    /* system() runs the command through /bin/sh -c, so use an absolute path. */
    system( "/your/script/command/goes.sh --here" );
    return 0;
}

Obviously, this represents a potentially large security hole if your script can be edited/replaced.

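A hardened version of the wrapper above, added here as an example and not code from the thread: it keeps the SUID approach but fails closed on setuid(), refuses to run the script unless it is a root-owned regular file that nobody else can write, and uses execve() with a fixed environment instead of system(). The script path is a hypothetical placeholder.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical absolute path of the one script this wrapper may run. */
#define SCRIPT_PATH "/usr/local/libexec/cvo-enable.sh"

/* Return 0 only if path is a regular file owned by `owner` and not writable
 * by group or others; otherwise return -1. Without this check a SUID wrapper
 * runs whatever currently sits at SCRIPT_PATH, which is the "large security
 * hole" mentioned in the post above. */
int check_script_safe(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) != 0)             return -1; /* missing or unreadable */
    if (!S_ISREG(st.st_mode))             return -1; /* not a regular file */
    if (st.st_uid != owner)               return -1; /* wrong owner */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1; /* group/world writable */
    return 0;
}

int main(void)
{
    /* Refuse to run an untrusted script, even though we could become root. */
    if (check_script_safe(SCRIPT_PATH, 0) != 0) {
        fprintf(stderr, "refusing to run %s: not a root-owned, non-writable file\n",
                SCRIPT_PATH);
        return 1;
    }
    /* Unlike an unchecked setuid(0), fail closed if we did not become root. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Fixed, minimal environment: the caller cannot smuggle in PATH, IFS, etc. */
    char *const envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    char *const argv[] = { SCRIPT_PATH, NULL };
    /* execve() instead of system(): no /bin/sh -c parsing of a command string,
     * and the kernel starts the script's #! interpreter for us. */
    execve(SCRIPT_PATH, argv, envp);
    perror("execve"); /* only reached if execve() failed */
    return 1;
}
```

Install the compiled binary as root:wheel with mode 4755 and have the workflow run the binary directly; a shell script passed as an argument to /bin/bash never gains its own SUID bit, so the bit belongs on the wrapper, not the script.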

It was a glitch in OS X. I had changed my account to standard and rebooted and it worked fine, but then I rebooted again and now it does not work in OS X. Thanks for the code. I wrote something like this a very long time ago in C for SGI, but that was 1992 and I am by no means a programmer :-)


The other option is to have a program that will allow me to run the script as another user that has Admin and sudo privileges, so I only have to type the admin credentials once and not 3 times, once for each entry in my script.


You can give your regular account sudo access either with or without a password to specific commands. 


Thx Shawn. I am trying to be much stricter with security moving forward, as I never run a virus program, so I am trying to avoid sudo. The issue is that if I add myself to the sudoers file with a password, the script running in the workflow will look for password input and there will be no prompt to enter the password, since it is running in a Unix shell. If I add myself to sudoers without a password I am susceptible to a "Rootpipe flaw".


What I wound up doing was changing the shell commands to not use sudo, placing all the commands in one bash script file, and creating an AppleScript saved as an application, which I call from Alfred. The Alfred script does a do shell script "~/bin/RUN-SCRIPT" with administrator privileges, which makes OS X prompt for an admin password only once even if there are multiple commands requiring admin privileges.


Thx for your help!

