Jump to content

set-user-ID in Workflow Script Fails


Recommended Posts

Posted (edited)

I am trying to get away from having my primary account as an Admin account but need to run a script regularly from Alfred that needs root/su access.  I used to do it with sudo and not require a password but decided to create the script with the set-user-ID bit instead.  The script runs fine from terminal when I execute it however, from Alfred it pops up with admin authentication box.  Is there a reason why this does not run in Alfred properly and is their a workaround.

 

The workflow simply calls the script:  /bin/bash cvo-enable.sh which contains the following system commands:

 

 

/usr/sbin/networksetup -setdnsservers Wi-Fi 10.0.0.1

/usr/sbin/networksetup -setsearchdomains Wi-Fi mydomain.com
 
 
-rwsr-xr-x@   1 root      wheel   736B Oct  1 14:03 cvo-enable.sh
Edited by mikedvzo
Posted

I'm actually surprised that OS X will let you run a script with the SUID bit set. Linux won't. I usually work around this by writing and compiling a tiny C program that calls the script and setting the SUID bit on that compiled program instead.

 

I've not tried it with Alfred, but it works fine from other OS X apps, which probably use the same mechanism to run processes.

 

Your wrapper would look something like this:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid( 0 );
    system( "/your/script/command/goes.sh --here" );
    return 0;
}

Obviously, this represents a potentially large security hole if your script can be edited/replaced.

Posted

It was a glitch in OS X I had changed my account to standard and rebooted and it worked fine but then I rebooted again an now it does not work in OS X.  Thanks for the code I wrote something like this a very long time ago in C for SGI but that was 1992 and I am by no means a programmer :-) 

Posted

The other option is to have  program that will allow me to run the script as another user that has Admin and Sudo Privileges so I only have to type the admin credentials once and not 3 times for each entry in my script.  

Posted

The other option is to have  program that will allow me to run the script as another user that has Admin and Sudo Privileges so I only have to type the admin credentials once and not 3 times for each entry in my script.  

 

You can give your regular account sudo access either with or without a password to specific commands. 

Posted

Thx Shawn I am trying to be much stricter with security moving forward as I never run a virus program so trying to avoid sudo.  The issue is that if I add myself to the sudoers file with a password the script running in workflow will look for password input and there will be no prompt to enter the password since it is running in a unix shell.  If I add myself to sudoers without a password I am susceptible to a "Rootpipe flaw".  

 

What I winded up doing was changing the shell commands to not use sudo and placed all the commands in one bash script file and created an AppleSript and saved it as a application and called that from Alfred.  The alfred script does a "do shell script "~/bin/RUN-SCRIPT" with administrator privileges" which makes OS X prompt for an admin password only once even if there are multiple commands requiring admin privileges.  

 

Thx for your help!

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...