
Assistance with using security authorize or execute-with-privileges

Tags: shell, macos

Hello good folks of SO,

I'm writing a shell script that will change certain system preferences, such as the HostName (scutil --set HostName), that require permissions elevation to process. The script will be run inside an app generated by Platypus.

As soon as my script calls scutil (for example) I'm, of course, getting the Security Server prompting me for authentication.

Looking at the man page of security there are two flags that interest me:

security authorize
security execute-with-privileges

Also from the man page I get an example:

security -q authorize -uew my-right | security -q authorize -i my-right

"Authorizing a right and passing it to another command as a way to add authorization to shell scripts."

However, I'm not getting what I want from this, and I suppose I just don't understand how to use it correctly. Does anyone have any additional insight? What I find when I search makes me no wiser. I'd appreciate help with either:

  1. Getting the script to prompt for credentials once, to run the entire script elevated.
  2. Prompting for credentials once, so that these can then be sent to the individual commands inside the script that need elevation.

Running the script with the Platypus flag Run with Administrator Privileges still ends up running the script with the $EUID not being 0 (zero).

I guess this means that the script is elevated somehow, but not running as root. This elevation, if working, doesn't seem to be enough to call scutil --set HostName x, because that command still asks for credentials.

If further clarification is needed, just holler!

Thanks in advance.

Best regards, Ted

adlib. asked Nov 11 '22 23:11


1 Answer

I'm not familiar with using the security command line tool, or Platypus, but looking at the man pages for security, it seems to match Apple's programming interface from the Core Foundation, so I can explain a little from that point of view, assuming that the command line command is likely to use the same Core Foundation framework.

The function executeWithPrivileges is now deprecated and in order for a program to perform functions that require elevation, the program must factor out the elevated actions into another 'helper' program, which is registered with launchd. launchd is responsible for handling the actual execution and elevation of the helper app.

Your main application is also signed with the helper app, so only it can request for the helper app to run.

You can read more about this in the SMJobBless application documentation here.

Even though SMJobBless is written in Objective-C, and the helper in C, you may be able to use Platypus to use scripts instead, but it's not something I've tried myself, so you'll have to experiment.

As you can see from the documentation, calling the helper app is done using the URI (e.g. com.apple.calculator) for identifying the helper program, so it will need to be in an app bundle.

Hope that helps.

TheDarkKnight answered Nov 15 '22 13:11
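The signing relationship between the main app and its launchd-registered helper described in the answer above, shown as property-list fragments. This is an added example, not part of the original answer or of Apple's sample code; the identifiers com.example.prefs-app and com.example.prefs-helper and the team ID TEAMID0000 are hypothetical placeholders.

```xml
<!-- ADDED EXAMPLE. All identifiers are hypothetical: com.example.prefs-app,
     com.example.prefs-helper, and the team ID placeholder TEAMID0000. -->

<!-- 1. Main app, Contents/Info.plist (fragment).
     Names the helper the app may install and the code-signing requirement
     the helper binary must satisfy. The helper ships inside the bundle at
     Contents/Library/LaunchServices/com.example.prefs-helper -->
<key>SMPrivilegedExecutables</key>
<dict>
    <key>com.example.prefs-helper</key>
    <string>identifier "com.example.prefs-helper" and anchor apple generic and certificate leaf[subject.OU] = "TEAMID0000"</string>
</dict>

<!-- 2. Helper tool, Info.plist embedded in its __TEXT,__info_plist section
     (fragment). Lists the code-signing requirements of the only clients
     that are allowed to install this helper. -->
<key>CFBundleIdentifier</key>
<string>com.example.prefs-helper</string>
<key>SMAuthorizedClients</key>
<array>
    <string>identifier "com.example.prefs-app" and anchor apple generic and certificate leaf[subject.OU] = "TEAMID0000"</string>
</array>

<!-- 3. Helper tool, launchd plist embedded in its __TEXT,__launchd_plist
     section (fragment). Label must equal the key used under
     SMPrivilegedExecutables. launchd starts the helper as root on demand
     when a client connects to the Mach service. -->
<key>Label</key>
<string>com.example.prefs-helper</string>
<key>MachServices</key>
<dict>
    <key>com.example.prefs-helper</key>
    <true/>
</dict>
```

The two requirement strings are checked against each other when the helper is installed; they do not authenticate later connections, so the helper should still validate the code signature of each client that connects to its Mach service.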