Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

macOS Provide Admin Privilege to other users

Tejashree

Tejashree

macrumors newbie
Original poster
Feb 23, 2009
5
0
Hello,

In my application, I want a feature where user can delete some system privileged files. To achieve this, user need admin privileges i.e. user need to enter admin username and password.

My question - Is there any other way to provide the admin privilege to the user, if user doesn't know the admin username and password.

Please guide.

I have also read previous discussions on this topic
( https://forums.macrumors.com/threads/658751/ ) and understood that user has to know admin credentials to perform this task.


Thanks,
Tejashree.
 
You can but...

It involves messing with system files (as the admin).

You edit the sudoers file to allow the command nessesary to run (in this case the delete command) as a non admin. It would require the app to run the delete command in unix not the GUI though. Or you could write a shell script (set this command as anybody can run it[with or without their password your choice])with an applescript launcher that launches the app as root. I did this with my fan controller. I have almost forgotten I did that.
 
If it didn't require the user to know the admin credentials then I would consider it malicious software.
 
Thanks a lot for all the suggestions.

I am desperately want to find out the Best possible solution for this problem.

For editing sudoer file, user will need admin credentials and this will not be my application specific. It will affect all the users throughout the system.

I want to delete privileged files without providing admin credentials, as my user doesnt know admin username and password.

Please help if this is possible by any way.

Thanks,
Tejashree.
 
Tejashree said:
For editing sudoer file, user will need admin credentials and this will not be my application specific. It will affect all the users throughout the system.
Click to expand...

In sudoers give your app admin privileges?


Here is mine:
Code: 
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults	env_reset
Defaults	env_keep += "BLOCKSIZE"
Defaults	env_keep += "COLORFGBG COLORTERM"
Defaults	env_keep += "__CF_USER_TEXT_ENCODING"
Defaults	env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults	env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults	env_keep += "LINES COLUMNS"
Defaults	env_keep += "LSCOLORS"
Defaults	env_keep += "SSH_AUTH_SOCK"
Defaults	env_keep += "TZ"
Defaults	env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults	env_keep += "EDITOR VISUAL"

# Runas alias specification

# User privilege specification
root	ALL=(ALL) ALL
%admin	ALL=(ALL) ALL
%admin 	ALL=(ALL)	NOPASSWD: /bin/g4fancontrol

# Uncomment to allow people in group wheel to run all commands
# %wheel	ALL=(ALL)	ALL

# Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now


This allows the app g4fancontrol in /bin/g4fancontrol to be run without password for all admins.
Code: 
%admin 	ALL=(ALL)	NOPASSWD: /bin/g4fancontrol

If your app is called Test and it is a GUI app in /Applications to allow all users (non admins) you would add the line to the file

Code: 
%users	/Applications/Test.app/Contents/Resources/Test	NOPASSWD: /Applications/Test.app/Contents/Resources/Test
to allow the app admin privileges without passwords.

Replace %users with a short name (the one all lowercase without spaces) of the user you want.
 
dmmcintyre3 said:
In sudoers give your app admin privileges?
Click to expand...

Editing the sudoer file requires knowing the admin credentials, which the OP states the users don't have.


If the users don't have admin privileges, then they shouldn't be able to affect system files because that goes against all of the security of the machine. What you're wanting to do is compromising the security of the system. Anything that gets around this is a hole in Apple's OS and would need to be fixed.
 
angelwatt said:
Editing the sudoer file requires knowing the admin credentials, which the OP states the users don't have.


If the users don't have admin privileges, then they shouldn't be able to affect system files because that goes against all of the security of the machine. What you're wanting to do is compromising the security of the system. Anything that gets around this is a hole in Apple's OS and would need to be fixed.
Click to expand...

He (the admin) could do it then the reg users could do what his program wants to do.

(there was an old exploit that anybody could gain admin but it is patched)
 
Hello Thanks a lot for all the suggestions and help.

Finally, I have implemented (the deletion of privilege files) using very simple and standard technique i.e. Authorization mechanism with AuthorizationExecuteWithPrivileges API.

This is working very perfectly for all the files except 2. Those are:-

/System/private/var/log/secure.log
/System/private/var/log/system.log

My application try to delete these files. Immediately after executing my application, I am checking the status of these files from terminal using command "ls -l".
Terminal shows the latest time as a creation time.
I am not able to check/find out whether these were deleted by my application and created again or only modified by my application.

I also find out that these can be deleted from terminal using command "sudo rm -rf /private/var/log/secure.log" But I am not able to do this in my code.

Please guide how to delete these 2 files from my application.

Thanks,
Tejashree.
 
Tejashree said:
Hello Thanks a lot for all the suggestions and help.

Finally, I have implemented (the deletion of privilege files) using very simple and standard technique i.e. Authorization mechanism with AuthorizationExecuteWithPrivileges API.

This is working very perfectly for all the files except 2. Those are:-

/System/private/var/log/secure.log
/System/private/var/log/system.log

My application try to delete these files. Immediately after executing my application, I am checking the status of these files from terminal using command "ls -l".
Terminal shows the latest time as a creation time.
I am not able to check/find out whether these were deleted by my application and created again or only modified by my application.

I also find out that these can be deleted from terminal using command "sudo rm -rf /private/var/log/secure.log" But I am not able to do this in my code.

Please guide how to delete these 2 files from my application.

Thanks,
Tejashree.
Click to expand...

I would like to hear an explanation why you would want to delete this files. The only two that come to mind are: 1. Your application does something it shouldn't that turns up in the log files and you have some stupid marketing people in your back who don't want users to see this. 2. You are trying to write a Trojan and want to cover up what it is doing.

I'd like to see a different reason, but I think I would consider any application that deletes log files to be malware.
 
I am creating a disk cleaning software on my MAC.

Please guide.

Thanks,
Tejashree.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back