
blueice02

macrumors newbie
Original poster
Jun 28, 2004
8
0
Is there a way in OS X to be able to run a shell script that requires admin/sudo privileges on a non-admin account without presenting a prompt for the password? This is useful to us in an organizational setting. For instance, we have several scripts written that check for certain conditions at logon and make system level changes depending on the results--this one specifically checks against AD for membership in an Admin group. If they are, it adds them to the local admin group; if not, and they are in the local admin group, it removes them from the local group.

The goal is to be able to run scripts remotely (from a server) or locally on a client machine silently in the background without needing or alerting the user. We pull this off in Windows without any issues.

Is our ultimate answer to this in the sudoers file? Or are there other alternatives?
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
You would use LaunchDaemons if you need the script to run as root or LaunchAgents if the script would run for every user but as the user.
https://developer.apple.com/library...stemStartup/Chapters/CreatingLaunchdJobs.html
http://launchd.info
This is not something you'd do by editing sudoers.
 

DennisBlah

macrumors 6502
Dec 5, 2013
485
2
The Netherlands
You can also run AppleScript as any user, and perform your shell scripts by AppleScript using

do shell script " " user name "admin" password "s3cr3t" with administrator privileges

You can compile the script into an application so the source won't be readable.
 

blueice02

macrumors newbie
Original poster
Jun 28, 2004
8
0
Both are excellent suggestions; I've been exploring the launch daemon approach, but I have a few follow-up questions:

1. One of the tasks I'm trying to accomplish depends on being able to identify the current user logged in through a shell script. In most normal scenarios this works well; however, if there are multiple users logged in this falls apart and I haven't yet been able to find a reliable method to identify the current active user.

To be more specific, I have this task set to run as a global daemon every 5 minutes. If only 1 user is logged on I have no issue retrieving that user name. If more than one user is logged in, almost every method I have found or come across to get the user name is inconsistent: sometimes it will return the user who is actively logged in, other times it will return the other user who is signed in, but not active.

Has anyone found a reliable method to determining the current, active user?

2. On the topic of launch daemons... global daemons run within the root user, correct? Within a shell script being run by a daemon, do I still need to include sudo for certain commands or do I simply just need to set sudo as an argument in the daemon definition plist?

Thanks again for all the help guys!
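
An added example, not part of any post in this thread: a shell helper that writes the LaunchDaemon definition for a script run every 5 minutes and installs it, covering the LaunchDaemons suggestion and the question about sudo inside a daemon. The label `com.example.adminsync`, the script path `/Library/Scripts/adminsync.sh` and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate and install a LaunchDaemon that runs a script as root.
# LABEL, SCRIPT and the function names are assumptions for illustration.
LABEL="com.example.adminsync"              # hypothetical job label
SCRIPT="/Library/Scripts/adminsync.sh"     # hypothetical root-owned script

# Print a launchd job definition. Jobs loaded from /Library/LaunchDaemons run
# in the system domain as root (no UserName key), so the script needs no sudo.
daemon_plist() {  # usage: daemon_plist LABEL SCRIPT INTERVAL_SECONDS
cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
    </array>
    <key>StartInterval</key>
    <integer>$3</integer>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Install the job. launchd skips daemon plists that are not owned by root or
# that are writable by group/other; keep the script itself locked down the
# same way, because anyone who can edit it can run commands as root.
install_daemon() {  # run once as root on the Mac
    plist="/Library/LaunchDaemons/$LABEL.plist"
    daemon_plist "$LABEL" "$SCRIPT" 300 > "$plist" || return 1
    chown root:wheel "$plist" "$SCRIPT" || return 1
    chmod 644 "$plist" || return 1
    chmod 755 "$SCRIPT" || return 1
    launchctl load -w "$plist"
}

# Only install when invoked explicitly: sh this-file install
if [ "${1:-}" = "install" ]; then install_daemon; fi
```

Because the job needs no stored password and no sudoers entry, the privilege boundary is the file permissions on the plist and the script.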
 