Macos – How to execute a command with admin privileges and access to files of the logged in user

macosprivilegessudo

I have some problems understanding sudo. I am logged in on a terminal as an non-admin/non-root user. This "normal" user is not in the sudoers file (and shouldnt be, in my opinion).

Now I try to execute a command that needs admin/root privileges and also access to directories of my normal user – therefore I am not able
to simply su into an admin or root user.

In my understanding sudo -u root should do the trick – however
it doesn't accept the password for root (or admin if I try with my normal
admin user). It only accepts the password of the "normal" user which seems
to indicate that the -u username option doesn't work the way I expect it to
work.

My expectation is that sudo -u root some_command executes some_command
with the privileges of root and therefore it asks also for the password of root.
Obviously not.

TL;DR: How do I execute any command that requires admin
privileges AND has access to the files of the "logged in (normal) user" without
adding the normal user to the sudoers file?

I have enabled the root user under Mac OS X 10.7.

Best Answer

sudo always requires the executing user's password (and requires that you have specific permissions to do this, i.e. are one of the sudoers).

su requires the password of the target account (root by default, but root account has no password on OS X by default). If you use su instead, you can enter the destination account's password and execute a command using that user's privileges.

su -c some_cmd # as root
su username -c some_cmd # as username

^{This works by passing all arguments after the user name to the destination account's login shell. Shells usually support -c <commands> arguments. In GNU coreutils su, there's an actual -c command argument to su that can be placed before the user name.}

You can su to another user account (using the other user account's password), and sudo from there, provided that other account is a sudoer.

If you want neither to enter another account's password, nor give your regular account sudoers permissions, you're pretty much out of options unless you consider SSH with key authentication or something like that.

Related Solutions

Ubuntu – How to run specific program with root privileges (Ubuntu OS) when no sudo user log into system

There are a few ways to do this. Ubuntu's graphical login is provided by GDM (or KDM if you're using Kubuntu). GDM is started by the Upstart subsystem.

The startup process follows these steps:

System boots. Upstart starts services, including GDM (/etc/init/gdm).
GDM starts, initializes the X-server (/etc/gdm/Init/*), and presents the GUI login window.
A user logs in.
1. PAM authorization happens (/etc/pam.d/gdm)
2. GDM runs PostLogin script (/etc/gdm/PostLogin/*).
3. GDM runs PreSession script (/etc/gdm/PreSession/*).
4. GDM runs Xsession and xinit scripts
  (/etc/gdm/Xsession, /etc/X11/xinit/xinitrc.d/*, /etc/X11/Xsession, /etc/X11/Xsession.d/*)
The user's desktop appears.

Where to run your script

Everything prior to XSession runs as root. /etc/gdm/Xsession and everything after runs as the user. This leaves you with three real options for where to run your script.

Modify GDM/KDM's PostLogin or PreSession scripts to run your program. The username is available in the USER or USERNAME environment variables.
Use PAM to execute your script. PAM will set the authorizing user in the PAM_USER environment variable. Add this to /etc/pam.d/gdm to kick off your script:
```
auth  required  pam_exec.so   /path/to/your/script
```
- You might be able to use PAM to match a particular user (as in this answer), so the script would only run for that user and wouldn't need to match users itself. I don't have the PAM expertise to explain how to do that.
Write an Upstart script to run your program. Your script would start at user login, so we look for the desktop-session-start signal emitted by GDM's PreSession script.

So an Upstart script would detect that signal as the run trigger:
```
# start when GDM's PreSession script runs
start on desktop-session-start
```
The signal from PreSession doesn't pass along the username, so you'd need to tweak the signal. In /etc/gdm/PreSession/Default, find the initctl line and change it to this. You could also use USERNAME in place of USER.
```
# add USER variable so Upstart script can find it
initctl -q emit desktop-session-start DISPLAY_MANAGER=gdm USER=$USER
```
See the manpages for Upstart and its starting event for more details.

How to avoid the Admin user

Your script will need to examine the user/username in the environment variables it gets from one of these methods and use that to determine whether to abort or continue. Standard shell-scripting methods will work. Depending on which starting location you chose from the above list, the username may be available in the USER, USERNAME, or PAM_USER environment variables.

Windows runas command with elevated privileges, user in admin group

Runas does not elevate commands due to UAC.

You can't run elevated commands in the run dialog either. You can download the "Elevation Powertoys" which allow you to elevate commands as elevate <i>command</i>

Or just use the start menu and press Ctrl + Shift + Enter.

Best Answer

Related Solutions

Ubuntu – How to run specific program with root privileges (Ubuntu OS) when no sudo user log into system

Windows runas command with elevated privileges, user in admin group

Related Question