We ran into a problem when trying to install Homebrew on macOS using a Custom Action in our install4j installer. Before executing the Homebrew installation script, we request admin privileges as shown in the logs below (the user that runs the installer is an Administrator). However, the installation script does not seem to be executed as an admin, it fails with the error message Need sudo access on macOS (e.g. the user xxx needs to be an Administrator)!.
Our Custom Action has the elevation type "Elevate to maximum available privileges", shouldn't this lead to the action using admin privileges?
[INFO] com.install4j.runtime.beans.actions.misc.RequestPrivilegesAction [ID 22]: Execute action
Property linuxPrivilegeRequirement: None
Property allRequested: true
Property failIfNotObtainedLinux: false
Property failIfNotObtainedMac: true
Property failIfNotObtainedWin: true
Property failIfNotRootUnix: true
Property obtainIfAdminMac: true
Property obtainIfAdminWin: true
Property obtainIfNormalMac: true
Property obtainIfNormalWin: true
Property rollbackSupported: false
Property updateInstallationDirectory: true
args: ...
Execute action successful after 7597 ms
[INFO] com.example.HomebrewInstaller [ID 161]: Using communication backend com.install4j.runtime.installer.platform.unix.PipeCommunicationBackend
Execute action
Property context: null
Property rollbackSupported: false
Executing commands: [/bin/zsh, -c, NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"]
Output: ==> Running in non-interactive mode because `$NONINTERACTIVE` is set.==> Checking for `sudo` access (which may request your password)...Need sudo access on macOS (e.g. the user xxx needs to be an Administrator)!
Execute action successful after 312 ms
The elevated helper process in install4j runs as root. It looks like Homebrew does not want to run as root. You would have to wrap the sudo calls in the installer into a graphical sudo like described here:
https://stackoverflow.com/a/3034671/936832
and run the "Run executable action" without elevated privileges.
I tested this directly in Terminal.
As root, the Homebrew installer would be executed with root privileges, which is not allowed. As an admin user, you cannot run the Homebrew installer with sudo either - same effect as run as root.
As the Homebrew installer needs admin privileges and has to run some commands with sudo, sudo must be "active".
You can, directly before issuing the install.sh command, use a harmless command with sudo. Like
sudo echo Hello
sudo will then be active for a predefined while and will then be revoked again. Within this time, any sudo commands won't need another password entered.
If you run the Homebrew install.sh directly afterwards, no issues occur.
I tested this with NONINTERACTIVE=1 and it worked.
I am now searching for a way to pass the admin password safely to a script to make the install process completely non interactive...
Related
I am using MacOS Catelina and i often have to run my terminal stuff with sudo otherwise they fail. like when i use Visual Studio and IONIC to add stuff to global or when it tries to create dir etc.
Is there a way to change the logged in user to run elevated commands in terminal without sudo ?
You either continue using sudo or switch current user to root (it's not a recommended way)
The user account named ”root” is a superuser with read and write
privileges to more areas of the system, including files in other macOS
user accounts. The root user is disabled by default. If you can log in
to your Mac with an administrator account, you can enable the root
user, then log in as the root user to complete your task.
The root user account is not intended for routine use. Its privileges
allow changes to files that are required by your Mac. To undo such
changes, you might need to reinstall your system software. You should
disable the root user after completing your task.
It's safer to use the sudo command in Terminal instead of enabling the
root user. To learn about sudo, open the Terminal app and enter man
sudo.
Taken from https://support.apple.com/en-us/HT204012
As you may see by the image below, I changed the ownership of my emerald_setupscript to root:root and also set the SUID.
It happens that when I install the gem and check this script, it belongs to edvaldo:edvaldo (my user name) and has no SUID at all!
I don't know exactly what is happening, but this script makes changes to /etc/hosts and also creates some firewall rules. This requires root privileges.
So, my questions are:
What am I missing in this case of the SUID?
How must I proceed to make sure the gem executable will have the SUID set?
Of course I know I could ask the user to run this script using
$ sudo emerald_setup
but this would lead me to another problem, since the gem executable is installed in user space and its location is NOT in superuser's path and setting this (guess what?!) requires superuser privileges.
Any suggestions?
You cannot pack up a program/script with suid privileges in a gem (or even a tarball) and have those privileges be restored when unpacking as a regular user. At some point, whoever installs your gem is going to have supply the password for root access. You could arrange for this to happen when the gem is installed by having the :install target of the gem Rakefile run a script which would prompt the user for su(do) password and then use sudo to run the commands that need to be run as root, though.
When reading about Jenkins installation, many guides talk about that the installer created a user called 'Jenkins' on OS X. This user seems to be important for certain tasks.
However, installing Jenkins 2.32 using homebrew does not install this user here. Why is that - am I missing something?
Background: I want to run CI for iOS together with a Gitlab server.
Jenkins installed via Homebrew is kind of a mess - and I say this because it isn't terribly obvious in the log output where/who gets permissions.
Jenkins DOES NOT create a jenkins user on Mac OS (nor should it ever, imo).
By default, the user that was actively using brew install jenkins is the one who will get the default permissions. There should be a /.jenkins folder within that users home folder (ex: /Users/<your_user>/.jenkins)
The problem is that when brew finishes running, some files that should get symlinked to the active user don't - so you might create a job using rvm/ruby for example, and get errors that bundler can't write to the system ruby.
Try this in terminal/iTerm:
sudo chown whoami /Library/LaunchDaemons/homebrew.mxcl.jenkins.plist
also whoami should be surrounded by ticks `
I tend to just do these commands after a brew install jenkins
ln -sfv /usr/local/opt/jenkins/*.plist ~/Library/LaunchAgents
Symlink the Jenkins plist files to /Library/LaunchAgents
sudo cp -fv /usr/local/opt/jenkins/*.plist /Library/LaunchDaemons
Copy plist files to /Library/LaunchDaemons
sudo chownwhoami/Library/LaunchDaemons/homebrew.mxcl.jenkins.plist
Give sudo ownership of the plist file listed to the user outright
This part isn't necessary...
launchctl unload ~/Library/LaunchAgents/homebrew.mxcl.jenkins.plist
launchctl load ~/Library/LaunchAgents/homebrew.mxcl.jenkins.plist
Here's something to refer to:
http://flummox-engineering.blogspot.com/2016/01/installing-jenkins-os-x-homebrew.html
I am building an application installer that installs postgresql 9.x in the "unattended" mode. The main script copies the application files into place, then installs postgres via installbuilder.sh. The main script is invoked with admin privileges. I invoke the pg installer in the script as follows:
log "=== install DBMS engine ==="
./postgresql-9.1.2-1-osx.app/Contents/MacOS/installbuilder.sh --mode unattended --superaccount postgres --superpassword MySecretWord
On Mac OS X 10.7 "Lion", the pg installer runs along for a bit then fails out. The bitrock-installer.log contains the following statements:
Preparing to Install
Executing su - postgres -c "\"/Library/PostgreSQL/9.1/bin/pg_ctl\" stop -m fast -w -D \"/Library/PostgreSQL/9.1/data\""
Script exit code: 1
Script output:
Script stderr:
su: unknown login: postgres
At this point, the system, osx 10.7, has a user account "PostgreSQL" but not one named "postgres". After the error in the log are two more errors involved launchd then all subsequent scripts complete normally.
It appears I need to add the postgres group and user prior to installing postgres, but I wonder if that is really the issue.
I have seen advice to modify the PostgreSQL user name, but that is after the installation has run, and that is a bit untidy.
Is adding an account "postgres" the correct thing to do?
Reinstall postgress using macports
I am trying to run a bash script on a MacOSX Node (master is on windows) through hudson,
but get 'Operation not permitted' when script invokes sudo command (su as well).
I added the following line to
/etc/sudoers:
'user' ALL:(ALL) NOPASSWD: ALL
'user' is logged on the Mac Node, java agent started with the same user.
still getting this error...
any idea ?
Is it possible your syntax is wrong? On my OSX 10.6 I have:
username ALL=(ALL) NOPASSWD: ALL
Note the equals vs. colon. I have no problem running sudo tasks either with Hudson or from command-line.