OSX UNIX ADD FILES PRIVILEGES TO SPECIFIC USER - macos

I have a deep directory called root,with a lot of folders,each folder is set with different permissions and there're several users registered in the system.In the subfolders of root these users have different privileges and i don't want to change them,but i need to give to the admin user rwx permissions on all files and subdirectories in root.I can do that manually by using the get info menu with the second mouse button on each file that is still not with rwx permission for the admin user but that would require too much time.So the question is,how can i give permissions on a folder recursively to a specific user without changing files and folders owners and permissions for other users?is there no way to do something like
chmod -R specific_user=rwx root_directory
?

On the Mac, login as Local Admin and at the Terminal, run:
sudo dseditgroup -o edit -a [username] -t user admin
Where [username] is the user you want to give admin permissions.
For example if the username was "User1", then the command would be:
sudo dseditgroup -o edit -a User1 -t user admin
http://community.centrify.com/t5/Centrify-Express/OSX-give-an-Ad-User-local-admin-permissions/td-p/8022

Related

macOS terminal asking for password every time I run copy command

I'm running a bash command on mac that moves a file to private/etc/app_name/.
sudo cp my_file.cpp private/etc/app_name/
Every time the I want to run the bash file, the OS asks for my system password.
> ./run_copy.sh
Password: *******
Is there a way to by-pass this or configure in such way that I only have to enter the password once.
Apparently, on my Macbook, I see /etc directory having symlinks with the /private/etc directory which is owned by the wheel group & root is part of that group. So, you would need to use sudo to copy to that directory.
With that said on a Linux machine, you can work around this by adding your group to a new file in the /etc/sudoers.d/<group-name> path.
<grp-name> ALL=(ALL) NOPASSWD:ALL
I've just tried this on my mac, I could copy files onto /private/etc directory without entering the sudo password prompt.
Unfortunately, this comes up with some risks as users of your group get privileged access without entering any password prompt. You might accidentally delete important system files etc.,
A more niche approach could be to allow selectively like <group> ALL = (ALL) NOPASSWD: /usr/local/bin/copy-script. This way, they can't run all scripts/commands with sudo privileges.

Give same access to folders/files for multiple users

I need to manage multiple ssh users for different Heroku accounts, explained here. I've created different users and logging in to Heroku with those works fine. These are the users I have:
computer_owner (admin rights)
user1 (admin rights)
user2 (admin rights)
But I want user1 and user2 to share the same files and folders as computer_owner, i.e. all folders/files. Is this possible and if so, how do I do this?
OS X is a UNIX compliant operating system. If you set the rights on files and folders correctly, you can provide access to all of the users. There's a tutorial here on how to manage the access rights and many more around if you search for something like "Unix Permissions"
Ideally, create a separate group using dscl and add the required members. Next, set the files to be owned by that group and each will have access to those files
So, an example would be something like this: -
# create the group
sudo dscl . create /Groups/heroku_ssh
# add members
sudo dscl . append /Groups/heroku_ssh GroupMembership computer_owner
sudo dscl . append /Groups/heroku_ssh GroupMembership user1
sudo dscl . append /Groups/heroku_ssh GroupMembership user2
Assuming a directory called testDirectory: -
# set full permissions for the owner and group
# 770 is read, write and execute for owner and group
sudo chmod -R 770 testDirectory
# set ownership of a file
sudo chown -R computer_owner:heroku_ssh testDirectory
This sets the owner to be the user computer_owner and the group heroku_ssh, so the owner and any member in the group can access the files in testDirectory

Setting Lasso 9 permissions

I'm attempting to configure a OSX Mavericks server running Apache and Lasso. For security and convenience I only want users belonging to a specific "web" group to be able to access the web root. I have succeeded in letting both permitted regular users and Apache (_www) access the files, but I cannot for my life manage to set the correct permissions for Lasso. I'm hoping someone here can point me in the right direction.
Basically, what I have done is the following:
sudo dseditgroup -o create web
sudo dseditgroup -o edit -a _www -t user web
sudo dseditgroup -o edit -a _lasso -t user web
sudo chgrp -R web webroot
sudo chmod -R 770 webroot
This apparently works for Apache, but any lasso files merely output a Lasso permission error:
An unhandled failure during a web request
Error Code: 13
Error Msg: Permission denied - While opening //Library/Server/Web/Data/Sites/...
I have also tried adding the _www and _lasso groups to the web group, as well as creating a new Lasso instance in the instance manager with the effective group set to "web".
Strangely, setting permissions to the _lasso user or group directly on the files (i.e. not through the web group) seems to work which makes me believe there's something wrong with how I'm creating my ACLs.
A little more info:
ls -l#e example.lasso
-rwxrwx---+ 1 danielpervan web 0 Feb 19 15:20 example.lasso
0: user:_spotlight inherited allow read,execute
I've encountered problems similar to this when I have ACLs above and beyond the standard Unix permissions. From your post, it looks like there are some ACLs on the example.lasso file. I would run the following script on your web root to remove all ACLs from every folder / file:
sudo chmod -R -N /path/to/webroot/
If that doesn't work, verify that the _lasso user is part of the web group:
dscl . -read /groups/web | grep GroupMembership

How to overwrite the asking for authentication when running an admin shell script in Apple Script?

I'm wanting to make a simple program that runs each time on login behind the UI. In my applescript I'm running a sudo command that requires admin authentication. Is there a way to overwrite the need for authentication each time it runs? I don't want to have to type my username and password each time this script runs after login. any help? (and in very simple terms to as I'm a novice.)
Much Thanks!
You can put your username and password in the applescript command so that it doesn't ask for those credentials. However note that these items are stored as plain text inside the applescript and thus it's possible for others to see them. It's not really secure but it's up to you to decide if it's safe. NOTE: you don't need "sudo" in the command any longer.
do shell script "whatever" user name "username" password "password" with administrator privileges
There are methods where you can store your password in the Keychain and retrieve it from the applescript, thus making it secure. If you want to do that then you create the password item as follows.
Open Keychain Access application and select the keychain in the left column. Then click File>New Password Item..., give it a name, put your account shortname in account, and enter the password. Highlight it in the password list and get information on it. Under the Attributes button enter its kind as generic key. This is chosen because there aren't many of them and the search is much faster. Whatever name you give to it must be put in the code below in "Your Password Name".
Now from applescript you can use it like this...
set myPass to getPW()
do shell script "whatever" user name "username" password myPass with administrator privileges
on getPW()
do shell script "security 2>&1 >/dev/null find-generic-password -gl \"Your Password Name\" | awk '{print $2}'"
return (text 2 thru -2 of result)
end getPW
Good luck!
Another solution is editing the
etc/sudoers
configuration file.
A setting on that file can allow a specific user to execute a specific commands (with... yes... specific parameters) as super user.
If the command itself is not the problem, but the problem is exposing the password in the code then this may be the solution.
The sudores file should be edited running the command visudo as super user.
Before you start tampering with sudoers I strongly suggest you to get a basic knowledge of visudo and the sudoers syntax, as messing that file may causes serius issues to the system.
As you know what you are doing is just a matter of adding a couple of lines.
For information you may Google or start here http://www.sudo.ws/sudoers.man.html
If you want all Administrator accounts to be able to use the sudo command without entering a password, then do the following.
Change the line shown below in the /private/etc/sudoers file from
%admin ALL=(ALL) ALL
to
%admin ALL=(ALL) NOPASSWD: ALL
This edit can be accomplished, by using the Terminal and TextEdit applications. Open the Terminal application and type the following commands:
cd ~/desktop
sudo cp -n /etc/sudoers /etc/sudoers.orignal
sudo cp /etc/sudoers sudoers.txt
sudo chmod ug+w sudoers.txt
open sudoers.txt
visudo -c -f sudoers.txt
sudo cp -X sudoers.txt /etc/sudoers
When done, the sudoers.txt file on your desktop can be put in the trash.
To undo your changes, use the command:
sudo cp /etc/sudoers.original /etc/sudoers
This was tested using OS X 10.10.1
If you want to do the same for a single user then see:
http://hints.macworld.com/article.php?story=20021202054815892
Below is a brief explanation of what each command does:
cd ~/desktop
This makes sure you are working from your desktop folder.
sudo cp -n /etc/sudoers /etc/sudoers.original
This backups your sudoers file. The backup can be used to undo your changes. The -n option insures that an existing sudoers.original file will not be overwritten.
sudo cp /etc/sudoers sudoers.txt
Copies the sudoers file to your desktop. The .txt extension is added so OS X will know this is a text file.
sudo chmod ug+w sudoers.txt
Changes the file’s permissions to allow write access.
open sudoers.txt
Opens the file in the TextEdit application. You need to edit the file and save the changes.
visudo -c -f sudoers.txt
Checks the edited file for syntax errors. The output should be sudoers.txt: parsed OK.
sudo cp -X sudoers.txt /etc/sudoers
Copies the file back to the /etc directory.

Error due to encryption in the command "cp -R /Users/me/cs_project /Users/cs/"

Problem: to copy a directory tree from the "me" master user to the encrypted harddrive of the "cs"-user:
su cs
bash-3.2$ cp -R /Users/me/cs_project /Users/cs/
cp: /Users/cs/cs_project: Permission denied
cp: /Users/me/cs_project/h_mark: unable to copy extended attributes to /Users/cs/: Permission denied
cp: /Users/cs/: No such file or directory
...
Question: How can I copy my project of the master user "me" to my other user "cs"?
New information about the Encryption
I got the suggestions working with other users, but not with the origal users. The problem is that the 'cs' user has Mac's SafeVault encryption.
Is the "me" user an administrator? If so, you can log in as me, then manually mount cs's home image with:
sudo hdiutil mount /Users/cs/cs.sparsebundle
cp -R /Users/me/cs_project /Volumes/cs/
Notes: the sudo command will ask for me's password, and then hdiutil might pop up a GUI dialog asking for the FileVault master password; you can either supply this (if you know it), or hit the cancel button and enter the encryption password (i.e. cs's password) in the CLI when it prompts for that. Also, the image should mount with file ownership ignored, meaning that you don't have to sudo the cp command (OTOH, the permissions may come out a little weird on the copied files, so expect to clean them up afterward).
Alternately, you could take the easy way: log in as me, copy/move the files to some public location, set the permissions on them to grant cs read access, then log in as me and copy them.
You need to set permissions. The easiest thing is probably:
$ su me
$ chmod -R o+r /Users/cs/cs_project
Whatever user you're running this command under needs permission to read (and search dirs, i.e. the x permisison bit) throughout the tree rooted at /Users/me/cs_project and for course permission to write in /Users/cs. You can change permissions as needed with command chmod.
try sudo cp -R /Users/me/cs_project /Users/cs/

Resources