I need to be able to change a user's password from a cron task or from an ssh session. Is there an easy way to do that with a bash script? If not, what's the easiest way to do it in Cocoa?
Apple introduced CSIdentitySetPassword API in Mac OS 10.5 that allows to change password as follows:
#import <Collaboration/Collaboration.h>
AuthorizationRef authRef = NULL; // You have to initialize authRef
CBIdentityAuthority *authority = [CBIdentityAuthority defaultIdentityAuthority];
CSIdentityRef identity = [CBIdentity identityWithName:user authority:authority].CSIdentity;
if (CSIdentityGetClass(identity) == kCSIdentityClassUser) {
CSIdentitySetPassword(identity, (__bridge CFStringRef)newPassword);
CSIdentityCommit(identity, authRef, NULL);
}
AuthenticationRef can be initialized like int this response.
Use the passwd shell command.
Related
IOCreatePlugInInterfaceForService failed w/ kIOReturnNoResources/0xe00002be
I am rewriting old FireWire based command line utility into XPCService. I need some help about an IOKit function.
Following part is to get IOCFPlugInInterface for FireWireAVCLibUnit.(almost same as original code; basic idea comes from legacy simpleAVC samplecode).
When I call IOCreatePlugInInterfaceForService() in the XPCService, it always failed returning 0xe00002be = kIOReturnNoResources in IOReturn.h.
I have confirmed no sandbox, no hardened for the XPC Service.
Original command line utility works perfectly on macOS 10.14 though, would you someone give me a hint on this topic?
CFDictionaryRef dict = CFDictionaryCreateCopy(kCFAllocatorDefault, self.dict);
kern_return_t result = IOServiceGetMatchingServices(kIOMasterPortDefault, dict, &serviceIterator);
if (result == KERN_SUCCESS && serviceIterator != IO_OBJECT_NULL) {
while ((service = IOIteratorNext(serviceIterator)) != IO_OBJECT_NULL) {
SInt32 score = 0;
kern_return_t result = IOCreatePlugInInterfaceForService(service,
kIOFireWireAVCLibUnitTypeID,
kIOCFPlugInInterfaceID,
&interface,
&score);
if (result != KERN_SUCCESS) continue;
// result 0xe00002be = kIOReturnNoResources in IOReturn.h
break;
}
}
Additional details
I have find IOCFPlugIn.c in opensource.apple.com. After basic verification,
- IOCreatePlugInInterfaceForService() failed to IOCFPlugIn->Start() .
(*iunknown)->QueryInterface(iunknown, CFUUIDGetUUIDBytes(interfaceType),
(LPVOID *)&interface);
<snip>
kr = (*interface)->Probe(interface, plist, service, &score);
<snip>
haveOne = (kIOReturnSuccess == (*interface)->Start(interface, plist, service));
Probe() returned kIOReturnSuccess though,
Start() failed w/ kIOReturnNoDevice = 0xe00002c0. and haveOne = false.
Finally IOCreatePlugInInterfaceForService() returned kIOReturnNoResources = 0xe00002be.
Is this related to some security feature on macOS?
MODIFIED
I have found hardened runtime with Camera access was rejected FireWireAVCLibUnit (tccd shows error).
Even if no sandbox, no hardened for the XPC Service in Xcode was checked, XPCservice is handled via sandbox. (macOS 10.14.6 + Xcode 10.3)
I would appreciate if you have an advice.
I have found the solution.
- Add NSCameraUsageDescription in Info.plist, and IOFireWireAVCUserClient will work.
- If sandboxed, com.apple.security.device.firewire is also required.
Even if capabilities-sandbox is off, tccd verify info.plist.
If “Privacy - Camera Usage Description” is not available, sandboxd reject to use IOFireWireAVCUserClient device.
Information Property List Key Reference/Cocoa Keys
This is my first time writing in Swift, Cocoa (have experience in Cocoa Touch), and using Authorization, so I honestly have no idea if I am even on the right track. I am trying to make a modification to the hosts file, which requires user authentication, but both the AuthorizationCreate and AuthorizationExecuteWithPrivileges methods are giving errors.
var authorizationRef:AuthorizationRef
var status:OSStatus
status = AuthorizationCreate(nil, environment:kAuthorizationEmptyEnvironment, flags:kAuthorizationFlagDefaults, authorization:&authorizationRef)
let overwrite_hosts = "echo \(hostsContents) > /private/etc/hosts"
let args = [overwrite_hosts.cStringUsingEncoding(NSUTF8StringEncoding)]
status = AuthorizationExecuteWithPrivileges(authorizationRef, pathToTool:"/bin/sh", options:kAuthorizationFlagDefaults, arguments:args, communicationsPipe:nil)
Me calling AuthorizationCreate is throwing "Type '()' does not conform to protocol 'AuthorizationRef'" and my call of AuthorizationExecuteWithPrivileges is throwing "Could not find an overload for '__conversion' that accepts the supplied arguments"
Any ideas? Am I approaching this incorrectly?
Thanks for any help!
I was able to figure out how to do it via AppleScript, but you should be able to do it using the Authorization method I was trying before, therefore leaving this question open. Anybody looking for a quick solution (no error checks implemented) you can use what I wrote below:
func doScriptWithAdmin(inScript:String) -> String{
let script = "do shell script \"\(inScript)\" with administrator privileges"
var appleScript = NSAppleScript(source: script)
var eventResult = appleScript.executeAndReturnError(nil)
if !eventResult {
return "ERROR"
}else{
return eventResult.stringValue
}
}
I want to create application that use admin password to run some scripts in bash. For example:
echo **pass** | sudo -S reboot
What is the best way to get it.
I looked this tutorial, and all of what I understood - it is how to run authorization window.
AuthorizationRef authRef= NULL;
AuthorizationItem right = { "com.my.app", 0, NULL, 0 };
AuthorizationRights rightSet = { 1, &right };
OSStatus status;
if (AuthorizationCreate(
NULL,
kAuthorizationEmptyEnvironment,
kAuthorizationFlagDefaults,
&authRef) != errAuthorizationSuccess)
{
NSLog(#"Could not create authorization reference object.");
}
status = AuthorizationCopyRights(authRef, &rightSet, kAuthorizationEmptyEnvironment,
kAuthorizationFlagDefaults |
kAuthorizationFlagPreAuthorize |
kAuthorizationFlagInteractionAllowed |
kAuthorizationFlagExtendRights,
NULL);
Is there a way to get password after this steps?
Or all of this wrong - and exist another way?
Thanks!
You cannot (and should not) get the actual password. The OS doesn't even know what it is. This is on purpose. As you note, you should create a small helper program whose privileges you can escalate.
If at all possible, you should avoid the shell entirely. It is very fragile. It is much better to write a pure C/ObjC program that does just what you want and elevate its privileges.
I recall there being a Cocoa framework or AppleScript dictionary to check if an Application bundle with a specific name is installed at all, anywhere on the computer.
How do I do this? Either Cocoa, AppleScript, or command line are useful to me.
You should use Launch Services to do this, specifically the function LSFindApplicationForInfo().
You use it like so:
#import <ApplicationServices/ApplicationServices.h>
CFURLRef appURL = NULL;
OSStatus result = LSFindApplicationForInfo (
kLSUnknownCreator, //creator codes are dead, so we don't care about it
CFSTR("com.apple.Safari"), //you can use the bundle ID here
NULL, //or the name of the app here (CFSTR("Safari.app"))
NULL, //this is used if you want an FSRef rather than a CFURLRef
&appURL
);
switch(result)
{
case noErr:
NSLog(#"the app's URL is: %#",appURL);
break;
case kLSApplicationNotFoundErr:
NSLog(#"app not found");
break;
default:
NSLog(#"an error occurred: %d",result);
break;
}
//the CFURLRef returned from the function is retained as per the docs so we must release it
if(appURL)
CFRelease(appURL);
From the command line this seems to do it:
> mdfind 'kMDItemContentType == "com.apple.application-bundle" && kMDItemFSName = "Google Chrome.app"'
You can also use lsregister.
on doesAppExist(appName)
if (do shell script "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep com.apple.Safari") ¬
contains "com.apple.Safari" then return true
end appExists
That's pretty fast and you can do it from other languages like Python quite easily. You would want to play around with what you grep to make it most efficient.
I'm attempting to write a launchd agent that runs a simple application for every user that logs in to the Mac OS X system.
I have created a file named com.mycompany.myapp.plist and placed it in /Library/LaunchAgents. The contents of that file are:
{
LimitLoadToSessionType = "Aqua";
StartInterval = 10;
OnDemand = NO;
KeepAlive = YES;
RunAtLoad = YES;
Label = "com.mycompany.myapp";
Program = "/Users/thomi/myapp";
ProgramArguments = (
"/Users/thomi/myapp",
"-l",
"-d",
);
}
Initially I didn't have the StartInterval key set, since I thought the agent would start automatically. The problem is that the agent does not start unless I manually issue the following two commands:
launchctl load -S Aqua -D all
launchctl start com.mycompany.myapp
Firther, when I run launchctl list com.mycompany.myapp I get the following output:
{
"Label" = "com.mycompany.myapp";
"LimitLoadToSessionType" = "System";
"OnDemand" = true;
"LastExitStatus" = 0;
"TimeOut" = 30;
"Program" = "/Users/thomi/myapp";
ProgramArguments = (
"/Users/thomi/myapp",
"-l",
"-d",
);
};
Notice that the LimitLoadToSessionType parameter has changed.
Am I missing something here? Is there a different mechanism to start agents like this? Why has the LimitLoadToSessionType property changed?
Not sure if it's the problem, but I think you shouldn't be specifying both OnDemand/RunAtLoad and KeepAlive together. As I understand the documentation, the KeepAlive key replaces the OnDemand/RunAtLoad combo.
http://developer.apple.com/mac/library/technotes/tn2005/tn2083.html#SECCODINGRECOMMENDATIONS
Found the problem - apparently launchd doesn't work properly with the old-style plist files. It loads OK, but won't run anything. Re-creating the above file as a new-style XML file solved the issue.