# Admin priveleges in AppleScript



## Mikuro (Apr 21, 2005)

What's the best way to go about having an AppleScript acquire _and retain_ administrator priveleges for use in shell scripts? I need to execute many admin-level shell scripts, and I only want the user to need to enter their password once.

Here are the details:

I have an AppleScript that executes certain shell scripts repeatedly (using the "do shell script" command). Some of these shell scripts require admin priveleges. The Do Shell Script command lets me say "with administrator priveleges", but if I do that, then I need to enter my password every time it needs to execute a shell script (which is absolutely unacceptable, since this is a background script which should be completely transparent).

Now, I know I can pass a specific password to the Do Shell Script command. This works, but I don't know how to ask for the user's password to begin with, and in a secure way. If I do _display dialog "Enter your administrator password:" default answer ""_, the user's input won't be asterisk'd out, and I'm also afraid storing the admin password in such a way wouldn't be very secure (am I wrong?).

Any advice on how I should go about this?


----------



## davidbrit2 (Apr 25, 2005)

Here's the source code of a simple Bluetooth internet sharing script I downloaded from somewhere. It only asks for the password once.


```
do shell script "sudo /usr/sbin/pppd /dev/tty.Bluetooth-PDA-Sync 115200 noauth local passive proxyarp asyncmap 0 silent persist :10.0.1.201 &" with administrator privileges
do shell script "sudo /usr/sbin/sysctl -w net.inet.ip.forwarding=1"
do shell script "sudo /usr/sbin/natd -same_ports -use_sockets -log -deny_incoming -interface en1"
do shell script "sudo /sbin/ipfw add divert natd ip from any to any via en1"
```


----------



## Mikuro (Apr 25, 2005)

Thanks! That method works. Unfortunately, there are a couple gotchas when using it with always-running backround scripts like mine.

The first gotcha is that it will only retain admin privileges for a certain amount of time between shell commands. My script runs with an idle handler, and only actually does its thing now and again, depending on what the user's been doing. So it could very well be hours between shell commands, in which case it would need the password again, because its authorization will have expired.

There IS a workaround for this, however: keep calling sudo'd shell scripts at regular intervals (in my case, every time the idle handler is run, meaning once every 5 seconds). So my Idle handler looks something like this:
	
	



```
on idle
	try
		get do shell script "sudo echo x" --this keeps the authorization live, without needing any user input
	on error
		get do shell script "sudo echo x" with administrator privileges --this re-requests authorization if it has expired (e.g., the computer was asleep for a while)
	end try
	--do whatever else needs to be done here
end idle
```
That'll keep my admin privileges live indefinitely, requesting a password only when necessary, which is great. Unfortunately, it also prevents my computer from auto-sleeping, which is a big no-no for an app that should, ideally, by running 24/7 in the background. 

I'm still trying to work on a cure for this shell-script-induced insomnia. I'll post an update if I come up with one. And if anyone has any ideas, I'd love to hear them.


----------

