Have a script run at Login but not call for admin privileges?

thestardawg
New Contributor

I'm using this script to auto set search domains at login. It works great but the user has to enter their password twice. Is there any way to bypass?

Thanks!

#!/bin/sh

# Space-separated list of search domains (value left empty in the post)
SearchDomains=""


# Set DNS search domains on each network service
# ($SearchDomains is left unquoted so each domain becomes its own argument)

/usr/sbin/networksetup -setsearchdomains "Wi-Fi" $SearchDomains
/usr/sbin/networksetup -setsearchdomains "Thunderbolt Ethernet" $SearchDomains
/usr/sbin/networksetup -setsearchdomains "Thunderbolt Ethernet 2" $SearchDomains
/usr/sbin/networksetup -setsearchdomains "Ethernet" $SearchDomains
/usr/sbin/networksetup -setsearchdomains "USB Ethernet" $SearchDomains


# Remove setup LaunchDaemon item

srm /Library/LaunchDaemons/com.company.networksetup.plist

# Make script self-destruct

srm "$0"

thestardawg
New Contributor

This is the script I'm using to call the searchdomains.

I do not have the power of Casper yet, but hopefully will very soon. So I'm just manually uploading these files at the moment.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.networksetup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/network_setup.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

jarednichols
Honored Contributor

Is it a LaunchAgent or a LaunchDaemon?

If it's a LaunchAgent, it runs the called script as the user. Seeing as how you need sudo rights with networksetup to set anything, that's why they're prompted. If you do it as a LaunchDaemon, it'll run as root.

With Casper, set a policy to run at login and fire off the script (removing the self destruct bit first) as the Casper admin user will by default run the script with sudo rights and there will be no prompt for auth.

EDIT: I'm not properly caffeinated and just re-read your post. It's a LaunchDaemon. Let me bang this around my skull.

EDIT 2: What are the permissions and ownership on the items involved? (script and LD)

thestardawg
New Contributor

Hey Jared,

It looks like the permissions are set as follows:

network_setup.sh --rwxr-xr-x@ root wheel

com.company.networksetup.plist --rwxr-xr-x@ root staff

I've got it currently installed as a user launch agent.

Should I try making it a launchdaemon?

Thanks for the help,

mm2270
Legendary Contributor III

From your script it looked like you were srm'ing a LaunchDaemon, so I think Jared (and I as well) assumed you set this up as a LaunchDaemon. But you're saying it's located in /Library/LaunchAgents? If so, then that's the issue, just as Jared mentioned. A LaunchDaemon will run as root and not prompt for admin credentials.

The only issue you may run into is, LDs will run even when no-one is logged in and you mentioned wanting to make this run at login. Truthfully though I don't see why it would require that since you're setting search domains. Not really something that is user specific. Try it as a LaunchDaemon and if it works out, then that's the answer.

nessts
Valued Contributor II

And the permissions of the plist file in LaunchAgents or LaunchDaemons have to be root:wheel 644 or more restrictive. If write or execute is on for group or other, it will never execute. rw-r--r--

thestardawg
New Contributor

Thanks for the help guys! Does it matter the permissions on the .sh script? I changed those to root:wheel 644 as well.

I'm not sure what I could be doing wrong at this point. Nothing appears to be happening once I moved it to Daemons.

I also checked launchctl load and it says the .plist is already loaded.
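
An added example, not part of any post in this thread: a portable shell audit of the ownership and mode rules discussed above. It applies the thread's "root-owned, 644 or more restrictive" rule to the plist and goes one step further for the script, which launchd executes directly from ProgramArguments and which therefore needs its owner execute bit (a 644 mode removes it). The function names and the optional expected-uid argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit a launchd job's files before loading it.
# Assumed helper names: mode_and_uid, audit. Third argument of audit is the
# expected owner uid (defaults to 0 = root); it exists so the check can be
# exercised on scratch files by a non-root user.
#
# Usage with the paths from the thread:
#   audit plist  /Library/LaunchDaemons/com.company.networksetup.plist
#   audit script /var/network_setup.sh

mode_and_uid() {
    # Print the 10-character mode string and the numeric owner uid.
    # substr() drops the trailing '@' or '+' that macOS ls appends.
    ls -ldn "$1" 2>/dev/null | awk '{print substr($1, 1, 10), $3}'
}

audit() {   # audit plist|script PATH [UID]; 0 = ok, 1 = unsafe, 2 = missing
    kind=$1 path=$2 want_uid=${3:-0}
    info=$(mode_and_uid "$path")
    [ -n "$info" ] || { echo "missing: $path" >&2; return 2; }
    mode=${info% *} uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid: $path" >&2
        return 1
    fi
    case "$kind:$mode" in
        # plist: regular file, 644 or stricter (no execute, no group/other write)
        plist:-[r-][w-]-[r-]--[r-]--) return 0 ;;
        # script: owner can read and execute; nobody but the owner can write,
        # since the job runs it as root
        script:-r[w-]x[r-]-[x-][r-]-[x-]) return 0 ;;
    esac
    echo "mode $mode is not acceptable for a $kind: $path" >&2
    return 1
}
```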

TDManila
New Contributor III

Hello! I have been searching and trying scripts to call the admin user / profile, but it doesn't seem to be working on my end. Do you have any particular script for that, to call or know the admin logins? I have also tried through Jamf advanced computer search and smart groups but did not see any.