Login script with root privilege

ivanlovisi
New Contributor III

I'm trying to run a login script with root rules. Obviously without having to use a trigger for Login with JamfPRO. Does anyone have an idea?

3 REPLIES 3

allanp81
Valued Contributor

I think you could achieve this with the outset tool: https://github.com/chilcote/outset

PaulHazelden
Contributor III

Use a LaunchDaemon to run your script, it will run as root.

My login scripts are run as LaunchAgents - user privileges. I have a few operations that require root privileges to work. So the script that is running from the LaunchAgent login simply has a touch command in it, and it points to a watched file. The LaunchDaemon is set to watch for access to this watched file, and if found to run the script.

LaunchDaemon xml format below

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>UNIQUE_PROCESS_NAME</string>
    <key>ProgramArguments</key>
    <array>
        <string>PATH/TO/SCRIPT.sh</string>
        <string>-argument</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>PATH/TO/THE/WATCHED/FILE</string>
    </array>
</dict>
</plist>

LaunchAgent xml below

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>UNIQUE_PROCESS_NAME</string>
    <key>ProgramArguments</key>
    <array>
        <string>PATH/TO/LOGIN/SCRIPT.sh</string>
        <string>-argument</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

In your Loginscript put
touch PATH/TO/THE/WATCHED/FILE
And when that executes the Daemon xml will run the script it points to.
I would then add in a sleep 10
to await the Daemon script to complete. Change the 10 for however many seconds you think the process will take.

Hope this helps

Paul

thebrucecarter
Contributor II

As listed previously, a launch agent is the way that Apple recommends. Login and logout hooks still work, though... Lots of examples out there, but we're actually in the process of moving all that stuff INSIDE Jamf Pro instead of having it scattered all over the place.