Script result: Do not run this script with root privileges. Do not use 'sudo'.

tranatisoc
New Contributor II

hi - i'm trying to remove Box Drive app but having issue.

I have the following in my script:

!/bin/bash

quit box drive

osascript -e 'quit app "Box"'

remove box drive

"/Library/Application Support/Box/uninstall_box_drive"

after i executed using a policy, i get the following error:

Script result: Do not run this script with root privileges. Do not use 'sudo'.

Can someone please share some insight into this?

thanks

14 REPLIES 14

bpavlov
Honored Contributor

I'm guessing that output is from the uninstall_box_drive tool.

The reason you are getting this message is because if you are running this with Jamf, then it is running as root.

One way around this would be to create a launch agent (which runs as user) and runs the two commands you have in this script.

By the way, when you want to paste code on Jamf Nation, make sure to use click the >_ button and paste the code in between the two single quote lines it gives you. This makes code much more readable on the site.

#!/bin/sh
Example of what it would look like

tranatisoc
New Contributor II

thanks for the quick response bpavlov.

please could you help me how to do launch agent?

this is a bit urgent so haven't had time to search jamf or google for help.

thanks for your understanding and assistance

m_donovan
Contributor III

You could try something like this: (caution untested script)

#!/bin/bash

osascript -e 'quit app "Box"'

consoleuser=$(stat -f%Su /dev/console)

su - "${consoleuser}" -c '/Library/Application Support/Box/uninstall_box_drive'

exit 0

I don't have Box installed on anything so I have not tested this myself. It could be that you need to run the remove tool as the user and this MIGHT get you what you need. Please test on your own test machine(s) before attempting in production. This technique works for me when I want to run something as the user from self service.

tranatisoc
New Contributor II

thanks for your help m.donovan.

now i'm getting a different error:

Script result: -bash: /Library/Application: No such file or directory

note: i think something in the uninstall_box_drive script that's causing these errors.

m_donovan
Contributor III

Try putting a after Application like this

su - "${consoleuser}" -c '/Library/Application Support/Box/uninstall_box_drive'

Looks like the space between Application and Support needs to be escaped. I thought the single quotes would take care of the space.

sgoetz
Contributor

Hey there!

From the sound of it you will need to run your scripts as the user logged into the machine. This can be done from JAMF scripts. But takes a little work. The current method to run things as users is like as follows:

#!/bin/sh
currentUser=$(stat -f%Su /dev/console)
currentUserUID=$(dscl . read /Users/$currentUser UniqueID | awk {'print $2'})

launchctl asuser $currentUserUID /usr/bin/osascript <<EOF
tell application "Box"
quit
end tell
EOF

launchctl asuser $currentUserUID /Library/Application Support/Box/uninstall_box_drive

Hope that helps

Shawn OG

bbracey
New Contributor III

Have you tried creating a Restriction using JAMF?

tranatisoc
New Contributor II

thanks guys for all your help, but i think there's something funny going on with the uninstall_box_drive script. now a different error:

Script result: 0
No matching processes belonging to you were found
sudo: no tty present and no askpass program specified
2018-08-23 11:23:14.624 defaults[5908:133106] Domain (com.box.desktop.installer) not found.
Defaults have not been changed.


Box Drive has been uninstalled.


says its uninstalled but the app still there.

here's the uninstall_box_drive script:

!/bin/bash

uninstall_box_drive -- remove Box Drive components from a machine.

usage: uninstall_box_drive [-n]

options:

-n No quit if FUSE is unable to be uninstalled (for AAU)

This script must be run as a regular user, not with elevated privileges. And other

than the 'sudo' call to run the "uninstall_box_drive_r" script, no further uses of sudo

should appear in this script. Anything that requires sudo should go in "uninstall_box_drive_r"

Possible exit codes:

0 - Success

1 - Was run with elevated privilege

2 - Was unable to unload the FUSE kext

3 - Box.app is running.

4 - Unknown parameter

BFD_IDENTIFIER="com.box.desktop"
BOX_HELPER_IDENTIFIER=com.box.desktop.helper
BOX_HELPER_PLIST_PATH=/Library/LaunchAgents/$BOX_HELPER_IDENTIFIER.plist
FINDER_EXTENSION_IDENTIFIER=com.box.desktop.findersyncext

# Return 1 if an app with the specified bundle ID is running

function is_app_running { /usr/bin/lsappinfo find kLSBundleIdentifierLowerCaseKey="$1" | grep -c ASN
}

# Exit the script with a message if we're running as root

function ensure_running_as_user { if [ $EUID -eq 0 ]; then echo "Do not run this script with root privileges. Do not use 'sudo'." exit 1 fi
}

# Check and see if Box is running - user will need to quit if it is

function ensure_box_not_running { if is_app_running $BFD_IDENTIFIER; then echo "Box Drive appears to be running. You must quit the Box Drive application and run this script again." exit 3 fi
}

function unload_user_au_and_helper { # Unload the user version of the helper /bin/launchctl unload $BOX_HELPER_PLIST_PATH || true
}

# Clear out any prefs we've set

function clear_user_level_prefs { defaults delete com.box.desktop.installer || true defaults delete com.box.desktop.ui || true defaults delete com.box.desktop || true
}

# In Python _add_to_startup_items() adds Box to System Preferences > Users & Groups > Login Items so reverse this.

function remove_from_login_items { osascript -e 'tell application "System Events" to delete every login item whose name is "Box"' 2>/dev/null || true
}

# Disable the Finder extension

function disable_finder_extension { # Always disable the plugin /usr/bin/pluginkit -e ignore -i $FINDER_EXTENSION_IDENTIFIER || true

# Immediately kill any running processes killall -9 FinderSyncExt || true
}

# main

# A command-line parameter of "-n" means "don't give up if you can't uninstall FUSE."

This is intended for AAU use.

fuse_failure_quits=1
if [ "$1" = "-n" ]; then fuse_failure_quits=0
elif [ "$1" != "" ]; then echo "usage: uninstall_box_drive [-n]" exit 4
fi

Make sure we're clear to go

ensure_running_as_user &&
ensure_box_not_running &&
unload_user_au_and_helper &&
disable_finder_extension

Do the work that requires sudo - this work is placed in a separate script to support

developers. In jenkins passwordless sudo is enabled. But on developer machine we

shouldn't required a blankey "password-less sudo". This is an issue because developers

run Chimp locally and Chimp executes these uninstall scripts and it's often the case

that there's no STDIN for sudo to use to get the password. Thus, by placing all the

logic that requires sudo in a script called uninstall_box_drive_r... the developers

can add an password-exemption for just that script in /etc/sudoers that looks like:

<username> ALL = (root) NOPASSWD: /Library/Application Support/Box/uninstall_box_drive_r

sudo "${0%/*}/"uninstall_box_drive_r $fuse_failure_quits

Do any remaining non-sudo work

clear_user_level_prefs
remove_from_login_items

echo
echo
echo " "
echo
echo "Box Drive has been uninstalled."
echo
echo " "
echo
echo

exit 0

tranatisoc
New Contributor II
#!/bin/bash
#
# uninstall_box_drive -- remove Box Drive components from a machine.
#
# usage: uninstall_box_drive [-n]
#
# options:
#
#   -n      No quit if FUSE is unable to be uninstalled (for AAU)
#
# This script must be run as a regular user, not with elevated privileges. And other
# than the 'sudo' call to run the "uninstall_box_drive_r" script, no further uses of sudo
# should appear in this script. Anything that requires sudo should go in "uninstall_box_drive_r"
#
# Possible exit codes:
#
#   0   - Success
#   1   - Was run with elevated privilege
#   2   - Was unable to unload the FUSE kext
#   3   - Box.app is running.
#   4   - Unknown parameter
#

BFD_IDENTIFIER="com.box.desktop"
BOX_HELPER_IDENTIFIER=com.box.desktop.helper
BOX_HELPER_PLIST_PATH=/Library/LaunchAgents/$BOX_HELPER_IDENTIFIER.plist
FINDER_EXTENSION_IDENTIFIER=com.box.desktop.findersyncext

#
# Return 1 if an app with the specified bundle ID is running
#
function is_app_running {
    /usr/bin/lsappinfo find kLSBundleIdentifierLowerCaseKey="$1" | grep -c ASN
}


#
# Exit the script with a message if we're running as root
#
function ensure_running_as_user {
    if [ $EUID -eq 0 ]; then
        echo "Do not run this script with root privileges. Do not use 'sudo'."
        exit 1
    fi
}


#
# Check and see if Box is running - user will need to quit if it is
#
function ensure_box_not_running {
    if is_app_running $BFD_IDENTIFIER; then
        echo "Box Drive appears to be running. You must quit the Box Drive application and run this script again."
        exit 3
    fi
}

function unload_user_au_and_helper {
    # Unload the user version of the helper
    /bin/launchctl unload $BOX_HELPER_PLIST_PATH || true
}


#
# Clear out any prefs we've set
#
function clear_user_level_prefs {
    defaults delete com.box.desktop.installer || true
    defaults delete com.box.desktop.ui || true
    defaults delete com.box.desktop || true
}


#
# In Python _add_to_startup_items() adds Box to System Preferences > Users & Groups > Login Items so reverse this.
#
function remove_from_login_items {
    osascript -e 'tell application "System Events" to delete every login item whose name is "Box"' 2>/dev/null || true
}

#
# Disable the Finder extension
#
function disable_finder_extension {
    # Always disable the plugin
    /usr/bin/pluginkit -e ignore -i $FINDER_EXTENSION_IDENTIFIER || true

    # Immediately kill any running processes
    killall -9 FinderSyncExt || true
}

#
# main
#

#
# A command-line parameter of "-n" means "don't give up if you can't uninstall FUSE."
# This is intended for AAU use.
#

fuse_failure_quits=1
if [ "$1" = "-n" ]; then
   fuse_failure_quits=0
elif [ "$1" != "" ]; then
    echo "usage: uninstall_box_drive [-n]"
    exit 4
fi

# Make sure we're clear to go
ensure_running_as_user && 
ensure_box_not_running && 
unload_user_au_and_helper && 
disable_finder_extension

# Do the work that requires sudo - this work is placed in a separate script to support
# developers. In jenkins passwordless sudo is enabled. But on developer machine we
# shouldn't required a blankey "password-less sudo". This is an issue because developers
# run Chimp locally and Chimp executes these uninstall scripts and it's often the case
# that there's no STDIN for sudo to use to get the password. Thus, by placing all the
# logic that requires sudo in a script called uninstall_box_drive_r... the developers
# can add an password-exemption for just that script in /etc/sudoers that looks like:
#     <username> ALL = (root) NOPASSWD: /Library/Application Support/Box/uninstall_box_drive_r
#
sudo "${0%/*}/"uninstall_box_drive_r $fuse_failure_quits

# Do any remaining non-sudo work
clear_user_level_prefs
remove_from_login_items

echo
echo
echo "* * * * * *"
echo
echo "Box Drive has been uninstalled."
echo
echo "* * * * * *"
echo
echo

exit 0

mm2270
Legendary Contributor III

The sudo: no tty present and no askpass program specified error is likely because the script contains this line:

sudo "${0%/*}/"uninstall_box_drive_r $fuse_failure_quits

That is, if it's even running it, because the comment also states "this work is placed in a separate script" meaning the script it's trying to execute might not be present.

Here's what I'm going to say, and you won't like this answer, but, this script really wasn't designed to be pushed via Jamf or ARD or some other tool like that. It appears to be designed to be run by a user in Terminal. It will prompt them for their password to run sudo level stuff, but still as them, not as root. I don't think you will be able to use this script effectively pushed via a management tool.

Let me ask you, is it important to run all that stuff in the script, like removing user level prefs and such, or do you just want the application shut down and removed? If the latter is all that's important, it should be much easier to do than trying to utilize that script.

tranatisoc
New Contributor II

thank you, mm270 for your response and clarification.

can i answer you question with a question? what's the side effects, if any if i don't remove user prefs and other stuff in the script?

i think ultimately, i just want the shutdown the app if running, then remove it cleanly including all residues.

mm2270
Legendary Contributor III

@tranatisoc I'm not able to do a full response because I'm super busy right now, but off hand I don't see a major problem with leaving some of the preferences behind. The developers choose to remove those to prevent a future reinstall of Box from picking up some old preferences I guess, which makes sense.
I'm not sure on some of the other stuff. I know Box installs a setting to the user space to auto launch the application, but if the app itself is removed that should pose no harm.

If you are ok with reading scripts, you should be able to grab the relevant parts from their script and place into a custom one. You'd also have to look at that uninstall_box_drive_r script as it references that, but we aren't seeing that script above. It seems like the important one though as it probably is what removes the app itself.

ryan_ball
Valued Contributor

I've looked at the script from the Box package. This will uninstall Box Drive and remove the preferences for all users:

#!/bin/sh

killall Box
/Library/Application Support/Box/uninstall_box_drive_r

rm -f /Users/*/Library/Preferences/com.box.desktop.installer.plist
rm -f /Users/*/Library/Preferences/com.box.desktop.ui.plist
rm -f /Users/*/Library/Preferences/com.box.desktop.plist

tranatisoc
New Contributor II

thanks mm270 & ryan.ball.

@ryan.ball , it worked. many thanks