Difference between revisions of "DeployStudio Runtime for End Users"

From AFP548 Wiki
Revision as of 22:20, 14 October 2010

Background:

We use DeployStudio Server to deploy packages and system images in the College of Education. We would like to leverage the DeployStudio Runtime.app (Runtime) application on client computers to allow users to install a predefined set of software. They would be able to request additional software to be served through the Runtime application.

In order to allow non-admin (standard) users to run Runtime, they have to have a way to launch it as root. Enter /etc/sudoers...

The /etc/sudoers (sudoers) file allows us to give a specific user or group sudo rights to run single or multiple commands. In this instance, we want the users to run the Runtime app with sudo, but to make it easy it has to be started from a script. To make it really easy, we will wrap it into an app later.

First, in the /etc/sudoers file we give the group “EDUC\domain users” a user alias:

    # This line gives the domain users group an alias of “STAFF”.
    User_Alias STAFF=%EDUC\\domain\ users

Next, we need to tell the sudoers file what the STAFF group can run:

    # This line says the STAFF alias can run the script at /usr/sbin/dsruntime.sh using sudo, as root, WITHOUT prompting for a password. Understand? NO PASSWORD REQUIRED!
    STAFF ALL = NOPASSWD: /usr/sbin/dsruntime.sh

OK, that’s cool, but what’s that you ask? We don’t have a script to run at /usr/sbin/dsruntime.sh?

We want to create a script that will open the Runtime application as root. Create the file at /usr/sbin/dsruntime.sh with these contents:

    #!/bin/bash
    # Open DeployStudio with Sudo
    # Stop if the cd fails, so ./Runtime is never resolved against the caller's directory.
    cd /Applications/Utilities/DeployStudio\ Runtime.app/Contents/MacOS/ || exit 1
    sudo ./Runtime

Give it permissions to run:

sudo chown root:wheel /usr/sbin/dsruntime.sh && sudo chmod 500 /usr/sbin/dsruntime.sh

This script changes into the Runtime.app directory and opens the binary as root using sudo. Since we have edited the sudoers file to run the script file as root, the commands inside of it run as root. Don’t believe me? Add “say `whoami`” to the end of the script and run it from the terminal. Make sure your volume is up. What does it say?
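Because the sudoers entry runs everything in dsruntime.sh as root with no password, the setup is only as strong as the ownership and permissions on the script, the binary it launches, and every directory above them. The check below is an added example, not part of the original wiki page; the function names and the optional UID and TOP arguments are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: audit a path that a NOPASSWD sudoers rule lets users run as root.
# Function names and the optional UID/TOP arguments are illustrative assumptions.

# check_component PATH UID: print a finding and return 1 if PATH is unsafe.
check_component() {
    local p="$1" uid="$2" rc=0
    if [ -L "$p" ]; then
        echo "FAIL $p: symlink, audit the resolved path instead"; return 1
    fi
    if [ ! -e "$p" ]; then
        echo "FAIL $p: missing"; return 1
    fi
    # -prune limits find to $p itself; these tests work on BSD and GNU find.
    if [ -n "$(find "$p" -prune ! -user "$uid" -print)" ]; then
        echo "FAIL $p: not owned by uid $uid"; rc=1
    fi
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL $p: group- or world-writable"; rc=1
    fi
    return $rc
}

# audit_chain PATH [UID] [TOP]: check PATH and every parent directory up to TOP.
# UID defaults to 0 (root) and TOP to /.
audit_chain() {
    local p="$1" uid="${2:-0}" top="${3:-/}" rc=0
    while :; do
        check_component "$p" "$uid" || rc=1
        case "$p" in "$top"|/|.) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}

# On a client, for the paths used on this page:
#   audit_chain /usr/sbin/dsruntime.sh
#   audit_chain "/Applications/Utilities/DeployStudio Runtime.app/Contents/MacOS/Runtime"
```

Any FAIL line names a file or directory that someone other than root could change, and therefore a way to alter what the passwordless rule ends up running.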

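So now we can open the Runtime app from the terminal using the command below. Call the script by its full path, exactly as it is listed in the sudoers entry; running it through bash would not match the NOPASSWD rule:

sudo /usr/sbin/dsruntime.sh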

It’s a little too much to ask a user to do, although most could, so let’s make it easier for them.

Create another script called platypus.sh on your desktop. Enter these as the contents:

    #!/bin/bash
    sudo /usr/sbin/dsruntime.sh &

Download and install Platypus: http://sveinbjorn.org/platypus

Open Platypus and drag the script from your desktop to the “Script Path:” field. Change your identifier and author, and whatever other settings you’d like. This is what I’m using: File:Example.jpg

Create your new app and double click it! You should see it for a second and then see DeployStudio Runtime.app open without needing a password!

Issues:

Firstly, I don’t seem to be able to make this work off of the hard wired network from work. I’ve only tested it there and offline on my carpool home. The commands to start the dsruntime.sh are asking for sudo rights, and they shouldn’t be. I’ll need to look into that, but it does add a level of security, if only the theater variety.

Changing the sudoers file entry from:

STAFF ALL=NOPASSWD: /usr/sbin/dsruntime.sh

to

userid ALL=NOPASSWD: /usr/sbin/dsruntime.sh

negates the need for the User_Alias, but should only allow my userid to launch the app.