julienXX / terminal-notifier

Send User Notifications on macOS from the command-line.

Using sudo -u as root? #145

Closed wackazong closed 7 years ago

wackazong commented 8 years ago

I would like to use terminal-notifier in a script which is executed as root. I tried to use something like this

sudo -u ander terminal-notifier -subtitle 'TEST' -message 'TEST'

where username is the currently logged-in user. But this just hangs and never returns. How can I achieve this? I can reproduce it by becoming root via sudo su - in Terminal and then executing the above command; it never returns.

julienXX commented 8 years ago

I think your user is not logged in with a graphical shell when doing a su, therefore you're not able to access the Notification Center.

wackazong commented 8 years ago

Yes, the user is logged in. Just the script is executed as root.

JayBrown commented 8 years ago

I've had the same problem. When I run a script from the shell either with sudo or after sudo su, everything is fine, and terminal-notifier works as advertised. But when the same script is called by a global daemon running as root:wheel (in /Library/LaunchDaemons), then, when terminal-notifier is called—either directly with /usr/local/bin/terminal-notifier or with the path to the binary in the .app—nothing happens, and I get the error message:

DATE TIME terminal-notifier[#NO:#NO] CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : failed to create global data

That's an OS X safety thing, as far as I can tell. The only solution I could think of is calling the script with a user agent (in ~/Library/LaunchAgents, admin:staff), and in the script itself adding $ echo $PASSWORD | sudo -S before every command that needs to be run with su privileges, while avoiding $PASSWORD in plaintext, instead reading the admin password e.g. from a generic-password item in your OS X Keychain with the security command. This is what I'm doing at the moment. I'm still getting "password" error messages for every sudo call in .stderr, but the script works fine anyway. The alternative would be to edit the system's sudoers file and whitelist my script, but I haven't tested it yet.

ebdrup commented 8 years ago

I have this same problem with a program set up with a .plist file in ~/Library/LaunchAgents/. So far I've had no luck fixing this; adding UserName to the plist also doesn't work.

skull-squadron commented 7 years ago

It may be a lack of NSNotificationCenter support in macOS when su{,do}-ing.

Temporary hackaround:

  1. Write a tiny service which runs as a ~/Library/LaunchAgents job and listens to requests on a known UNIX socket and calls terminal-notifier based on requests.

  2. Then, write a trigger script which can be run as root.

This ensures priv separation.
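The relay-plus-trigger split described above, as an added example (not part of terminal-notifier and not the commenter's own code): a small Python service that the logged-in user runs from a LaunchAgent, listening on a UNIX socket (path assumed) and accepting only title/subtitle/message text, plus a `send` helper that a root-run script calls. It assumes Python 3 and terminal-notifier on PATH.

```python
# User-level notification relay (constructed example, not part of terminal-notifier).
# Runs as the logged-in user, e.g. from a ~/Library/LaunchAgents job (assumed), and
# listens on a UNIX socket; a root daemon sends a JSON request instead of calling
# terminal-notifier itself, so the root side never needs a GUI session.
import json, os, socket, subprocess, sys

SOCK_PATH = os.path.expanduser("~/Library/notify-relay.sock")  # assumed location
ALLOWED_KEYS = {"title", "subtitle", "message"}
MAX_LEN = 256

def parse_request(raw: bytes):
    """Validate one request and return the argv to run, or None if rejected.
    Only text fields are accepted: the relay never forwards options such as
    -execute or -open, so a caller cannot make the user's session run commands."""
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(req, dict) or set(req) - ALLOWED_KEYS or not req.get("message"):
        return None
    argv = ["terminal-notifier"]
    for key, val in req.items():
        if not isinstance(val, str) or not 0 < len(val) <= MAX_LEN or "\n" in val:
            return None
        argv += ["-" + key, val]
    return argv

def serve(path=SOCK_PATH):
    """Accept requests forever; each valid one runs terminal-notifier as this user."""
    if os.path.exists(path): os.unlink(path)
    old_umask = os.umask(0o077)  # socket file is mode 0600: only this user (and root) connect
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.umask(old_umask)
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            argv = parse_request(conn.recv(4096))
            if argv:
                subprocess.run(argv, check=False)  # argv list, no shell: text is never re-parsed

def send(message, title=None, path=SOCK_PATH):
    """Root-side trigger: connect to the user's socket and hand over one request."""
    req = {"message": message, **({"title": title} if title else {})}
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(json.dumps(req).encode("utf-8"))

if __name__ == "__main__":  # `relay.py` serves; `relay.py send TEXT` triggers as root
    send(" ".join(sys.argv[2:])) if sys.argv[1:2] == ["send"] else serve()
```

Because root can connect to any socket, the protection comes from the relay only ever building a fixed set of text arguments, not from the socket permissions alone.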

JayBrown commented 7 years ago

It might be the same reason why you can run sudo osascript with some standard commands, but not sudo osascript with GUI scripting, e.g. opening a window to select a file, and then pass the filepath from osascript to the shell script. Otherwise you could use osascript to navigate into restricted directories like /private/var/root and select files in there.

skull-squadron commented 7 years ago

There's probably also some security on XPC that sudo/su aren't handling. Writing a tiny userland service which does one thing is both more secure and easier to troubleshoot and reason about. This is how I set DNS servers when the internet becomes un/reachable.

julienXX commented 7 years ago

Closing the issue, feel free to re-open if needed.