Giving Hazel sudo/root privileges

From your noodle to other noodles. Talk about ways to get the most from Hazel. Even exchange recipes for the cool rules you've thought up. DO NOT POST YOUR QUESTIONS HERE.

Moderators: Mr_Noodle, Moderators

Giving Hazel sudo/root privileges Tue May 22, 2018 8:22 pm • by JohnDCCIU
I had a situation where I was trying to use Hazel to overwrite a file to which the normal admin user did not have default permission to do*. Hazel got a permissions error every time when trying to do it via the embedded shell script feature. I was able do it manually at the Terminal using "sudo", but that prompts for a password and I didn't want to put the password in cleartext in Hazel's embedded shell script.

After some research and testing, I hit on this method:
  1. Edit the macOS "sudoers" file (using sudo visudo) and change the %admin line to ALL=(ALL) NOPASSWD:ALL
  2. use sudo in the embedded Hazel script with "echo" to overwrite the existing file in place, with a note that Hazel rolled it...but you have to do it a certain way, by invoking another shell using "sh -c":
    Code: Select all
    sudo sh -c "echo \"Log rolled by Hazel, $(date +"%m-%d-%y_%H:%M:%S")\n\" > fileToRoll.log"
Other methods like just putting "sudo" in front of the echo command, or "sudo -s" at the top of the embedded shell script did not work to overwrite the file for whatever reason: the "sh -c" is what did the trick.

Note that editing sudoers like this gives all admin-level accounts on the machine the ability to do anything they want as root. That has security implications, so be aware of that. You could get fancier and edit sudoers to give only a single account the ability to use only the "echo" command as root if you wanted to get more specific.

Hope this helps someone that is trying to elevate Hazel's permissions in the shell.

John

* My specific goal was to do log-rolling for Tomcat’s “catalina.out” file, because the macOS logroller (newsyslog) doesn’t have the ability to truncate a log in-place (like other unixes do with logrotate using the copytruncate option), and I didn't want to have to restart Tomcat every time I rolled the log.
JohnDCCIU
 
Posts: 13
Joined: Tue Jun 02, 2009 2:17 am

Re: Giving Hazel sudo/root privileges Wed May 23, 2018 11:32 am • by Mr_Noodle
Thanks for the tip. I just want to emphasize your point about the security issues. I highly recommend create a separate account for Hazel to use (and specify only that account in sudoers) as well as limiting the commands that account can run (again in sudoers).

It not only guards against threats but will also limit the damage should you write a script that does more than you bargained for.
Mr_Noodle
Site Admin
 
Posts: 8219
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City


Return to Tips & Tricks - DO NOT POST QUESTIONS