Platypus Owns… I Still Lose

The always-reliable Gregg pointed me to Platypus, which fits exactly with my previous “wish list”:

[re: PyOXIDE] an altogether different application… that would insulate me from having to know anything about the underlying OS X application framework, so I could just make a Python script clickable… and have it fucking work

For that—and that much only—Platypus kicks ass. It’s perfect! But (yeah, sorry I’m a bitch), that’s not the end of the story.

The specific Python script I’m trying to “dumb down” into a clickable app requires one step that must be performed as root (with “sudo”). [if you must know, it’s that Samba port forwarding mess from before]

In Platypus, even when you select the “Requires Administrator Privileges” checkbox for the app before you create it… sure enough it will prompt the user for his/her password when they launch your new app, but it doesn’t actually go far enough to authenticate against the “sudoers” list.

The user will have to go into Terminal and “sudo” something first, provide the password (and become one of the Holy Grand Sudoers Blessed), and finally run the app that Platypus created. Otherwise, the “sudo” step in the original script will simply hang and wait for interactive authentication.

Platypus comes with a quick blurb about using CocoaDialog for user input, but I haven’t yet gone that far to see if this type of interactive authentication will work for “sudo”. It might, but a gut feeling tells me I’d spend hours chasing down another dead end. So enough for now.

I lose.

Posted in Mac

4 thoughts on “Platypus Owns… I Still Lose

  1. It’s using Authentication Services, that’s why, not the sudoers/teminal. It’s “broken as designed” for your specific application.

    can you make the script setuid root? That’s a shit idea but given that it’s a limited distribution and returns immediately.. I mean `ping` is setuid and I don’t hear anyone bitching….

  2. I get that my specific application is broke-dick, and I honestly appreciate all the apps out there that get me 95% of the way.

    I’ve never had to write a Python script that uses setuid root, so learning how to do that, and protect what I’ve written only presents yet another learning curve that I’m–at this point–unwilling to traverse.

    For this specific application, we’re talking aboot 9 lines of code… most of which use os.system() to forward local ports to remote ones. Pretty goddamned convenient as a double-clickable, until…

    The one that’s fucking me up is the local 139, since OS X won’t allow you to “Go >> Connect to Server…” on an alternate, unprivileged port. If OS X would allow a local SMB server connect to a high port (say, 50139), then I’d be fucking set.

    It’s as if there are 10 different limitations to 10 different factors (OS X, SMB, PyObjC, PyOXIDE, Platypus, maybe CocoaDialog, maybe even Objective C) that make my lazy attempt to do X un-doable.

    Like I said, it’s taken me less time to write full-up documentation explaining to the “barely computer literate single user” how to get this shit done in Terminal.

  3. is the user in question not an admin user on the box, but in the sudoers file? If that’s the case then you probably have stepped outside the bounds of any application short of roll-your-own. In other words, if you have decided “this user can do this one thing and this one thing only as root”, by putting them in sudoers, and not allowing them Admin rights, then you cannot use Authentication Services, which lives outside the world of sudoers. You’re stuck scripting.

    But I did a simple test, using Net::Ping to make ICMP packets (ie traditional ping) with Authentication Services in both C and w/ Platypus to wrap it, and it works. So I got that going for me, which is nice. If you’re stuck in sudoers land then you really probably will have to write a solution, and like you said, documentation is probably easier at that point.

  4. The user has Admin rights and is a sudoer. The problem isn’t that they can’t use the simple script… it’s just that Authentication Services (apparently) doesn’t actually pass along the user’s credentials to the system.

    If I have the user open Terminal and “sudo ls” and provide their password, then the app works without a hitch and the low port gets forwarded. Without sudoing anything, it hangs.

    At that point, it’s not much of a stretch to just say “okay fuck it” and teach them how to open Terminal and type “sudo ./” and let them go on their way.

Comments are closed.