Script Editor - Apple script starting terminal and running bash script.

Hello


I have a little "Apple script" made in script editor.

This app has an icon on my desktop.

The app has the following code :


with timeout of 60 seconds
	tell application "Terminal"
		activate
		set currentTab to do script ("sudo /bin/bash /Users/tormod/Scripts/startup.sh && exit")
	end tell
end timeout



And when pressed, the app runs a script called startup.sh

startup.sh has the following code :


#!/usr/bin/env bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users:/Users/root:/Users/root/Scripts:/Library/Scripts:/Library/Scripts/Startup
#Load modules for Fuse
/Library/Filesystems/osxfuse.fs/Contents/Resources/load_osxfuse
/usr/sbin/sysctl -w vfs.generic.osxfuse.tunables.allow_other=1
#Connect to rsync_net
/bin/sleep 30
/usr/local/bin/sshfs XXXX@XXXXX.ch-s011.rsync.net: /mnt/sshfs -oauto_cache,reconnect,local,volname=rsync_net,allow_other,defer_permissions


When I start the small apple script, it will open terminal and run the startup.sh .

Startup.sh will ask for the password for the user logged in.

How can the script be run, without the script asking for password ?

I would like the script to run without any password prompt.

Posted on Nov 5, 2020 2:40 AM

Question marked as Top-ranking reply

Posted on Nov 5, 2020 3:35 PM

If you want no password prompt at all then you need to tell sudo to allow the user to run the command without a password.


As BobHarris suggested, this is done via visudo but you need to be careful.


Use visudo to add a line like:


username		ALL = (ALL) NOPASSWD: /Users/tormod/Scripts/startup.sh


Then change your AppleScript to just:


do shell script "sudo /Users/tormod/Scripts/startup.sh"


This will invoke the script in the background (no Terminal.app required) and run the sudo command. If the sudoers file is correct, it should run without needing a password.

Nov 5, 2020 3:02 PM in response to tormod_bjorøy

If you are going to run sudo, then you are going to be prompted for a password.


You can try something like

do shell script "ScriptHere" with administrator privileges

which will prompt for the password in a dialog box.


You could see about changing the /etc/sudoers file, but I never do that, so you would have to Google that for instructions. And if you do not do it carefully, you can

A) break the /etc/sudoers file so that you will not be able to use sudo again, or

B) create a security hole that malicious processes could take advantage of.


You could use ssh and ssh-keygen keys. Put your user's ssh-keygen *.pub key into /var/root/.ssh/authorized_keys file. Then

ssh localhost 'script_here'

Nov 7, 2020 3:44 AM in response to Camelot

Thanks a lot to BobHarris and Camelot.

I used

sudo visudo 

to add a line as per Camelot's instructions. Visudo should be used as sudo user or root user.


Added a line, and I can now use this script ( and this script only ) without password.

I also tested to run in the background, but decided it was ok to see the status as the script proceeds.


Thanks again for the help.


Nov 7, 2020 7:05 PM in response to tormod_bjorøy

To prevent messing up the "sudoers" file itself you should create the rule in another file located in the "/etc/sudoers.d/" folder. You can name the file whatever you want and it uses the same formatting as the regular "sudoers" file. You can create this file easily by calling "visudo" like:


sudo  EDITOR=nano  visudo  -f  /etc/sudoers.d/<name-of-file>

sudo  EDITOR=nano  visudo  -f  /etc/sudoers.d/startup-script-nopasswd


The first line is just a generic template, while the second line is an example which will create a file in "/etc/sudoers.d" called "startup-script-nopasswd" which will contain the single line granting a specific user root access to run the specified script "/Users/tormod/Scripts/startup.sh" without a password. I suggest adding a comment to the file to properly list its purpose.


Contents of "startup-script-nopasswd":

tormod   ALL=(root) NOPASSWD: /Users/tormod/Scripts/startup.sh


"visudo" will check the file just like it does for the main "sudoers" file. I added the "EDITOR=nano" since it is easier for most users to use so you can remove this option if you like the default "vi" editor.


If you are using more recent versions of macOS you may need to change the path to the "/etc/sudoers.d" folder if you are unable to store the file in the default location. Catalina has moved the user modifiable locations for some folders and I'm not sure what the correct path is to access the writable location.

Nov 7, 2020 7:24 PM in response to HWTech

Edit: I should add that you really should not run your script using "sudo" unless every command in the script requires root privileges. It is better & safer to only use "sudo" on just the commands within the script that require root privileges. In that case you would need to grant those commands in the "/etc/sudoers.d" file for no password instead of your script. To make it more secure you should include the option flags for each command you are adding to the "/etc/sudoers.d" files to further limit what the user can do without using passwords. See "man sudoers" for more information.

Nov 9, 2020 4:41 PM in response to HWTech

That's a fair point about limiting which commands can be NOPASSWD.


Think about it a different way - if you grant NOPASSWD rights to a script (such as /Users/tormod/Scripts/startup.sh) then you need to restrict access to that file - otherwise a nefarious user could edit that script to do anything they want, then invoke it via sudo and it would run unfettered.


Lots to consider here.
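
The file-access concern raised in the reply above can be checked mechanically. The following is an added example, not part of any post in this thread: it walks from a NOPASSWD target up to "/" and reports every component that a non-root account could modify. The function names `component_is_safe` and `audit_sudo_target` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit a sudoers NOPASSWD target.
# A script run via passwordless sudo is only as protected as the file and
# every directory above it; whoever can write one of them can replace it.

# Check one path component. Prints a finding and returns 1 when it is not
# owned by the trusted uid or is writable by group or others.
component_is_safe() {
    c_path=$1; c_uid=$2
    # "ls -ldn" prints the same leading fields on macOS and GNU systems:
    # mode, link count, numeric uid, numeric gid, ...
    c_info=$(ls -ldn -- "$c_path" 2>/dev/null) || {
        echo "MISSING   $c_path"; return 1; }
    c_mode=${c_info%% *}
    c_owner=$(printf '%s\n' "$c_info" | awk '{print $3}')
    c_gw=$(printf '%s' "$c_mode" | cut -c6)   # group write bit
    c_ow=$(printf '%s' "$c_mode" | cut -c9)   # other write bit
    c_bad=0
    if [ "$c_owner" != "$c_uid" ]; then
        echo "OWNER     $c_path is owned by uid $c_owner, not $c_uid"; c_bad=1
    fi
    if [ "$c_gw" = "w" ] || [ "$c_ow" = "w" ]; then
        echo "WRITABLE  $c_path has mode $c_mode"; c_bad=1
    fi
    return $c_bad
}

# Walk from the target up to "/" and check every component.
# The trusted uid defaults to 0 (root). Symbolic links list as lrwxrwxrwx
# and are therefore reported; resolve them and audit the real path instead.
audit_sudo_target() {
    a_target=$1; a_uid=${2:-0}; a_rc=0
    case $a_target in
        /*) ;;
        *) echo "need an absolute path: $a_target"; return 2 ;;
    esac
    a_p=$a_target
    while :; do
        component_is_safe "$a_p" "$a_uid" || a_rc=1
        [ "$a_p" = "/" ] && break
        a_p=$(dirname "$a_p")
    done
    return $a_rc
}
```

Call it as `audit_sudo_target /Users/tormod/Scripts/startup.sh`; any line of output names a file or directory through which a non-root account can change what the NOPASSWD rule runs.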



Nov 10, 2020 8:00 AM in response to tormod_bjorøy

tormod_bjorøy wrote:

Valid points for some systems.
This particular system is a laptop, and is used by one user.
Thanks for all input and replies, however.

Regardless of how the laptop is used, it is always good practice to always code as safely as possible at all times. Even then things will slip by you. You also don't know what other unintended accidental side effects it could have. I've read enough scripting advice in various forums and articles to know that there are a lot of ways to have unintended side effects occur by having a whole script run as root especially with no password required. Even the code used within the script may have unintended consequences under certain conditions such as running code you didn't realize you were actually running (thinking you are parsing something, but instead it actually can run code under some conditions). Of course it is your system, but it is best to code as safely as possible all the time so you are used to thinking about safety and unintended consequences. It is very hard to undo bad techniques later on.

Nov 14, 2020 12:30 PM in response to HWTech

Just for fun, I tried to add the following lines using visudo

tormod   ALL=(root) NOPASSWD: /usr/sbin/sysctl
tormod   ALL=(root) NOPASSWD: /usr/local/bin/sshfs


Instead of running the whole script as root.

This actually did not work, and it still needed password.

I then tried to add all the arguments for the commands as well. With all the arguments for sysctl and sshfs added, visudo complained about "syntax error".


So, I might try to limit access to the script instead.


Nov 14, 2020 5:09 PM in response to tormod_bjorøy

tormod_bjorøy wrote:

Just for fun, I tried to add the following lines using visudo
tormod ALL=(root) NOPASSWD: /usr/sbin/sysctl
tormod ALL=(root) NOPASSWD: /usr/local/bin/sshfs

Instead of running the whole script as root.
This actually did not work, and it still needed password.

You still need to run those commands within your script using "sudo". You may want to test those individual commands outside of your script.


I then tried to add all the arguments for the commands as well. With all the arguments for sysctl and sshfs added, visudo complained about "syntax error".

I had to experiment a little bit to get some argument options to work.
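
On rules that pin arguments: the sudoers manual requires `,`, `:`, `=` and `\` to be backslash-escaped when they appear inside command arguments, and the sysctl and sshfs arguments in startup.sh contain the first three. The following is an added example, not part of any post in this thread, that builds the escaped rules and has visudo parse them without installing anything; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): build per-command NOPASSWD rules
# with pinned arguments and syntax-check them before installing.

# sudoers treats , : = and \ as syntax, so each must be backslash-escaped
# when it appears inside a command argument.
sudoers_escape() {
    printf '%s' "$1" | sed 's/[\\,:=]/\\&/g'
}

# Print one rule: user, absolute command path, then the exact arguments.
# sudo then skips the password only for this exact command line.
sudoers_rule() {
    r_user=$1; r_cmd=$2; shift 2
    printf '%s ALL=(root) NOPASSWD: %s' "$r_user" "$r_cmd"
    for r_arg in "$@"; do
        printf ' %s' "$(sudoers_escape "$r_arg")"
    done
    printf '\n'
}

# Rules for the two commands from startup.sh named in the thread,
# with the arguments exactly as posted there.
startup_rules() {
    sudoers_rule tormod /usr/sbin/sysctl \
        -w vfs.generic.osxfuse.tunables.allow_other=1
    sudoers_rule tormod /usr/local/bin/sshfs \
        XXXX@XXXXX.ch-s011.rsync.net: /mnt/sshfs \
        -oauto_cache,reconnect,local,volname=rsync_net,allow_other,defer_permissions
}

# Write the rules to a scratch file and let visudo parse it
# (-c: check only, -f: alternate file). Nothing is installed.
check_rules() {
    k_tmp=$(mktemp) || return 1
    startup_rules > "$k_tmp"
    visudo -cf "$k_tmp"; k_rc=$?
    rm -f "$k_tmp"
    return $k_rc
}
```

With rules like these, startup.sh itself runs unprivileged and calls each of the two commands through `sudo` with exactly the listed arguments.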

