install4j "Request privileges" not working as expected on macOS

Question

We ran into a problem when trying to install Homebrew on macOS using a Custom Action in our install4j installer. Before executing the Homebrew installation script, we request admin privileges as shown in the logs below (the user that runs the installer is an Administrator). However, the installation script does not seem to be executed as an admin, it fails with the error message Need sudo access on macOS (e.g. the user xxx needs to be an Administrator)!.

Our Custom Action has the elevation type "Elevate to maximum available privileges", shouldn't this lead to the action using admin privileges?

[INFO] com.install4j.runtime.beans.actions.misc.RequestPrivilegesAction [ID 22]: Execute action
       Property linuxPrivilegeRequirement: None
       Property allRequested: true
       Property failIfNotObtainedLinux: false
       Property failIfNotObtainedMac: true
       Property failIfNotObtainedWin: true
       Property failIfNotRootUnix: true
       Property obtainIfAdminMac: true
       Property obtainIfAdminWin: true
       Property obtainIfNormalMac: true
       Property obtainIfNormalWin: true
       Property rollbackSupported: false
       Property updateInstallationDirectory: true
       args: ...
       Execute action successful after 7597 ms
[INFO] com.example.HomebrewInstaller [ID 161]: Using communication backend com.install4j.runtime.installer.platform.unix.PipeCommunicationBackend
       Execute action
       Property context: null
       Property rollbackSupported: false
       Executing commands: [/bin/zsh, -c, NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"]
       Output: ==> Running in non-interactive mode because `$NONINTERACTIVE` is set.==> Checking for `sudo` access (which may request your password)...Need sudo access on macOS (e.g. the user xxx needs to be an Administrator)!
       Execute action successful after 312 ms

Ingo Kegel · Accepted Answer · 2022-07-04T13:18:37.480

1

The elevated helper process in install4j runs as root. It looks like Homebrew does not want to run as root. You would have to wrap the sudo calls in the installer into a graphical sudo like described here:

https://stackoverflow.com/a/3034671/936832

and run the "Run executable action" without elevated privileges.

edited Jul 04 '22 at 13:18

answered Jun 29 '22 at 12:45

Ingo Kegel

46,523
10
71
102

Thanks for the quick answer! Executing `osascript -e 'do shell script "NONINTERACTIVE=1 /bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\"" with administrator privileges'` seems to run the command as root, since it fails with the error message "Don't run this as root!". The same thing happens when executing the whole install4j installer with sudo. So it seems to me that our Custom Action is somehow not elevated, since it fails with a different error message (as described above). – sse Jul 04 '22 at 13:01
Code in actions that have elevated privileges do run with root privileges. I clarified my answer, it would have to be the sudo calls in the Hombrew installer that would have to be wrapped in that way. I don't know if that is possible, though. – Ingo Kegel Jul 04 '22 at 13:23
Thanks for the clarification, I'll try to modify the Homebrew installation script to use graphical sudo instead. I tested this approach with a different sudo command and interestingly no additional password dialog is opening if the action is elevated, it seems to work with the root privileges of the elevated helper process. When executing the action in "Do not elevate" mode, the graphical sudo dialog pops up as expected. – sse Jul 06 '22 at 09:54

score 1 · Answer 2 · answered Nov 22 '22 at 16:36

I tested this directly in Terminal.

As root, the Homebrew installer would be executed with root privileges, which is not allowed. As an admin user, you cannot run the Homebrew installer with sudo either - same effect as run as root.

As the Homebrew installer needs admin privileges and has to run some commands with sudo, sudo must be "active".

You can, directly before issuing the install.sh command, use a harmless command with sudo. Like

sudo echo Hello

sudo will then be active for a predefined while and will then be revoked again. Within this time, any sudo commands won't need another password entered.

If you run the Homebrew install.sh directly afterwards, no issues occur.

I tested this with NONINTERACTIVE=1 and it worked.

I am now searching for a way to pass the admin password safely to a script to make the install process completely non interactive...

install4j "Request privileges" not working as expected on macOS

2 Answers2