@dardo82
Last active June 8, 2023 22:27
OSX sudo helper
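#!/bin/sh
# Install a sudo askpass helper that reads the password from the keychain.
BIN="/usr/local/bin/askpass"; touch "$BIN"; chmod 755 "$BIN"
# Trailing -w prompts for the password; -T "" trusts no application.
security add-generic-password -a "$USER" -s login -T "" -w
# Write the helper ($USER is expanded now, at install time), then export it.
printf '#!/bin/sh\nsecurity find-generic-password -a %s -s login -w\n' "$USER" > "$BIN"
printf '\n# Set sudo helper.\nexport SUDO_ASKPASS=%s\n' "$BIN" >> ~/."${SHELL##/*/}"rc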
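
An added check, not part of the gist: `sudo -A` runs whatever `SUDO_ASKPASS` points to and reads the password from its output, so the helper installed above and its directory should not be replaceable by another account. The function name `check_askpass` is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the file that SUDO_ASKPASS points to before relying on it.
# check_askpass is a hypothetical helper name, not part of the gist.

# Print one finding per line; return 0 only when no problem was found.
check_askpass() {
    helper=$1
    rc=0
    case $helper in
        /*) ;;
        *) echo "not an absolute path: $helper"; return 1 ;;
    esac
    if [ -L "$helper" ]; then
        echo "is a symlink: $helper"; rc=1
    fi
    if [ ! -f "$helper" ] || [ ! -x "$helper" ]; then
        echo "not an executable regular file: $helper"; return 1
    fi
    # find -perm -MODE matches when all bits of MODE are set (BSD and GNU find).
    for target in "$helper" "$(dirname "$helper")"; do
        if [ -n "$(find "$target" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
            echo "writable by group or others: $target"; rc=1
        fi
    done
    return $rc
}

# Audit the current environment when SUDO_ASKPASS is set.
if [ -n "${SUDO_ASKPASS:-}" ]; then
    check_askpass "$SUDO_ASKPASS" && echo "ok: $SUDO_ASKPASS"
fi
```

A group-writable parent directory is reported because any member of that group can replace the helper even when the file itself is mode 755.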
Author

dardo82 commented Jul 3, 2019

# sudo() { osascript -e "do shell script \"$*\" with administrator privileges" }

# osascript -e 'display dialog "Enter user password:" default answer "" \
# with hidden answer with icon file "System:Library:Frameworks:\
# SecurityInterface.framework:Versions:A:Resources:\
# Lock_Locked State@2x.png" with title "sudo"' | cut -d: -f3


gingerbeardman commented May 21, 2021

Q: How do I use this?

A: as follows

  1. run mac-askpass.sh
  2. make sure export SUDO_ASKPASS... is in the .bashrc, .zshrc file for the shell you'll be in
  3. run command with sudo -A
  4. GUI password prompt will appear, and password will be remembered!

Thanks for this!

Author

dardo82 commented May 21, 2021

You execute it. But why would you?


gingerbeardman commented May 21, 2021

I figured it out and posted a guide above.

My use case is that I run scripts through a Mac app called Context Menu and some of my scripts require sudo, for various reasons. Whilst plain sudo used to work in Mojave with no problems, in Big Sur I am prompted to set up an "askpass helper". And here we are!

Author

dardo82 commented May 21, 2021

I'm glad to have helped you, thanks for the clarification. 🤓

@vishwas325

Hi. The script you have written (for askpass helper) looks for a password for account $USER under login keychains and then outputs the password to sudo, right? Is there a way to directly query for password using GUI and supply it to sudo (not query the keychain) using security command?

Author

dardo82 commented Jun 19, 2022

Why? Explain your use case...

@vishwas325

So, the use case I am dealing with is like this: I am making an app where some scripts require sudo privilege. I want my askpass helper program to be complete such that if the user's password is not already stored in a keychain, then I want to pop up the UI to add the new password into the keychain and then further query it. But the code security add-generic-password -a $USER -s login -T "" -w doesn't pop up a GUI. So the script is stuck...

Author

dardo82 commented Jun 19, 2022

Have you tried following the @gingerbeardman guide?
In short you should use sudo -A instead of just sudo.


vishwas325 commented Jun 19, 2022

Yes, that's right. I am using sudo -A only. The issue is that security add-generic-password doesn't support a UI, I guess. So it's not useful for me because I don't want the user to execute mac-askpass.sh through terminal. I actually see another option in security to bypass sudo which is security execute-with-privileges. Have you worked with this option? Not much doc is mentioned on the man page related to what sort of privilege escalation does it provide? Some pointers to documentation?

Author

dardo82 commented Jun 19, 2022

Have you tried searching on Google as I would do? 🧑‍💻
