displaying messages to remote computers
#33545 03/25/15 12:31 PM
Joined: Aug 2009

I used to be able to push this terminal command with remote desktop, or ssh into a computer (as root) and enter it, to display a message for the user:

osascript -e "tell application \"System Events\" to display dialog \"access to Video Server has been restored\" buttons {\"OK\"} default button 1 with title \"Message from Administrator\" with icon file \"Macintosh HD:System:Library:CoreServices:Feedback Assistant.app:Contents:Resources:State-Success.icns\""

But sometime around 10.7 Apple appears to have blocked AppleScript's access between user processes. From what I can tell, AppleScript can't "send messages to processes outside its call chain from LoginWindow". Whatever the specific issue, I'd like to be able to continue to display messages as needed. I can't be logged in as the user, since I don't know their password. Prepending "sudo -u theirusername " doesn't help either.

Any ideas?


I work for the Department of Redundancy Department
Re: displaying messages to remote computers
Virtual1 #33547 03/25/15 03:36 PM
Joined: Aug 2009
Likes: 8

No solution. Just wanted to compliment you on the nature of your issues (here and in other postings). You do not have run of the mill problems and you help to keep all of us on our toes in pursuit of solutions, etc.

Thanks. smirk


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: displaying messages to remote computers
Ira L #33550 03/25/15 07:06 PM
Joined: Aug 2009

"The difficult I solve immediately. The impossible takes a little longer."


I work for the Department of Redundancy Department
Re: displaying messages to remote computers
Virtual1 #33551 03/25/15 07:24 PM
Joined: Aug 2009
Likes: 15

Just to clarify, is this a sandbox issue?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: displaying messages to remote computers
Virtual1 #33554 03/25/15 10:13 PM
Joined: Aug 2009
Likes: 3
Moderator


Are you sure you've done this more recently than, say, 2008?

I ask because that's when the notorious ARDAgent / Applescript root exploit surfaced, Apple's eventual cure for which was "not loading scripting addition plugins into applications running with system privileges."

Despite the invocation of System Events in your script, do shell script and, for that matter, display dialog, are both part of Standard Additions.

Last edited by dkmarsh; 03/25/15 10:26 PM.


dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: displaying messages to remote computers
dkmarsh #33563 03/26/15 12:23 PM
Joined: Aug 2009

The ARD thing was basically this: when running Remote Desktop, one thing you can do is "send shell script". This script can either run as the current user on the target computer, or as root. (Practically all of the time you want to run it as root, though, annoyingly, as user is the default.) To do this, the admin tells the client to execute the command. It appears to have used AppleScript as a channel to do this. So basically the exploit was to use the same method (locally) to tell the local ARD client to run the shell command, as root.

To fix this probably required substantial re-engineering of how ARD sends shell commands.

I don't know if it's related to my issue or not; it's quite possible. I don't know for certain when it stopped working, but my best memory is around 10.6 or 10.7. (It may have worked in 10.6 until a specific update hit.)

I've been mulling it over. I also needed a way for users to resume a printer queue that was paused, which a standard user doesn't have the authority to do. (If a printer runs out of paper while a user is printing, it will pause. If they don't fix it and log out, the printer remains paused on the computer FOR ALL USERS until an admin unpauses it.) So I had to write a daemon that unpauses printers for users when they log in. (It sent a request to a daemon that was running as root, whose only feature was to unpause printers.) I have since gotten rid of that since I figured out how to allow non-admins to resume queues, but I could use the same technique here, I think. Store a text string in the user's home in a hidden file, owned by the user, ~/.message for example. Have a launch agent running for the user, and if it sees that file and it's owned by the user, display the dialog using the text in the file, and remove the message file. Convoluted, but functional. *shrug*

I certainly do seem to be running into lots of opportunities to create very creative and customized solutions in my new job...



OK, weirdness ensues... if I log in as root and try this:

osascript -e "tell application \"System Events\" to display dialog \"access to Video Server has been restored\" buttons {\"OK\"} default button 1 with title \"Message from Administrator\" with icon file \"Macintosh HD:System:Library:CoreServices:Feedback Assistant.app:Contents:Resources:State-Success.icns\""

it gives me:

36:284: execution error: An error of type -10810 has occurred. (-10810)

BUT... if I use ARD to send shell command to the computer, with a user logged in, and send the above command as root, it WORKS.

yeah, ARD is definitely hacking around the system's security now.


I work for the Department of Redundancy Department
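
The `~/.message` launch-agent idea from the last post, sketched as an added example (not code from the thread): the agent script refuses symlinks and files it does not own, caps and sanitises the text, and hands it to AppleScript through an environment variable instead of building the script source from it. The `MSG_FILE` and `MAX_BYTES` names, the 512-byte cap and the per-user LaunchAgent that would start the script are assumptions.

```shell
#!/bin/sh
# Added example: per-user agent script for the ~/.message idea described above.
# MSG_FILE and MAX_BYTES are assumed names and values, not taken from the thread.
MSG_FILE="${MSG_FILE:-$HOME/.message}"
MAX_BYTES=512

# Print the sanitised message and delete the file, but only if every check
# passes. Returns non-zero and prints nothing otherwise.
read_user_message() {
    f="$1"
    [ -L "$f" ] && return 1     # refuse symlinks: they could point at another file
    [ -f "$f" ] || return 1     # must be a regular file
    [ -O "$f" ] || return 1     # must be owned by the user this agent runs as
    size=$(( $(wc -c < "$f") ))
    [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ] || return 1
    # Keep printable characters only; control bytes and newlines are dropped.
    msg=$(tr -cd '[:print:]' < "$f")
    rm -f -- "$f"
    [ -n "$msg" ] || return 1
    printf '%s\n' "$msg"
}

# Show the dialog inside the logged-in user's own session. The text travels in
# the environment (read with "system attribute"), so nothing in the message can
# be interpreted as AppleScript source.
show_dialog() {
    ADMIN_MSG="$1" osascript \
        -e 'display dialog (system attribute "ADMIN_MSG") buttons {"OK"} default button 1 with title "Message from Administrator"'
}

# Assumed to be started by a per-user LaunchAgent (for example one using
# WatchPaths on MSG_FILE). Skipped on systems without osascript.
if command -v osascript >/dev/null 2>&1; then
    msg=$(read_user_message "$MSG_FILE") && show_dialog "$msg"
fi
```

An administrator connected as root would write the text to the user's `~/.message` and `chown` it to that user; the agent, running as the user, then picks it up without root ever talking to the GUI session.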
