I have a Python script, say install.py (which I run as sudo), on OS X that installs homebrew, Xcode, pip, ruby, swig and ultimately salt. The problem is that starting and installing everything (the Xcode CLI in particular) takes so much time that sudo expires, requiring another prompt for administrator credentials.
Here is the thing. As part of install.py, before starting all installations, I first create a local admin user by opening a subprocess and using:
    # A list, so that the commands run in the order written.
    make_admin_account = [
        "mkdir -p /Users/%(accountname)s",
        "sudo dscl . -create /Users/%(accountname)s",
        "sudo dscl . -create /Users/%(accountname)s UserShell /bin/bash",
        "sudo dscl . -create /Users/%(accountname)s RealName \"%(fullname)s\"",
        "sudo dscl . -create /Users/%(accountname)s UniqueID \"%(uid)s\"",
        # PrimaryGroupID 80 is the admin group.
        "sudo dscl . -create /Users/%(accountname)s PrimaryGroupID 80",
        "sudo dscl . -create /Users/%(accountname)s NFSHomeDirectory /Users/%(accountname)s",
        "sudo dscl . -passwd /Users/%(accountname)s \"%(password)s\"",
        "sudo dscl . -append /Groups/admin GroupMembership %(accountname)s",
        "sudo dscl . -append /Groups/_appserveradm GroupMembership %(accountname)s",
        "sudo dscl . -append /Groups/_appserverusr GroupMembership %(accountname)s",
        "sudo chown -R %(accountname)s /Users/%(accountname)s",
        "sudo createhomedir -c -u %(accountname)s",
    ]
So now we have a local administrator account. Simple enough; now we go through each of the installers. Let's skip ahead to where the Xcode CLI has been installed and we now start homebrew:
    print("Install Homebrew")
    execute("sudo -H -u %s ruby homebrew_ruby" % accountname)
(execute() is a simple function that calls subprocess.Popen().) As soon as it hits sudo, it asks for administrator credentials again. This is undesirable behavior. So, what about passing preexec_fn to the subprocess and running as the newly created administrator account?
    import os
    import pwd

    def demote(user_uid, user_gid):
        def result():
            # Runs in the child just before exec: drop the group first, then the user.
            os.setgid(user_gid)
            os.setuid(user_uid)
        return result

    preexec_fn = demote(pwd.getpwnam(accountname).pw_uid, pwd.getpwnam(accountname).pw_gid)
    execute("ruby homebrew_ruby", preexec_fn=preexec_fn)
Again, execute simply takes the preexec_fn argument and passes it to subprocess.Popen. This returns:

    shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
    chdir: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
    chdir: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
    job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
At this point, I think my new administrator account is configured incorrectly. Exit the script and try adding the new administrator account I just created:
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
It looks familiar.
So, to put my wish in a sentence: I am looking for a way to keep a long-running Python script from prompting for admin credentials again after sudo expires, which happens after 5 minutes by default. I know that I can simply edit /etc/sudoers:
    Defaults timestamp_timeout=15
That should fix it ... but I feel that there must be a better solution here that I am either not seeing or have not yet learned about. If we could run it as a child Python process with preexec_fn, that would be ideal.
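An added example, not part of the original post: one way to run a child as the new account from a root parent with preexec_fn, assuming the getcwd errors above come from the child inheriting a working directory the new account cannot traverse. The names child_env and run_as and the account name "builder" are hypothetical.

```python
import os
import pwd
import subprocess


def child_env(pw, base_env):
    """Copy base_env, pointing the identity variables at the target account."""
    env = dict(base_env)
    env.update(HOME=pw.pw_dir, USER=pw.pw_name, LOGNAME=pw.pw_name,
               SHELL=pw.pw_shell)
    # Variables sudo sets about the invoking user should not leak into the child.
    for name in ("SUDO_USER", "SUDO_UID", "SUDO_GID", "SUDO_COMMAND"):
        env.pop(name, None)
    return env


def demote(uid, gid, groups):
    """Return a preexec_fn that drops root permanently, in the required order."""
    def apply():
        os.setgroups(groups)  # 1. supplementary groups (needs root)
        os.setgid(gid)        # 2. primary group (needs root)
        os.setuid(uid)        # 3. user last: root cannot be regained afterwards
    return apply


def run_as(username, argv):
    """Run argv as username from a root parent; returns the child's exit status."""
    pw = pwd.getpwnam(username)
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)  # looked up before the fork
    return subprocess.call(
        argv,
        preexec_fn=demote(pw.pw_uid, pw.pw_gid, groups),
        cwd=pw.pw_dir,  # chdir runs before preexec_fn, so still as root
        env=child_env(pw, os.environ),
    )


if __name__ == "__main__":
    # "builder" is a placeholder account name; the parent must be running as root.
    raise SystemExit(run_as("builder", ["id"]))
```

Since Python 3.9, subprocess also accepts user=, group= and extra_groups= directly, which avoids preexec_fn altogether.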