pkg is considered safe or not, but even if it's not, Apple could change it in the future.) But a Safari buffer exploit could get around this problem. I don't think Safari should automatically open 'safe' documents, but that's the default. I don't think diskutil resizeVolume should work without further authentication. Obviously there is a large chain of questionable things in this list. (Or just confuse the hell out of the user by shrinking their boot partition to the point where they get nag messages that they are almost out of disk space.) (Or simply substitute 1-3 with your typical buffer overflow exploit which is used to execute a script.)Ĥ) Run 'diskutil resizeVolume' in some really nasty way that will screw up your partitions. pkg behavior that runs a script behind your back without requesting permission first.
#STATA UPDATE DOWNLOAD#
pkg when you arrive.Ģ) Safari considers it a 'safe' download and automatically launches.ģ) The old. Now imagine combining the following in an admin account:ġ) A web site that automatically downloads a. I would wager there are some nasty bugs hiding in the tool or HFS+ itself that could be used to totally trash a partition.
The tool itself is not very well documented and I suspect it has not been exhaustively tested under many conditions, due to the new-ness of the utility and considering Boot Camp is still beta. Now did you know that the 'diskutil resizeVolume' on Intel Macs doesn't require any authentication if you are in an admin account? You can invoke the tool and it will dutifully try to resize your partition. Under a regular user account, the destruction would be limited to user files, but the admin account gives you access to a lot more things. I believe it was possible to execute a shell script on launch without requiring permission to run first. For example, not long ago there were reported security issues with running a standard OS X. It takes a lot less effort to totally screw over a computer because of this. While not as bad as running as root, it is still a questionable idea which some would call 'defective-by-design'. Yet, Apple doesn't deter this and most OS X home users run in admin accounts. Normal, everyday typical user activity should normally not need admin privileges. It has also been suggested to use an osascript command to issue a Finder restart to allow users the normal warnings.Īpple already blurred the distinction which is the real problem. If so, then shutdown -r now will also need to be in sudoers. I have been thinking about seeing if I can work this into the logouthook function. With this hurdle covered, you can now add a cron/ launchd job to download updates for sure ( softwareupdate -d). Be sure to restart right away if you are trying this on a reboot-needed update. I don't think this action will prompt for a restart, so the system will be running in an indeterminate state.
Be sure to add comments on your change by using # as the first character. Add ALL ALL= NOPASSWD: /usr/sbin/softwareupdate to the file.Use the command sudo visudo this will drop you into the default visual editor (usually vim). softwareupdate) to be executed by your users.
#STATA UPDATE UPDATE#
So the problem is that if you have multiple machines in a mostly unmanaged environment, updates only occur if an admin logs in or if users run Software Update manually, and in either case the process must be authenticated with an admin passwordīut partially no more! If you edit the sudoers file, you can allow the CLI version of Software Update (i.e.
#STATA UPDATE INSTALL#
Software Update has a 'quirk' in which non-admin users will never get prompted to install updates, even if the administrator sets them automatically download.