Assistance needed on securing the editing of Macros - asking for Admin Password before Launching KM and enabling Edit Mode without putting Admin Password into the Login Keychain

Hello Folks👋

Since I am working on making things more secure and using Macros to get sensitive information out of my Keychains I want to tighten up the security of these Macros and even the ability of editing my whole collection of macros by asking for my Admin Password.

To make it clear where this comes from - I have macros which are allowed to get specific information out of any Keychain (sometimes a combination of more than one) without asking for my Admin Password - but sometimes the System wants to have the Admin Password anyways (because the Login Keychain has been locked in the mean time).

You know all about installing pkg files - there is a mechanism build into them which asks for the Admin Privileges without even knowing the exact Password.

Exactly this kind of thing I want to duplicate just done by Keyboard Maestro.

What do I need ?! - Well, I need to know how to ask for my Admin Password without having a macro having full access to it stored in my Login Keychain using a specific name - just because of the fact that I would have to enter it manually sometimes because of a locked Keychain.

I hope this makes sense to all of you

Greetings from Germany

Tobias

Well, here is something of a result....

During the day I tried it for myself writing a little AppleScript Draft which I could use for further Development.

here it is:

use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions



property uName : missing value
property pWord : missing value

property scptAllowUserToHaveMoreThanOneGo : "FALSE" -- SET TO "TRUE" TO GIVE YOU MORE THAN ONE TRY TO UNLOCK

property minDialogTimes : "0"
property maxDialogTimes : "3"

property askUserForNameMinCount : a reference to minDialogTimes
property askUserForNameMaxCount : a reference to maxDialogTimes

property askUserForPasswordMinCount : a reference to minDialogTimes
property askUserForPasswordMaxCount : a reference to maxDialogTimes

property askUserForNameCount : a reference to askUserForNameMaxCount
property askUserForPasswordCount : a reference to askUserForPasswordMaxCount





if scptAllowUserToHaveMoreThanOneGo is "FALSE" then
	repeat until uName is not missing value
		
		-- Asking the User for the Admin's Full Name
		set uName to my getUserNameDialog()
		if uName is not missing value then
			exit repeat
		end if
	end repeat
	
	if uName is not false then
		-- display dialog "User Name is correct" buttons "OK" -- UNCOMMENT FOR DEBUGGING ONLY
		set pWord to my askForAdminPassDialog()
		set chkPassword to my checkAdminPassword(uName, pWord)
		if chkPassword is not false then
			display dialog "[[ THANKS DUDE !! ]]" & return & return & "Your Password is correct" with title "Congratulations" buttons "OK" default button "OK"
		else
			display dialog "[[ ERROR !! ]]" & return & return & "Sorry Dude, Your Password is NOT correct" with title "Ooooooohhhh Noooooooo !!" buttons "OK" default button "OK"
		end if
	else
		display dialog "[[ ERROR !! ]]" & return & return & "Wrong User Name Entered" buttons "OK" default button "OK"
	end if
else
	repeat until uName is not missing value or (askUserForNameCount is not equal to askUserForNameMinCount)
		if uName is missing value or (askUserForNameCount is not equal to askUserForNameMinCount) then
			repeat until askUserForNameCount is equal to askUserForNameMinCount
				if askUserForNameCount is not equal to askUserForNameMinCount then
					
					-- Asking the User for the Admin's Full Name
					set uName to my getUserNameDialog()
					if uName is not missing value then
						exit repeat
					end if
					
					if uName is not false then
						-- display dialog "User Name is correct" buttons "OK" -- UNCOMMENT FOR DEBUGGING ONLY
						set pWord to my askForAdminPassDialog()
						set chkPassword to my checkAdminPassword(uName, pWord)
						if chkPassword is not false then
							display dialog "[[ THANKS DUDE !! ]]" & return & return & "Your Password is correct" with title "Congratulations" buttons "OK" default button "OK"
						else
							display dialog "[[ ERROR !! ]]" & return & return & "Sorry Dude, Your Password is NOT correct" with title "Ooooooohhhh Noooooooo !!" buttons "OK" default button "OK"
						end if
					else
						set askUserForNameCount to (askUserForNameCount - 1)
						display dialog "[[ ERROR !! ]]" & return & return & "Wrong User Name Entered - " & askUserForNameCount & " times to try again." buttons "OK" default button "OK"
					end if
				end if
			end repeat
		end if
	end repeat
end if

-- ~~~~~~~~~~~~~ HANDLER SECTION ~~~~~~~~~~~~~

on getUserNameDialog()
	set uNameDialogResult to text returned of (display dialog "Please enter your User Name" default answer "" with title "User Name" buttons {"Cancel", "OK"} default button 1)
	if uNameDialogResult is not "" then
		set uNameDialogResultToCheck to uNameDialogResult
		set uName to (my checkIfUserNameIsAdminName(uNameDialogResultToCheck))
	end if
	return uName
end getUserNameDialog


on checkIfUserNameIsAdminName(uNameDialogResultToCheck)
	try
		set uNameToCheckAgainst to (long user name of (system info))
		considering case
			uNameDialogResultToCheck is equal to uNameToCheckAgainst
		end considering
		return result
	end try
end checkIfUserNameIsAdminName


on askForAdminPassDialog()
	set pWord to text returned of (display dialog "Please enter your Admin Password" default answer "" with title "Admin Password" buttons {"Cancel", "Give me Access"} default button 2 with hidden answer)
	return pWord
end askForAdminPassDialog


on checkAdminPassword(uName, pWord)
	do shell script "sudo -k" user name uName
	delay 1
	try
		do shell script "sudo -v" user name uName password pWord with administrator privileges
		return true
	on error e
		return false
	end try
	set pWord to ""
end checkAdminPassword

I've put a lot of work into it - BUT this Script is not ready ... when I Run this (using as it is with scptAllowUserToHaveMoreThanOneGo set to FALSE ) it should normally thank me for entering my User Name and Password but it throws an error and says that I've entered the wrong Password - something that is absolute not true. I don’t really know what I am missing here - maybe some flag in the shell command or so…

The routine for the Option "TRUE" - where I would have 3 Times a chance entering my User Name before it says goodbye and only giving me 3 times the chance to enter the correct Password when I entered my name correctly - not ready at this time because I couldn't get this to work.

maybe there is someone who can help me getting this finished and working

Greetings From Germany

Tobias

Hello Folks

Based on these two Quotes I today tried searching the web again and stumped on the fact that there is a way of getting around this. Here are the references I found:

• Scripting with sudo on Mac - by Brett Terpstra

• !# Scripting OS X - Get Password from Keychain in Shell Scripts

While i now know that there must be an entry in the keychain to retrieve the password from and that there are permissions to be set instantly in the way I want it to work - I need to figure out how to create everything on the fly that is needed and something like a cleanup to delete afterwards - because I don’t want my Admin Password permanently stored in my login Keychain.

Maybe I will make the decision to use UUID‘s for everything that could be identified from other processes. That sounds totally great to me.

But this is still not a solution - since there is the Repeat Loop option in my AppleScript. And I don’t know how I can solve this issue.

Greetings from Germany

Tobias