Applescript + Keychain password


Hello everyone,

 

I searched myself crazy on the net, reading the man page for security(1), and being quite a beginner, I can't really pinpoint how to do this.

I want to mount my NAS drive to a folder: a movies folder on the NAS to my Movies folder on the OSX drive in the Users/Kosta. It asks for the password in the Terminal when I script that. I can however type in the password in text and save the app as run only (Option 1).

 

However, I would prefer to learn how to script a keychain password into the Applescript, without it really showing. I mean, not even sure if it makes sense, security-wise… should I just save the app as run only, or should I even bother with entering the keychain access, as in, if it's even more secure?

 

Any help would be appreciated!


If you just want it to mount on login, just add the folder to your login items under System Preferences>Users and Groups and it can use your existing keychain credentials to mount it automatically every time you log in. Then you can have an alias in Movies, or make Movies the alias. A symbolic link is also an option if you want any automated content management to be done at this location, i.e. Plex/Sickbeard. Also, since it ties into a previous post you made, if you were ever to include a username and password in a script, make a new non-admin user with a different password, give them permission to only those items you're trying to access, and use that username/password. Also, when doing this via shell script, whatever UNIX command is involved, if it's nothing that can cause too much havoc you can copy it from, say, /usr/bin to /Users/You/Applications and change its permissions in that location, then just use that location in your script. I.e. if you want to run nsupdate, once it is copied to the alternate location just use the full path instead of only the command. If building the script into an app, you can also copy it the same way directly into an app's resources and have your app/script use it from there.

Another thing: when scripting in an app, since the path to its resources can change if you move the application to another location, you don't want to use absolute paths. Here's an excerpt of one I did as part of a much larger app, but it's a means to launch a shell script via AppleScript, all in a self-contained app. When run via AppleScript Editor vs. built in Xcode, (path to me) will change from the folder containing the script to the full script path; this is why "container of" is used in the example, but when testing this via Script Editor only, it will fail.

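tell application "System Events"
    -- Reference to this script/app itself
    set Foo to (path to me) as alias
    -- Folder that contains it
    set Bar to container of Foo
    -- Build the path to myshellscript.sh in that folder
    set BarFoo to (POSIX path of Bar & "myshellscript.sh")
    -- Quote the path so spaces and shell metacharacters are handled safely
    set FooBar to quoted form of BarFoo
    -- Hand the quoted path to the open command
    do shell script "open " & FooBar
end tell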


I am aware of putting the folder into Login Items, however this is not what I want to do. I have a couple of similar folders and for some reason OSX will mix them up if I do it via Login Items. I need to mount them by their correct paths and to the correct folders in my User folder.

 

Rest is quite Greek to me. What I did understand is I can make a normal user, but how do I give it permission only to use those folders?

 

Is it correct to understand that a shell script is simply a written text document beginning with a #!/bin/sh and then having normal terminal commands, like mount, route etc? Those are the commands I am trying to automate right now (as a learning process of OSX and UNIX), and I guess those can't cause too much havoc, right? The rest I don't get; how can I copy directly into an app's resources??

 

This script you wrote, what is it doing? What is a self contained app?

 

Sorry to be so blunt, I see you have taken the time, but I understand very little of what you wrote really.


"I am aware of putting the folder into Login Items, however this is not what I want to do. I have a couple of similar folders and for some reason OSX will mix them up if I do it via Login Items. I need to mount them by their correct paths and to the correct folders in my User folder."

Create a symbolic link to the folder and place that link in your user folder where you want it, then add that symbolic link to your login items. OSX treats symbolic links differently than an alias (shortcut) and sees them as if they were physical folder locations.

 

"Rest is quite Greek to me. What I did understand is I can make a normal user, but how do I give it permission only to use those folders?"

If they are OSX folders, set custom permissions via File Sharing preferences. If they are on a remote server (NAS), access permissions would be handled there.

 

"Is it correct to understand that a shell script is simply a written text document beginning with a #!/bin/sh and then having normal terminal commands, like mount, route etc?"

Kinda. It needs to be set as executable. Also, carriage returns and other hidden aspects of text formatting can cause issues; use TextWrangler as it plays nicer for script writing. The shebang (#!/bin/sh) is actually #!/path/to/shell; the #! is the important part, and after that comes whatever shell you're using, which could be Bourne (#!/bin/sh), Bash (#!/bin/bash) or Korn (#!/bin/ksh) or any other shell you're using. The commands available and how the script is written/behaves will vary depending on the shell used. Commands that are part of the shell language can't be copied/moved, but additional UNIX ones that have their own executable file can. (Sorry I'm not explaining that better; you could technically move the shell to an alternate path, but let's not go there.)

 

"This script you wrote, what is it doing? What is a self contained app?"

Xcode aside, any AppleScript can be saved as a .app via AppleScript Editor, which will look and work like any other application. A shell script cannot be an application but can be part of one. If you right-click and show contents, inside you'll see /Contents/Resources/, and additional files and scripts that are needed to make the application work can be stored here. The script I wrote would be saved as an application, and it simply grabs another shell script from inside its resource folder and runs it. In

    set BarFoo to (POSIX path of Bar & "myshellscript.sh")

"myshellscript.sh" can be whatever you want to run that's inside the app's resource folder. It could be another application, a package installer, whatever. In most cases there are many different ways to accomplish the same task, with scripting being only one of a few, and then there are a million different ways to script something. Granted, I don't know all the exact details of what you're doing and how it's all set up, but I don't see anything that would "require" the command line every time, and therefore it shouldn't require a script to accomplish. Other options would be a launch agent or daemon, which is in plist format (brief explanation here) (which can also run scripts if needed), an Automator workflow, or even Finder's login settings as mentioned earlier. Find the different ways, exact step by step, to accomplish your task manually, then based on that process you'll be better able to decide the best and easiest way to automate it. Anything that can be done by clicking around in OSX can also be done via AppleScript, even simulating keyboard presses or clicking different buttons in a window or on the menubar. If you can find a manual way of doing something that doesn't require you to type a username and password every single time, you can script it without needing to use a password there too.

 

 

"Sorry to be so blunt, I see you have taken the time, but I understand very little of what you wrote really."

Sorry, it's really not possible to go into the level of detail that might be needed on a forum; there are very big books on this stuff :) I'm no expert compared to many others, I know just enough to get by (or get myself into trouble).
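For the original question of using a keychain entry instead of a password typed into the script, the sketch below is an added example and not part of any post in this thread: it reads the NAS password with security(1), percent-encodes it, and mounts the share with mount_smbfs. The host, account, share and mount point are made-up values, and it assumes the login keychain already holds an internet-password item for that account, saved when connecting with Cmd+K.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed values: NAS_HOST, NAS_USER,
# the share name and the mount point. NAS_HOST must match the server name
# (or IP) that was used when the password was saved to the keychain.
NAS_HOST="nas.example.lan"
NAS_USER="media-ro"      # dedicated low-privilege NAS account

# Print the stored password; non-zero exit if no matching item exists.
# macOS may ask once to let `security` read the item.
keychain_password() {    # keychain_password <host> <account>
    security find-internet-password -s "$1" -a "$2" -w 2>/dev/null
}

# Percent-encode everything outside the RFC 3986 unreserved set so that
# '@', ':' or '/' in a password cannot change how the URL is parsed.
# ASCII input only.
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

smb_url() {              # smb_url <user> <password> <host> <share>
    printf '//%s:%s@%s/%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# The URL is passed as an argument, so the password is briefly visible in
# the process list to other local users while mount_smbfs runs.
mount_share() {          # mount_share <share> <mountpoint>
    pw=$(keychain_password "$NAS_HOST" "$NAS_USER") || {
        echo "no keychain item for $NAS_USER@$NAS_HOST" >&2
        return 1
    }
    mkdir -p "$2" && mount_smbfs "$(smb_url "$NAS_USER" "$pw" "$NAS_HOST" "$1")" "$2"
}

# Run as: sh mount_nas.sh --mount   (or from AppleScript via `do shell script`)
if [ "${1:-}" = "--mount" ]; then
    mount_share "Movies" "$HOME/Movies/NAS"
fi
```

The password never appears in the script or the saved app, so a copy of either reveals only the account and host names.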

Alright, I'll try it with the symbolic links, looks interesting, but makes me wonder: why do people say then that OSX is easier than Windows? :)

 

Sharing: I can give a single user a single sharing folder, that is true, but if I turn on Samba, all folders are going to be shared for some reason... I mean, I didn't try it yet, but when I go to the windows PC, and try to access my shares, even if I don't share ANY folders in the Sharing, it will show me all drives. I logged in from windows PC with my username/pwd that I set up. As I said, didn't try it yet, but is the sharing behaviour of a sharing account or normal account so, that it only shows the shared folders?

 

What really annoys me is that I can connect to the router-disk via smb://x.x.x.x via CMD+K, but it won't connect via the route_smbfs command. To my understanding, these two are the same thing. Or not?

 

"Sorry, it's really not possible to go into the level of detail that might be needed on a forum, there's very big books on this stuff :) I'm no expert compared to many others, know just enough to get by (or get myself into trouble)"

 

Ohh, yeah, very big books, lol. Not really sure I want to go THAT far. OSX is more or less "fun" for now. I installed it primarily for Logic, as it has been lost to me since they moved from PC -> MAC. And it was my all time favorite program. I was thinking of moving to OSX completely, but right now can't get one thing to work properly:

Accessing my shares under OSX from my QNAP NMP-1000P. This is the only thing holding me back. The QNAP denies any shares I access. Those same shares are accessed with the same preferences under Windows though! I don't really know who to blame, QNAP or Apple. However, I can't go to Apple, since I haven't really bought a Mac :wallbash:
