Insert a Script

You can control scripts using the Script application type. System administrators can apply Application Rules on scripts to allow installation and management of development tools; for example, Homebrew.

Supported script types include:

  • bash (.sh)
  • ruby (.rb)
  • python (.py - xattr)

Matching criteria are case sensitive.

  1. Select the Application Group you want to add the script control to.
  2. Right-click and select Insert Application > Script.
  3. Enter a File or Folder Name.
  4. Enter a description or accept the default and click Next. You can leave the Description blank to match on all scripts.
  5. You must configure the matching criteria for the script. You can configure:
    • File or Folder Name Matches
    • File Hash (SHA-1 Fingerprint)
    • Command Line Arguments
    • Parent Process Matches
  6. Click Finish. The script is added to the Application Group.

The Homebrew installer is a shell script which users can download to their machine and run. This script internally uses sudo to create folders on the system and set their ownership/permissions to be accessible by the installing user, reducing the need for further privileged sudo operations when users want to install packages.

Prepare a script

The current installation script for Homebrew must be modified slightly to work with Privilege Management for Mac.

To achieve this, create a script that contains the following:

#!/bin/bash
# Remember the current directory so we can return to it when removing temporary files
readonly basedir=$(pwd)
# Download the latest brew install script using curl
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh -o install.sh
# The following command modifies the install.sh script, creating a backup of the original
# as install.sh.bak, and does the following modifications
# - replaces occurrences of "/usr/bin/sudo" with just "sudo" to allow customers using
# the non-Apple sudo to continue
# - Inserts a line "HAVE_SUDO_ACCESS=0" near the top of the file. This bypasses the
# built-in have_sudo_access feature with the expectation that the PMFM plugin policy is
# correctly configured to match this script
sed -i .bak -e 's^/usr/bin/sudo^sudo^g' -e $'s^set -u^set -u\\\nHAVE_SUDO_ACCESS=0^' install.sh
source install.sh
cd "${basedir}"
rm install.sh
rm install.sh.bak

If you make no modifications to the script above, its SHA-1 hash (as reported by shasum) is 3d2843e993c36dc0705466f84fb668095d7803ab.

Add the Script to Policy

To create a rule to match this script in the Policy Editor:

  1. Create an Application Group to add the script control.
  2. Right-click and select Insert Application > Script.
  3. Enter * as the file or folder name, as you're matching explicitly on hash.
  4. Enter a description of User Homebrew Installation.
  5. Set the File Hash value to 3d2843e993c36dc0705466f84fb668095d7803ab.
  6. Ensure this file hash is the same as the script you prepared earlier, in case you made any custom modifications.
  7. Click Finish. The script is added to the Application Group.

Add a sudo Command for Homebrew to Policy

In the same Application Group:

  1. Right-click and select Insert Application > Sudo Command.
  2. Enter * to represent any sudo command.
  3. Enter a description or accept the default, and click Next.
  4. Configure the Parent Process Matches to be the group which you are editing. This keeps the configuration of Homebrew isolated within the policy and easier to navigate. Alternatively, you can separate the Script and Sudo application definitions.
  5. Click Finish. The sudo command is added to the Application Group.

Set Up an Application Rule for Homebrew

  1. Select the Workstyle that is appropriately filtered for users you want to allow to install Homebrew.
  2. Create an application assignment for the Application Group that contains the sudo command, of type Allow Execution, with your messaging and auditing preferences.