Fix Darwin Scripts and Document Sudo

Changes: * Use sudo in service.sh for Darwin to find user services if not running as root * Fix parsing the output of softwareupdate command on Darwin in update.sh * Better document usage of sudo in docs/Sudo.md
2025-01-25 15:11:30 -05:00 · 2025-01-25 15:11:30 -05:00 · 653ee79a67
commit 653ee79a67
parent a24e4c8ee5
7 changed files with 84 additions and 18 deletions
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-9.2.0.10
-9.2.0.10
+9.2.0.11
+9.2.0.11
--- a/app.manifest
+++ b/app.manifest
@ -29,7 +29,7 @@
        "id": {
            "group": null,
            "name": "TA-nix",
-            "version": "9.2.0.10"
+            "version": "9.2.0.11"
        },
        "license": {
            "name": "Splunk Software License Agreement",
--- a/bin/service.sh
+++ b/bin/service.sh
@ -128,9 +128,18 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 	CMD='eval date ; ls -1 /System/Library/StartupItems/ /Library/StartupItems/'
 	# Get per-user startup items
 	# shellcheck disable=SC2044
-	for PLIST_FILE in $(find /Users -name "loginwindow.plist") ; do
-		CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
-	done
+	# For this to work properly when run as non-root, add a line to
+	# an /etc/sudoers.d file (eg - /etc/sudoers.d/splunk) like this:
+	#   splunk ALL=(root) NOPASSWD: /usr/bin/find /Users -name loginwindow.plist
+	if [ $(id -u) != 0 ]; then
+		for PLIST_FILE in $(sudo -n /usr/bin/find /Users -name loginwindow.plist) ; do
+			CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
+		done
+	else
+		for PLIST_FILE in $(/usr/bin/find /Users -name loginwindow.plist) ; do
+			CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
+		done
+	fi
 	# shellcheck disable=SC2016
 	PARSE_0='NR==1 {DATE=$0}'
 	# Retrieve path for system startup items
--- a/bin/update.sh
+++ b/bin/update.sh
@ -21,9 +21,9 @@ if [ "$KERNEL" = "Linux" ] ; then
 		# Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script
 		# sed command here replaces '/, [, ]' with ' '
 		if [ $(id -u) != 0 ]; then
-			CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+			CMD='eval date ; sudo -n /usr/bin/apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
 		else
-			CMD='eval date ; apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+			CMD='eval date ; /usr/bin/apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
 		fi
 		# shellcheck disable=SC2016
 		PARSE_0='NR==1 {DATE=$0}'
@ -48,9 +48,9 @@ if [ "$KERNEL" = "Linux" ] ; then
 		#   splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
 		# Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update)
 		if [ $(id -u) != 0 ]; then
-			CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+			CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n /usr/bin/pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
 		else
-			CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+			CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; /usr/bin/pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
 		fi
 		# shellcheck disable=SC2016
 		PARSE_0='NR==1 {DATE=$0}'
@ -103,7 +103,7 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 	assertHaveCommand date
 	assertHaveCommand softwareupdate

-	CMD='eval date ; softwareupdate -l'
+	CMD='eval date ; softwareupdate -l 2>&1 | grep -v "XType: Using static font registry"'
 	# shellcheck disable=SC2016
 	PARSE_0='NR==1 {
 		DATE=$0
@ -115,14 +115,16 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 	# of the update. Otherwise, print the update.
 	# shellcheck disable=SC2016
 	PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ {
-		if ( $0 ~ /^[[:blank:]]*\*/ ) {
-			PACKAGE="package=\"" $2 "\""
+		if ( $1 == "Title:" ) {
+			line = $0;
+			gsub(/^.*Title: /, "", line);
+			gsub(/, Version:.*$/, "", line);
+			PACKAGE="package=\"" line "\""
 			RECOMMENDED=""
 			RESTART=""
 			TOTAL=TOTAL+1
-		} else {
-			if ( $0 ~ /recommended/ ) { RECOMMENDED="is_recommended=\"true\"" }
-			if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" }
+			if ( $0 ~ /Recommended: YES/ ) { RECOMMENDED="is_recommended=\"true\"" }
+			if ( $0 ~ /Action: restart/ ) { RESTART="restart_required=\"true\"" }
 			printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART
 		}
 	}'
--- a/default/app.conf
+++ b/default/app.conf
@ -17,7 +17,7 @@ docs_section_override = AddOns:released

 [launcher]
 author = Michael Erdely
-version = 9.2.0.10
+version = 9.2.0.11
 description = Technical Add-on for Unix and Linux

 #[package]
@ -26,5 +26,5 @@ description = Technical Add-on for Unix and Linux

 [id]
 name = TA-unix
-version = 9.2.0.10
+version = 9.2.0.11

--- a/docs/ReleaseNotes.md
+++ b/docs/ReleaseNotes.md
@ -1,5 +1,15 @@
 # Technical Add-on for Unix and Linux

+## Version 9.2.0.11 (2025-01-25)
+
+Fix Darwin Scripts and Document Sudo
+
+Changes:
+
+* Use sudo in service.sh for Darwin to find user services if not running as root
+* Fix parsing the output of softwareupdate command on Darwin in update.sh
+* Better document usage of sudo in docs/Sudo.md
+
 ## Version 9.2.0.10 (2025-01-25)

 Fix OpenBSD Support and Other Bugs
--- a/docs/Sudo.md
+++ b/docs/Sudo.md
@ -0,0 +1,45 @@
+# Sudo Usage
+
+Some commands may need to use sudo or doas to execute. Below is documentation
+for those cases.
+
+## MacOS/Darwin service.sh
+
+The service.sh script searches users' home directories and a splunk user does
+not have rights to do that.
+
+Create a file like /etc/sudoers.d/splunk and add:
+
+```
+splunk ALL=(root) NOPASSWD: /usr/bin/find /Users -name loginwindow.plist
+```
+
+## Docker
+
+Either add the splunk user to the docker group or run the command with sudo.
+To make sudo work, create a file like /etc/sudoers.d/splunk and add:
+
+```
+splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
+splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
+splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
+```
+
+## Debian/Ubuntu apt update
+
+A splunk user does not have the ability to update the package cache.
+To make sudo work, create a file like /etc/sudoers.d/splunk and add:
+
+```
+splunk ALL=(root) NOPASSWD: /usr/bin/apt update
+```
+
+## Arch Linux pacman update cache
+
+A splunk user does not have the ability to update the package cache.
+To make sudo work, create a file like /etc/sudoers.d/splunk and add:
+
+```
+splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
+```
+