Run GUI Applications from Terminal with root privilege

Question

So it has been well documented that GUI applications (like gedit or textedit) should NOT be run with sudo. Ubuntu et al get gksu and gksudo (and the like) so question: what do WE (Mac users) get? Given that the Darwin kernel is built on some *BSD code, I assume the same issues apply, but how do we go around this?

Answer 1

To edit /etc/hosts with Sublime Text:
sudo /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text /etc/hosts

If you have to do this on the regular basis, you can add this snippet to your ~/.bash_profile

#   sudoapp: Runs .app with root privileges
#   Usage: sudoapp /Applications/Name.app /etc/hosts
#   --------------------------------------------------------------------
    sudoapp () {
        sudo "$1/Contents/MacOS/$(defaults read "$1/Contents/Info.plist" CFBundleExecutable)" $2
    }

Apps running with root privileges will use /private/var/root as home folder, thus all config and temporary files owned by root that will be created in the process will stay where they should be - in the root home directory.
This is the same as logging in as root and running the app, but without the hassle of user switching.

This method works on 10.6 — 10.11

Update: Apple's own TextEdit refuses to start if run as root in 10.11 and newer, so I changed my example to use Sublime Text instead

Answer 2

While is it possible to launch a graphical application as the root user, it is not recommended. It may work, most of the time, but avoid relying on this behaviour.

Avoid root

Running an application as root is not recommended because it dramatically increases the risk of causing problems with your Mac. The use of root should be limited to the smallest possible piece of code with strict controls in-place.

Applications are increasingly moving towards a fragmented design to avoid exposing too much power to code that does not require it.

• A mistake in code running with root permissions is a security risk.
• A mistake in code without root permissions is much less capable of causing serious problems.

There are edge cases but these are increasingly rare. The introduction of sandboxing and XPC are part of Apple's efforts to reduce the need to provide excessive authority to processes running on OS X.

Command Line Tools

If you need to work with files as root user, use command line tools such as vim, emacs, or nano. These tools do not rely on the WindowServer and can happily be launched as root within another user session:

sudo nano <path to edit>

Graphical Tools

If you prefer graphical editors, use an editor that works with the design of Mac OS X. BBEdit is an excellent editor that will correctly handle editing root owned files.

When you edit a root owned file with BBEdit, a second process is used to bridge the permissions gap between you and the owner of the file. This process passes through Apple's sanctioned paths and thus ensures a predictable experience - hopefully across multiple major versions of Mac OS X.

Why? WindowServer Limits and Design Scope

There are subtle technical problems with launching a graphical application within another user session.

The underlying technical problems stem from one user wanting to launch a graphical process within another user's session. Mac OS X's WindowServer was never designed with this as a goal. User sessions are extremely difficult to break out of even as root user – all for desirable security reasons.

Apple has dramatically improved the WindowServer design in the last few major versions of Mac OS X. It is now possible to have multiple users logged into different graphical sessions on one Mac through Screen Sharing. This seemingly simple improvement relied on a huge amount of behind the scenes effort from Apple's engineers.

However, Apple is unlikely to provide an easy way to cross launch applications as different users from within a single graphical user session. How would this benefit their customers?

If you want to explore this topic further, look for questions involving launchctl and running applications in other active user sessions.

Answer 3

There are good reasons NOT to edit files as root. Why not just copy them to a temporary file, edit this and copy back.

You could use visudo although this requires some knowledge of vi, but is OK for making simple changes to /etc/fstab or similar.

You could try setting the EDITOR environment variable and running visudo although I have never tried this with a graphic editor.

Answer 4

Sergei's answer didn't work for me on OS X 10.8.5

$ sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts

I got a permissions error message

Since sudoing the binary first, then double-clicking the file in Finder worked, I came up with the following less simple command

$ sudo -b /Applications/TextEdit.app/Contents/MacOS/TextEdit && sleep .5 && open -a /Applications/TextEdit.app /etc/hosts

You can make a function of it like Sergei's, if need be.