@glennbrown
Contributor

Fixes #120 - Switch mas role to community.general.mas module and add root privileges

This update resolves Issue #120 by migrating the mas role from the old approach of using the mas binary with the command module to the community.general.mas module while using root privileges.

Changes:

  • Switched to using community.general.mas module
  • Added mas binary path to environment (required for remote Mac execution)
  • Updated uninstall, install, and upgrade tasks to run as root

Context:

Root privileges are now required due to upstream changes in mas 4.0.0+. From the mas project notes:

Root privileges are now necessary to install/update apps from the App Store, because Apple secured installd on macOS 26.1+, 15.7.2+ & 14.8.2+ to fix CVE-2025-43411. To simplify the code, mas 4.0.0+ requires root privileges to install/update apps for all versions of macOS, even older ones for which installd hasn't been secured. Most users are already, or soon will be, using affected macOS versions.

Root privileges were always necessary to uninstall apps from the App Store, because such apps are owned by the root user on macOS. mas 4.0.0+ will request root privileges if you run mas without them, so you needn't remember to use sudo mas uninstall … like beforehand.

Root privileges can be granted by running using sudo mas … on the command line, or, if you run mas by itself without sudo, by entering your macOS account password when prompted by mas. If you choose the latter route, the supplied password is piped directly from the terminal to an external process sudo call in the mas executable; your password is never seen by any mas code, nor is it stored in any way.

Any sudo credentials used or established by the mas executable will remain valid, pursuant to your user-configured sudo timeout settings.

- Switched to using community.general.mas module
- Removal, install and upgrade all run as root
- When running on a remote Mac, the mas role using the community.general module cannot find the mas binary; to resolve this, also adds the path to the environment.

Root privileges are now necessary to install/update apps from the App Store, because Apple secured installd on macOS 26.1+, 15.7.2+ & 14.8.2+ to fix CVE-2025-43411. To simplify the code, mas 4.0.0+ requires root privileges to install/update apps for all versions of macOS, even older ones for which installd hasn't been secured. Most users are already, or soon will be, using affected macOS versions.

Fixing deprecation warnings

When running as root we are losing the path, using environment to fix.

Fixed loop_label to label
@geerlingguy
Owner

Thank you! I think I can merge this soon — but what version is the mas module added in? Might need to update https://github.com/geerlingguy/ansible-collection-mac/blob/master/meta/runtime.yml ? (or maybe not, if it's 3rd party collection...)

@glennbrown
Contributor Author

> Thank you! I think I can merge this soon — but what version is the mas module added in? Might need to update https://github.com/geerlingguy/ansible-collection-mac/blob/master/meta/runtime.yml ? (or maybe not, if it's 3rd party collection...)

It's part of the community.general collection, same as the homebrew, homebrew_cask and homebrew_tap modules. I am not entirely sure what version it was added in, but it appears to have been there for a bit.

@geerlingguy geerlingguy merged commit 6ddb5c4 into geerlingguy:master Jan 4, 2026
2 checks passed
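
The task pattern this pull request describes, as an added example that is not the role's actual code: privilege escalation is scoped to the individual mas tasks, and PATH is passed explicitly because it is lost when running as root. The inventory group, variable names, app ids and Homebrew paths are assumptions.

```yaml
# Added example, not the role's own tasks. Variable names and app ids are constructed.
- name: Manage App Store apps with community.general.mas
  hosts: macs                           # assumed inventory group
  vars:
    # Assumed Homebrew locations: /opt/homebrew/bin (Apple Silicon), /usr/local/bin (Intel).
    example_mas_path: "/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
    example_installed_apps:
      - { id: 1111111111, name: "Example App One" }   # constructed id
    example_uninstalled_apps:
      - { id: 2222222222, name: "Example App Two" }   # constructed id
    example_upgrade_all: false
  tasks:
    - name: Ensure unwanted apps are uninstalled.
      community.general.mas:
        id: "{{ item.id }}"
        state: absent
      become: true                      # escalate per task, not for the whole play
      environment:
        PATH: "{{ example_mas_path }}"  # lets the module find the mas binary as root
      loop: "{{ example_uninstalled_apps }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Ensure configured apps are installed.
      community.general.mas:
        id: "{{ item.id }}"
        state: present
      become: true
      environment:
        PATH: "{{ example_mas_path }}"
      loop: "{{ example_installed_apps }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Upgrade all installed App Store apps.
      community.general.mas:
        upgrade_all: true
      become: true
      environment:
        PATH: "{{ example_mas_path }}"
      when: example_upgrade_all | bool
```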

Development

Successfully merging this pull request may close these issues.

Mas now requires root privileges
