Question

Temporary admin using self service.

  • April 3, 2013
  • 34 replies
  • 197 views


  • New Contributor
  • May 9, 2017

I tried using this script but it never removed the admin rights. Any update on this?


  • Valued Contributor
  • October 11, 2017

What happens if the user adds themselves to the local sudoers when they have elevated themselves?


  • Contributor
  • January 8, 2019

Changes I made/had to make.

  • Writing out a .plist via shell redirection didn't seem to work on Mojave. Used PlistBuddy to write the .plist.
  • Switched to the supported load/unload/enable/disable of LaunchDaemons.
  • Lowered the time limit to 5 minutes.
  • Changed the jamf binary path.
  • Substituted printf for echo.
  • To Do: use sysadminctl instead of dseditgroup. EDIT: I thought you could use sysadminctl as a drop-in replacement for dseditgroup. Guess you can't...

Note: changed the stdout and stderr variables to sout and serr, respectively. My bad.

#!/bin/bash

U="$(who | grep console | awk '{ print $1 }')"
PPATH="/Library/LaunchDaemons"
PLIST="edu.uwm.uits.brockma9.adminremove.plist"
LOGDIR="/var/uits"
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")

# Write the removal LaunchDaemon with PlistBuddy (shell redirection failed on Mojave).
mkadminremoved() {
    local label="$PLIST"
    local string0="/usr/local/bin/jamf"
    local string1="policy"
    local string2="-event"
    local string3="adminremove"
    local sout="$LOGDIR/${PLIST%.plist}.out"
    local serr="$LOGDIR/${PLIST%.plist}.err"

    plistbuddy() { /usr/libexec/PlistBuddy "$@"; }

    # One PlistBuddy invocation; the line continuations are required.
    plistbuddy -c "add :Label string $label" \
               -c "add :ProgramArguments array" \
               -c "add :ProgramArguments:0 string $string0" \
               -c "add :ProgramArguments:1 string $string1" \
               -c "add :ProgramArguments:2 string $string2" \
               -c "add :ProgramArguments:3 string $string3" \
               -c "add :StandardOutPath string $sout" \
               -c "add :StandardErrorPath string $serr" \
               -c "add :StartInterval integer 300" \
               "$PPATH"/"$PLIST"
}

# Message to user they have admin rights for 5 min.
/usr/bin/osascript <<-EOF
    tell application "System Events"
        activate
        display dialog "You now have admin rights to this machine for 5 minutes" buttons {"Let Me at it."} default button 1
    end tell
EOF

# Create launchd service to call JSS policy to remove admin rights.
mkadminremoved

# Set the permissions on the file just made.
chown root:wheel "$PPATH"/"$PLIST"
chmod 644 "$PPATH"/"$PLIST"

# Load the removal plist timer (launchctl enable takes only the service target).
launchctl enable system/"$PLIST"
launchctl bootstrap system "$PPATH"/"$PLIST"

# Build log files in /var/uits.
[[ ! -d "$LOGDIR" ]] && mkdir "$LOGDIR"
printf "%s\n" "$TIME by $U" >> "$LOGDIR"/5minAdmin.txt
printf "%s\n" "$U" >> "$LOGDIR"/userToRemove

# Give the currently logged-in user admin rights.
/usr/sbin/dseditgroup -o edit -a "$U" -t user admin

gda
  • Contributor
  • January 8, 2019

I had to deal with temporary admin rights for a long time. It was a nightmare every time.

For me, this ended with a new app from SAP: https://github.com/SAP/macOS-enterprise-privileges


  • Contributor
  • January 8, 2019

And the other side...

The ugly loop was used during testing. I decided to keep it for now.

#!/bin/bash

PPATH="/Library/LaunchDaemons"
PLIST="edu.uwm.uits.brockma9.adminremove.plist"

if [[ -f /var/uits/userToRemove ]]; then

    U="$(cat /var/uits/userToRemove)"

    # Remove every user recorded by the grant script.
    for USER in $U; do
        printf "%s\n" "removing $USER from admin group"
        /usr/sbin/dseditgroup -o edit -d "$USER" -t user admin
        printf "%s\n" "$USER has been removed from admin group"
    done

    rm -f /var/uits/userToRemove

else

    # Next firing: nothing left to remove, so tear down the timer itself.
    printf "%s\n" "going to unload"
    launchctl disable system/"$PLIST"
    launchctl bootout system/"$PLIST"
    printf "%s\n" "Completed"
    rm -f "$PPATH"/"$PLIST"

fi
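Added example, not code from any post in this thread: a removal-time audit for the grant/removal pair above, aimed at the earlier worry that a user might widen access while elevated. It assumes the grant script also saved the output of `dscl . -read /Groups/admin GroupMembership` to /var/uits/admin.before (a file name chosen here, not in the thread); the parsing functions are plain shell and are exercised on constructed samples.

```shell
#!/bin/bash
# Added example, not code from the thread. Compare the admin group as it was when
# rights were granted with how it looks when the removal timer fires, and flag
# any account that became admin in between besides the one deliberately granted.

# parse_members: one account per line, sorted, from a "dscl ... GroupMembership" line.
parse_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//' | tr ' ' '\n' \
        | sed '/^$/d' | sort -u
}

# unexpected_admins BEFORE AFTER GRANTED_USER
# Prints members present in AFTER but not in BEFORE, excluding GRANTED_USER.
# Returns 0 when nothing unexpected was found, 1 otherwise.
unexpected_admins() {
    before="$1"; after="$2"; granted="$3"; found=0
    for m in $(parse_members "$after"); do
        [ "$m" = "$granted" ] && continue
        if ! parse_members "$before" | grep -qx -- "$m"; then
            printf '%s\n' "$m"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed samples standing in for the two dscl reads on a real Mac.
SNAPSHOT_BEFORE="GroupMembership: root admin"
SNAPSHOT_AFTER="GroupMembership: root admin jdoe helperacct"

# On a real Mac, run as root with --audit from the removal policy. Assumes the grant
# script saved the pre-elevation membership to /var/uits/admin.before (name chosen here).
if [ "$1" = "--audit" ] && [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    U="$(cat /var/uits/userToRemove)"
    BEFORE="$(cat /var/uits/admin.before)"
    AFTER="$(dscl . -read /Groups/admin GroupMembership)"
    if ! unexpected_admins "$BEFORE" "$AFTER" "$U" >> /var/uits/adminAudit.txt; then
        printf '%s\n' "$(date) unexpected admin accounts logged to /var/uits/adminAudit.txt" >&2
    fi
fi
```

On the constructed samples, granting jdoe and finding helperacct in the group afterwards reports helperacct and returns 1, which the removal policy can log before or after it runs dseditgroup.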

  • Contributor
  • January 8, 2019

@gda Nice one. Thanks.


  • Contributor
  • February 21, 2019

@JPDyson super new to scripting and Jamf but is there any way you can change the time to 12 hours? By the way your script works awesome! Thank You All.


  • Contributor
  • February 26, 2019

@meexiong

You need to change:

<key>StartInterval</key>
<integer>1800</integer>

Which is 1800 seconds (30 minutes). To:

<key>StartInterval</key>
<integer>43200</integer>

Which is 43200 seconds (12 hours).

StartInterval tells this LaunchDaemon to start every N seconds. It, in turn, executes what it is told to execute.


  • Contributor
  • February 28, 2019

Instead of the timer counting down, can this script do an LDAP group lookup and give the users in that specific LDAP group admin rights, and remove them when the user is removed from the LDAP group?

Also, is there really a way to capture the logs from the time admin rights are activated until they end?

Sorry and Thank You for all the help.

NVM it won't work the way we had it setup here. Thanks though.