Skip to main content
Solved

Cyber Essentials script to create a temporary separate admin account


Forum|alt.badge.img+8

Looking for some help with a script issue please.

I've written a script based on Charle Edge's https://github.com/jamf/MakeMeAnAdmin to use in a Cyber Essentials Mac build. Whilst the original script temporarily elevated the users privileges I want to create a temporary separate admin account.

Everything works well apart from the final stage (lines 50-65, labelled "# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.") to cleanup the admin account. This part of the script does work when run manually so I'm thinking it's an issue with permissions and/or ownership.

Any advice would be appreciated. Thanks

#!/bin/bash ############################################### # "I need admin". # John Moore, April 2024. # Based on "MakeMeAnAdmin.sh" by Charles Edge, see https://github.com/jamf/MakeMeAnAdmin. # This Jamf Self Service script will provide the user with access to a separate admin account for 30 minutes. After 30 minutes the admin account is deleted. ############################################### # Get the current details currentUser=$(who | awk '/console/{print $1}') currentDate=$(date +"%Y-%m-%d") currentTime=$(date +"%H:%M:%S") # Define the temp admin account variables adminUser="tempadmin" adminPassword=$(openssl rand -base64 9) # Log details of use of the temp admin account in Jamf policy history echo "$currentUser has been provided with the following temporary admin credentials on $currentDate at $currentTime - $adminUser:$adminPassword" # Write a daemon that will let you remove the temp admin account with another script and chmod/chown to make sure it'll run, then load the daemon. # Create the plist sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist Label -string "removeTempAdmin" # Add program argument to have it run the update script sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeTempAdmin.sh" # Set the run inverval to run every 7 days sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist StartInterval -integer 1800 # Set run at load sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist RunAtLoad -boolean yes # Set ownership sudo chown root:wheel /Library/LaunchDaemons/removeTempAdmin.plist sudo chmod 644 /Library/LaunchDaemons/removeTempAdmin.plist # Load the daemon launchctl bootstrap system /Library/LaunchDaemons/removeTempAdmin.plist sleep 10 # Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user. cat << 'EOF' > /Library/Application\\ Support/JAMF/removeTempAdmin.sh if id tempadmin &>/dev/null; then # Delete the temp admin user sudo sysadminctl -deleteUser tempadmin # Stop the launch daemon sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist # Delete the launch daemon sudo rm /Library/LaunchDaemons/removeTempAdmin.plist # Provide feedback to user sudo osascript -e "display dialog \\"You administrative rights have ended.\\" with title \\"Temporary Admin Account\\" buttons {\\"OK\\"} default button \\"OK\\"" fi EOF sudo chown root:wheel /Library/Application\\ Support/JAMF/removeTempAdmin.sh sudo chmod a+x /Library/Application\\ Support/JAMF/removeTempAdmin.sh # Create the temporary admin account. if id "$adminUser" &>/dev/null; then # Delete the temporary admin account if account already exists then re-create sudo sysadminctl -deleteUser "$adminUser" sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin else # Create the temporary admin account sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin fi # Display message to display the temp admin account credentials and a button to copy the password to clipboard. osascript <<EOF set dialogText to "You now have administrative rights for 30 minutes using the following credentials:" & return & return & "Username is: $adminUser" & return & "Password is: $adminPassword" & return & return & "DO NOT ABUSE THIS PRIVILEGE..." set copiedText to "$adminPassword" set theDialog to display dialog dialogText with title "Temporary Admin Account" buttons {"Copy Password to Clipboard and Close Window"} default button "Copy Password to Clipboard and Close Window" with icon POSIX file "/usr/local/JamfConnectAssets/CardiffUniversity.png" if button returned of theDialog is "Copy Password to Clipboard and Close Window" then set the clipboard to copiedText end if EOF exit 0

 

Best answer by MrMoore

MrMoore wrote:

Thanks both.
@AJPinto - The command "sysadminctl -secureTokenStatus tempadmin" returns "Secure token is DISABLED for user tempadmin".
@Ismere - I updated the IF statement in the removal script but it didn't seem to have any effect. Instead, for troubleshooting, I removed the IF statement.

The removal script is now:

# Create a removal script using tee in a HERE document tee /Library/Scripts/removeTempAdmin.sh << EOS # Delete the temp admin user #sudo sysadminctl -deleteUser tempadmin #sudo dscl . -delete /Users/tempadmin sudo jamf deleteAccount -username tempadmin -deleteHomeDirectory # Provide feedback to user sudo osascript -e "display dialog \\"You administrative rights have ended.\\" with title \\"Temporary Admin Account\\" buttons {\\"OK\\"} default button \\"OK\\"" # Bootout the launch daemon sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist # Delete the daemon sudo rm /Library/LaunchDaemons/removeTempAdmin.plist EOS

The three account deletion commands fail in the script yet all work manually via CLI. Bootout now works but the daemon isn't deleted. If delete the daemon first that will work but then bootout fails.


Managed to develop this into a basic working solution using two scripts: one to create the temp admin account along with launch agents and daemons; and a second script to delete the temp admin account.

Works well but we're interested in a more feature rich commercial solution such as Elevate24 which includes MFA, improved logging and ongoing support.

View original
Did this topic help you find an answer to your question?

5 replies

donmontalvo
Forum|alt.badge.img+36
  • Legendary Contributor
  • 4293 replies
  • April 26, 2024

#CharlesEdgeRIP


Ismere
Forum|alt.badge.img+7
  • Contributor
  • 66 replies
  • April 29, 2024

Hi,
the line

if id tempadmin &>/dev/null;

 is going to return false and will never enter the then part of the removal script.
you can check this by simplydoing a short test on your system with:

if [ id NameofExistingUser &>/dev/null ]; then echo "true" else echo "false" fi

 which just reminds one of the fact that one should always check there if statement outputs when possible


AJPinto
Forum|alt.badge.img+26
  • Legendary Contributor
  • 2717 replies
  • April 29, 2024

If the admin account you are creating inherits a Secure Token, you cannot use Jamf to delete it. To delete a Secure Token holding account, you need an account with a Secure Token. Jamf runs everything as root, which does not have a Secure token and in turn cannot modify a Secure Token holding account.

 

Though, I would question the security of creating a local admin account from CLI as the username and password can be intercepted simply enough by a malicious actor.


Forum|alt.badge.img+8
  • Author
  • New Contributor
  • 3 replies
  • April 29, 2024

Thanks both.
@AJPinto - The command "sysadminctl -secureTokenStatus tempadmin" returns "Secure token is DISABLED for user tempadmin".
@Ismere - I updated the IF statement in the removal script but it didn't seem to have any effect. Instead, for troubleshooting, I removed the IF statement.

The removal script is now:

# Create a removal script using tee in a HERE document tee /Library/Scripts/removeTempAdmin.sh << EOS # Delete the temp admin user #sudo sysadminctl -deleteUser tempadmin #sudo dscl . -delete /Users/tempadmin sudo jamf deleteAccount -username tempadmin -deleteHomeDirectory # Provide feedback to user sudo osascript -e "display dialog \\"You administrative rights have ended.\\" with title \\"Temporary Admin Account\\" buttons {\\"OK\\"} default button \\"OK\\"" # Bootout the launch daemon sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist # Delete the daemon sudo rm /Library/LaunchDaemons/removeTempAdmin.plist EOS

The three account deletion commands fail in the script yet all work manually via CLI. Bootout now works but the daemon isn't deleted. If delete the daemon first that will work but then bootout fails.


Forum|alt.badge.img+8
  • Author
  • New Contributor
  • 3 replies
  • Answer
  • June 19, 2024
MrMoore wrote:

Thanks both.
@AJPinto - The command "sysadminctl -secureTokenStatus tempadmin" returns "Secure token is DISABLED for user tempadmin".
@Ismere - I updated the IF statement in the removal script but it didn't seem to have any effect. Instead, for troubleshooting, I removed the IF statement.

The removal script is now:

# Create a removal script using tee in a HERE document tee /Library/Scripts/removeTempAdmin.sh << EOS # Delete the temp admin user #sudo sysadminctl -deleteUser tempadmin #sudo dscl . -delete /Users/tempadmin sudo jamf deleteAccount -username tempadmin -deleteHomeDirectory # Provide feedback to user sudo osascript -e "display dialog \\"You administrative rights have ended.\\" with title \\"Temporary Admin Account\\" buttons {\\"OK\\"} default button \\"OK\\"" # Bootout the launch daemon sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist # Delete the daemon sudo rm /Library/LaunchDaemons/removeTempAdmin.plist EOS

The three account deletion commands fail in the script yet all work manually via CLI. Bootout now works but the daemon isn't deleted. If delete the daemon first that will work but then bootout fails.


Managed to develop this into a basic working solution using two scripts: one to create the temp admin account along with launch agents and daemons; and a second script to delete the temp admin account.

Works well but we're interested in a more feature rich commercial solution such as Elevate24 which includes MFA, improved logging and ongoing support.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings