Jamf Nation Community

MrMoore · ‎04-26-2024

Looking for some help with a script issue please.

I've written a script based on Charle Edge's https://github.com/jamf/MakeMeAnAdmin to use in a Cyber Essentials Mac build. Whilst the original script temporarily elevated the users privileges I want to create a temporary separate admin account.

Everything works well apart from the final stage (lines 50-65, labelled "# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.") to cleanup the admin account. This part of the script does work when run manually so I'm thinking it's an issue with permissions and/or ownership.

Any advice would be appreciated. Thanks

#!/bin/bash

###############################################
# "I need admin".
# John Moore, April 2024.
# Based on "MakeMeAnAdmin.sh" by Charles Edge, see https://github.com/jamf/MakeMeAnAdmin.
# This Jamf Self Service script will provide the user with access to a separate admin account for 30 minutes. After 30 minutes the admin account is deleted.
###############################################



# Get the current details
currentUser=$(who | awk '/console/{print $1}')
currentDate=$(date +"%Y-%m-%d")
currentTime=$(date +"%H:%M:%S")

# Define the temp admin account variables
adminUser="tempadmin"
adminPassword=$(openssl rand -base64 9)

# Log details of use of the temp admin account in Jamf policy history
echo "$currentUser has been provided with the following temporary admin credentials on $currentDate at $currentTime - $adminUser:$adminPassword" 



# Write a daemon that will let you remove the temp admin account with another script and chmod/chown to make sure it'll run, then load the daemon.

# Create the plist
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist Label -string "removeTempAdmin"

# Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeTempAdmin.sh"

# Set the run inverval to run every 7 days
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist StartInterval -integer 1800

# Set run at load
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist RunAtLoad -boolean yes

# Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeTempAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeTempAdmin.plist

# Load the daemon 
launchctl bootstrap system /Library/LaunchDaemons/removeTempAdmin.plist
sleep 10



# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.
cat << 'EOF' > /Library/Application\ Support/JAMF/removeTempAdmin.sh
if id tempadmin &>/dev/null; then
    # Delete the temp admin user
    sudo sysadminctl -deleteUser tempadmin
    # Stop the launch daemon
    sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist
    # Delete the launch daemon
    sudo rm /Library/LaunchDaemons/removeTempAdmin.plist
    # Provide feedback to user
    sudo osascript -e "display dialog \"You administrative rights have ended.\" with title \"Temporary Admin Account\" buttons {\"OK\"} default button \"OK\""
fi
EOF

sudo chown root:wheel /Library/Application\ Support/JAMF/removeTempAdmin.sh
sudo chmod a+x /Library/Application\ Support/JAMF/removeTempAdmin.sh


# Create the temporary admin account.
if id "$adminUser" &>/dev/null; then
    # Delete the temporary admin account if account already exists then re-create
    sudo sysadminctl -deleteUser "$adminUser"
    sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin
    else
    # Create the temporary admin account
    sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin
fi



# Display message to display the temp admin account credentials and a button to copy the password to clipboard.
osascript <<EOF
set dialogText to "You now have administrative rights for 30 minutes using the following credentials:" & return & return & "Username is: $adminUser" & return & "Password is: $adminPassword" & return & return & "DO NOT ABUSE THIS PRIVILEGE..."
set copiedText to "$adminPassword"
set theDialog to display dialog dialogText with title "Temporary Admin Account" buttons {"Copy Password to Clipboard and Close Window"} default button "Copy Password to Clipboard and Close Window" with icon POSIX file "/usr/local/JamfConnectAssets/CardiffUniversity.png"
if button returned of theDialog is "Copy Password to Clipboard and Close Window" then
    set the clipboard to copiedText
end if
EOF

exit 0

MrMoore · ‎06-19-2024

Managed to develop this into a basic working solution using two scripts: one to create the temp admin account along with launch agents and daemons; and a second script to delete the temp admin account.

Works well but we're interested in a more feature rich commercial solution such as Elevate24 which includes MFA, improved logging and ongoing support.

View solution in original post

donmontalvo · ‎04-26-2024

#CharlesEdgeRIP

--
https://donmontalvo.com

Ismere · ‎04-29-2024

Hi,
the line

if id tempadmin &>/dev/null;

is going to return false and will never enter the then part of the removal script.
you can check this by simplydoing a short test on your system with:

if [ id NameofExistingUser &>/dev/null ]; then
echo "true"
else
echo "false"
fi

which just reminds one of the fact that one should always check there if statement outputs when possible

AJPinto · ‎04-29-2024

If the admin account you are creating inherits a Secure Token, you cannot use Jamf to delete it. To delete a Secure Token holding account, you need an account with a Secure Token. Jamf runs everything as root, which does not have a Secure token and in turn cannot modify a Secure Token holding account.

Though, I would question the security of creating a local admin account from CLI as the username and password can be intercepted simply enough by a malicious actor.

MrMoore · ‎04-29-2024

Thanks both.
@AJPinto - The command "sysadminctl -secureTokenStatus tempadmin" returns "Secure token is DISABLED for user tempadmin".
@Ismere - I updated the IF statement in the removal script but it didn't seem to have any effect. Instead, for troubleshooting, I removed the IF statement.

The removal script is now:

# Create a removal script using tee in a HERE document
tee /Library/Scripts/removeTempAdmin.sh << EOS
# Delete the temp admin user
#sudo sysadminctl -deleteUser tempadmin
#sudo dscl . -delete /Users/tempadmin
sudo jamf deleteAccount -username tempadmin -deleteHomeDirectory
# Provide feedback to user
sudo osascript -e "display dialog \"You administrative rights have ended.\" with title \"Temporary Admin Account\" buttons {\"OK\"} default button \"OK\""
# Bootout the launch daemon
sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist
# Delete the daemon
sudo rm /Library/LaunchDaemons/removeTempAdmin.plist
EOS

The three account deletion commands fail in the script yet all work manually via CLI. Bootout now works but the daemon isn't deleted. If delete the daemon first that will work but then bootout fails.

MrMoore · ‎06-19-2024

Managed to develop this into a basic working solution using two scripts: one to create the temp admin account along with launch agents and daemons; and a second script to delete the temp admin account.

Works well but we're interested in a more feature rich commercial solution such as Elevate24 which includes MFA, improved logging and ongoing support.

Jamf Nation Community

Cyber Essentials script to create a temporary separate admin account