Looking for some help with a script issue please.
I've written a script based on Charle Edge's https://github.com/jamf/MakeMeAnAdmin to use in a Cyber Essentials Mac build. Whilst the original script temporarily elevated the users privileges I want to create a temporary separate admin account.
Everything works well apart from the final stage (lines 50-65, labelled "# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.") to cleanup the admin account. This part of the script does work when run manually so I'm thinking it's an issue with permissions and/or ownership.
Any advice would be appreciated. Thanks
#!/bin/bash
###############################################
# "I need admin".
# John Moore, April 2024.
# Based on "MakeMeAnAdmin.sh" by Charles Edge, see https://github.com/jamf/MakeMeAnAdmin.
# This Jamf Self Service script will provide the user with access to a separate admin account for 30 minutes. After 30 minutes the admin account is deleted.
###############################################
# Get the current details
currentUser=$(who | awk '/console/{print $1}')
currentDate=$(date +"%Y-%m-%d")
currentTime=$(date +"%H:%M:%S")
# Define the temp admin account variables
adminUser="tempadmin"
adminPassword=$(openssl rand -base64 9)
# Log details of use of the temp admin account in Jamf policy history
echo "$currentUser has been provided with the following temporary admin credentials on $currentDate at $currentTime - $adminUser:$adminPassword"
# Write a daemon that will let you remove the temp admin account with another script and chmod/chown to make sure it'll run, then load the daemon.
# Create the plist
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist Label -string "removeTempAdmin"
# Add program argument to have it run the update script
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeTempAdmin.sh"
# Set the run inverval to run every 7 days
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist StartInterval -integer 1800
# Set run at load
sudo defaults write /Library/LaunchDaemons/removeTempAdmin.plist RunAtLoad -boolean yes
# Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeTempAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeTempAdmin.plist
# Load the daemon
launchctl bootstrap system /Library/LaunchDaemons/removeTempAdmin.plist
sleep 10
# Write a script for the launch daemon to run to delete the temporary admin account if it exists, delete the launch daemon then provide feedback to user.
cat << 'EOF' > /Library/Application\\ Support/JAMF/removeTempAdmin.sh
if id tempadmin &>/dev/null; then
# Delete the temp admin user
sudo sysadminctl -deleteUser tempadmin
# Stop the launch daemon
sudo launchctl bootout system /Library/LaunchDaemons/removeTempAdmin.plist
# Delete the launch daemon
sudo rm /Library/LaunchDaemons/removeTempAdmin.plist
# Provide feedback to user
sudo osascript -e "display dialog \\"You administrative rights have ended.\\" with title \\"Temporary Admin Account\\" buttons {\\"OK\\"} default button \\"OK\\""
fi
EOF
sudo chown root:wheel /Library/Application\\ Support/JAMF/removeTempAdmin.sh
sudo chmod a+x /Library/Application\\ Support/JAMF/removeTempAdmin.sh
# Create the temporary admin account.
if id "$adminUser" &>/dev/null; then
# Delete the temporary admin account if account already exists then re-create
sudo sysadminctl -deleteUser "$adminUser"
sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin
else
# Create the temporary admin account
sudo sysadminctl -addUser "$adminUser" -password "$adminPassword" -admin
fi
# Display message to display the temp admin account credentials and a button to copy the password to clipboard.
osascript <<EOF
set dialogText to "You now have administrative rights for 30 minutes using the following credentials:" & return & return & "Username is: $adminUser" & return & "Password is: $adminPassword" & return & return & "DO NOT ABUSE THIS PRIVILEGE..."
set copiedText to "$adminPassword"
set theDialog to display dialog dialogText with title "Temporary Admin Account" buttons {"Copy Password to Clipboard and Close Window"} default button "Copy Password to Clipboard and Close Window" with icon POSIX file "/usr/local/JamfConnectAssets/CardiffUniversity.png"
if button returned of theDialog is "Copy Password to Clipboard and Close Window" then
set the clipboard to copiedText
end if
EOF
exit 0