Posted on 06-23-2020 03:12 PM
I tried the script and it gave admin yet didn't remove it.
I checked when the script originally ran and all the files were created in the correct locations.
The only things I changed were the notification and the time.
My plan is to run the script with a policy for users that plan to install drivers and some manual updates, and other admin items while we are all working remotely and give them 24 hours to do it and just add/remove clients to the policy as needed.
We haven't trained staff for Self Service.
The script successfully granted admin on my test machine yet it didn't remove it and from what I can tell all the files that were created are gone.
I'm not sure how to troubleshoot.
Any help is greatly appreciated.
#!/bin/bash
###############################################
# This script will provide temporary admin
# rights to a standard user right from self
# service. First it will grab the username of
# the logged in user, elevate them to admin
# and then create a launch daemon that will
# count down from 24 hours and then create
# and run a secondary script that will demote
# the user back to a standard account. The
# launch daemon will continue to count down
# no matter how often the user logs out or
# restarts their computer.
###############################################
#############################################
# find the logged in user and let them know
#############################################
currentUser=$(who | awk '/console/{print $1}')
echo "$currentUser"
# osascript -e 'display dialog "You now have administrative rights for 30 minutes. DO NOT ABUSE THIS PRIVILEGE..." buttons {"Make me an admin, please"} default button 1'
#########################################################
# write a daemon that will let you remove the privilege
# with another script and chmod/chown to make
# sure it'll run, then load the daemon
#########################################################
#Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
#Add program argument to have it run the removal script
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
#Set the run interval to 24 hours (86400 seconds)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 86400
#Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
#Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
#Load the daemon now, before the removal script exists, so the RunAtLoad
#run does nothing; the 86400-second timer starts from this point
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10
#########################
# make file for removal
#########################
#Overwrite rather than append so the file always holds exactly one username
mkdir -p /private/var/userToRemove
echo "$currentUser" > /private/var/userToRemove/user
##################################
# give the user admin privileges
##################################
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
########################################
# write a script for the launch daemon
# to run to demote the user back and
# then pull logs of what the user did.
########################################
#The destination path contains a space and must be quoted; unquoted, the
#heredoc is written to /Library/Application and the removal script never exists
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/sh
if [ -f /private/var/userToRemove/user ]; then
userToRemove=$(cat /private/var/userToRemove/user)
echo "Removing $userToRemove's admin privileges"
/usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
rm -f /private/var/userToRemove/user
# Collect the logs for the whole 24-hour window before unloading the daemon,
# since unloading can terminate this script
log collect --last 24h --output "/private/var/userToRemove/$userToRemove.logarchive"
launchctl unload /Library/LaunchDaemons/removeAdmin.plist
rm -f /Library/LaunchDaemons/removeAdmin.plist
fi
EOF
exit 0
Posted on 06-23-2020 11:05 PM
Hi @llitz123 ,
I'm not sure setting the StartInterval for 24 hours would be ideal in this situation. Since you are requiring reboots etc, the LaunchDaemons might only run after 24 hours of continuously being on. From what I have observed, most LaunchDaemons that run past an hour usually utilize a RunAtLoad or KeepAlive option key.
It may be better to instead capture the current time and schedule the LaunchDaemon to run 24 hours later using the StartCalendarInterval option instead.
Alternatively, the Privileges.app may be better suited for your needs.
Posted on 06-24-2020 05:44 AM
Hi @shaquir
Thanks for the info. Admittedly I'm not too proficient with any of these components.
I will amend my expirations and process, try a shorter window, and look into Privileges.app.
Thanks.
Posted on 06-29-2020 12:30 PM
Well, a new fun wrinkle. The script somehow eventually finished. I checked in JAMF for the test user who had admin and they no longer have it. I have no idea when the action took place and the test machine is remote without easy access, so I may never know. It was definitely longer than 24 hours....
Posted on 06-30-2020 06:17 AM
Hi @llitz123,
I'd guess the machine eventually had an uptime of 24 hours which would have triggered the launchDaemon script to demote the user.
If you'd like to ensure it runs exactly 24 hours later, you could test adding this to your script:
#Place current hour and minute into a variable
hour=$(date +"%H")
minute=$(date +"%M")
#Set the run interval to run once daily at the same time
defaults write /Library/LaunchDaemons/removeAdmin.plist StartCalendarInterval -dict Hour -int $hour Minute -int $minute
This should allow the demotion of the user's account to happen the same time on following day (as long as the machine is on at that time). It's set to run on a daily basis, but once it runs, it will be deleted so it shouldn't be an issue.
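An added example (not the poster's script or anything from Jamf) of the wall-clock idea in this reply, taken one step further: record the grant time as an absolute expiry epoch, and let a daemon with RunAtLoad plus a short StartInterval demote only once that epoch has passed, so neither a reboot nor 24 hours of sleep resets the countdown. The expiry file path, the 5-minute interval and the use of launchctl bootout in place of unload are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: keep the deadline as an absolute
# wall-clock epoch instead of a 24-hour StartInterval, and let the daemon
# re-check every 5 minutes (RunAtLoad covers reboots). Paths are assumed.
EXPIRY_FILE="/private/var/userToRemove/expiry"        # assumed location
PLIST="/Library/LaunchDaemons/removeAdmin.plist"
WINDOW_SECONDS=$((24 * 60 * 60))
# Epoch at which rights granted at epoch $1 should lapse.
expiry_for() {
    echo $(( $1 + WINDOW_SECONDS ))
}
# True (exit 0) once "now" ($2) has reached the recorded expiry ($1).
is_expired() {
    [ "$2" -ge "$1" ]
}

# Run from the Jamf policy (as root) right after dseditgroup -a.
record_grant() {
    mkdir -p "$(dirname "$EXPIRY_FILE")"
    expiry_for "$(date +%s)" > "$EXPIRY_FILE"
}

# Write the daemon plist to $1; the short StartInterval means a missed
# deadline is caught within 5 minutes of the Mac being awake again.
write_daemon_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>removeAdmin</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Library/Application Support/JAMF/removeAdminRights.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict></plist>
EOF
    chmod 644 "$1"
}

# Body for removeAdminRights.sh: demote user $1 only after the deadline.
check_and_demote() {
    [ -f "$EXPIRY_FILE" ] || return 0
    is_expired "$(cat "$EXPIRY_FILE")" "$(date +%s)" || return 0
    /usr/sbin/dseditgroup -o edit -d "$1" -t user admin
    rm -f "$EXPIRY_FILE"
    rm -f "$PLIST"
    launchctl bootout system/removeAdmin   # stops this job, so it goes last
}
```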
Posted on 06-30-2020 06:27 AM
Hi @shaquir
I get it now!
Thanks so much for your insight and assistance.
Should your code replace this in the script?:
#Set the run interval to run every 7 days
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 86400
I'll test with the new info.
Thanks.
Posted on 06-30-2020 07:36 AM
While probably redundant, it'd be fine if you keep that line since the cleanup script will only run once.
Also, to further ensure it doesn't run immediately, probably unlikely, but you could change the minute to the top of the hour:
minute="0"