Posted on 11-09-2015 10:42 AM
This isn't directly JAMF related but may be useful to someone once it's working?
I have a script that installs a certificate, then echoes whether or not it's installed afterwards. I'd like to add a check to the beginning to stop the script if a non Active Directory user is logged in, but my Script Fu is not yet strong enough. It runs the check, but I'm getting "line 5: [: andrew.may: integer expression expected" returned. Any ideas how to clean it up?
The AD check is from @yr_joelbruner and the Cert check pinched from @ctangora, thank you!
#!/bin/sh
username=$(stat -f%Su /dev/console)
if [ "$username" -lt 1024 ]; then
echo "Non AD user - stopping script"
elif
#install cert from tmp
security add-trusted-cert -d -r trustAsRoot -k "/Users/$username/Library/Keychains/login.keychain" "/private/var/tmp/ourserver.ourdomain.com.cer"
#Check cert is installed
cert_name="ourserver.ourdomain.com"
desired_keychain="/Users/$username/Library/Keychains/login.keychain"
[[ `security find-certificate -c "$cert_name" $desired_keychain 2>/dev/null` ]]; then
echo "installed $cert_name to $username keychain"
else
echo "certificate not installed"
exit 1
fi
Posted on 11-09-2015 10:52 AM
Hi May - hope this helps. -t-
#!/bin/sh
username=$(stat -f%Su /dev/console)   # name of the console user (needed for the keychain path below)
userid=$(id -u "$username")            # numeric UID of that user, so -lt compares integers
if [ "$userid" -lt 1024 ]; then
    echo "Non AD user - stopping script"
    exit 1
fi #fi ends, not elif to end
#install cert from tmp
security add-trusted-cert -d -r trustAsRoot -k "/Users/$username/Library/Keychains/login.keychain" "/private/var/tmp/ourserver.ourdomain.com.cer"
# the security subcommand is find-certificate; search the user's login keychain explicitly
certExists=$(security find-certificate -c ourserver.ourdomain.com "/Users/$username/Library/Keychains/login.keychain" 2>/dev/null)
if [ -z "$certExists" ]; then #-z means if variable is empty
    echo "Cert not installed"
else
    echo "Cert is installed"
fi
Posted on 11-09-2015 10:53 AM
Try taking out the double quotes around $username in the first if statement.
Edit: And yeah, you need the UID, not the username (as mentioned below this).
Posted on 11-09-2015 10:54 AM
You are trying to compare a string to an integer. You need to add another step where you take the logged in user and get their UID.
userID=$(id "$username" | awk '{print $1}' | sed 's/uid=\([0-9]*\).*/\1/')   # keep only the digits of uid=NNN(name)
Then do your TEST on that.
EDIT: Or you could just do id -u :)
Posted on 11-09-2015 11:00 AM
As already mentioned, you have to get the user ID or UID of the account, not the name.
However, it's been pointed out on other threads that technically that info can be spoofed under a local account fairly easily, so it's not a 100% guarantee that it's catching all local accounts. It should be safe, but I personally look for the OriginalAuthenticationAuthority key in the dscl record of the account, since only AD cached local accounts seem to contain that, and it's far less likely to be spoofed than the UID.
#!/bin/sh
username=$(stat -f%Su /dev/console)
# cached AD (mobile) accounts carry OriginalAuthenticationAuthority; local accounts return nothing
if [[ $(dscl . read "/Users/$username" OriginalAuthenticationAuthority 2>/dev/null) == "" ]]; then
    echo "Non AD user - stopping script"
    exit
else
    <rest of script>.....
fi
Posted on 11-09-2015 11:22 AM
You can take out the "S" from the stat format string
Then you get the numeric value of the user (not the String)
consoleUserID=$(stat -f %u /dev/console)
if [ "$consoleUserID" -lt 1024 ]; then
...
BTW @yr_joelbruner has been retired - long live @brunerd :]
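Pulling the two suggestions above together (the numeric UID from stat -f %u, and the OriginalAuthenticationAuthority attribute from dscl), here is an added example script that is not from any post in this thread. The decision logic takes the UID and the dscl output as plain arguments, so it can be exercised with constructed values on any machine; only the console_account_is_ad wrapper calls the macOS tools. It also validates that the UID is numeric before the -lt test, which is exactly the check the original "integer expression expected" error was missing. The sample attribute string below is constructed and only has to be non-empty for the check; the function and variable names are this example's own.

```bash
#!/bin/bash
# Added example, not code from the thread. Combines the numeric-UID check and the
# dscl OriginalAuthenticationAuthority check into one fail-closed decision.

# Return 0 if $1 is a non-empty string of digits, 1 otherwise.
# Guards the integer test: "[ andrew.may -lt 1024 ]" is the error from the
# original post, and an empty value (no console owner) would fail the same way.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Decide whether an account looks like an AD-backed (mobile) account.
#   $1 = UID as produced by "stat -f %u /dev/console"
#   $2 = output of "dscl . read /Users/<name> OriginalAuthenticationAuthority" ("" if absent)
# Returns 0 for AD, 1 for local/unknown. Both tests must pass: AD accounts get
# UIDs of 1024 and above, and only cached AD accounts carry the attribute.
# Anything malformed is treated as local, so a caller that stops on "local"
# fails closed instead of erroring out.
account_is_ad() {
    uid="$1"
    authority="$2"
    is_numeric "$uid" || return 1
    [ "$uid" -ge 1024 ] || return 1
    [ -n "$authority" ] || return 1
    return 0
}

# Same decision as a printable label, handy for logging from a policy script.
account_kind() {
    if account_is_ad "$1" "$2"; then echo ad; else echo local; fi
}

# Live wrapper for macOS: reads the console owner's UID and name with stat and
# the attribute with dscl (the same commands the thread uses).
console_account_is_ad() {
    uid=$(stat -f %u /dev/console 2>/dev/null)
    name=$(stat -f %Su /dev/console 2>/dev/null)
    authority=$(dscl . read "/Users/$name" OriginalAuthenticationAuthority 2>/dev/null)
    account_is_ad "$uid" "$authority"
}

# Stand-alone run: on macOS report the console user; elsewhere walk through
# constructed cases (the attribute text below is made up for the demonstration).
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    if console_account_is_ad; then echo "console user: ad"; else echo "console user: local"; fi
else
    sample_auth='OriginalAuthenticationAuthority: ;Kerberosv5;;user@EXAMPLE.COM;EXAMPLE.COM;'
    echo "uid 1234 with attribute -> $(account_kind 1234 "$sample_auth")"
    echo "uid 501 without attribute -> $(account_kind 501 '')"
    echo "name instead of uid -> $(account_kind andrew.may '')"
fi
```

In a JAMF policy the script runs as root, so "id -u" would always report 0; reading the owner of /dev/console is what ties the check to the user who is actually logged in.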
Posted on 11-09-2015 12:53 PM
Thank you all for the input
This one now works
#!/bin/sh
username=$(stat -f%Su /dev/console)
if [[ $(dscl . read "/Users/$username" OriginalAuthenticationAuthority 2>/dev/null) == "" ]]; then
    echo "Non AD user - stopping script"
    exit 0
else
    security add-trusted-cert -d -r trustAsRoot -k "/Users/$username/Library/Keychains/login.keychain" "/private/var/tmp/ourserver.ourdomain.com.cer"
    #Check cert is installed
    cert_name="ourserver.ourdomain.com"
    desired_keychain="/Users/$username/Library/Keychains/login.keychain"
    if [[ $(security find-certificate -c "$cert_name" "$desired_keychain" 2>/dev/null) ]]; then
        echo "installed $cert_name to $username keychain"
    else
        echo "certificate not installed"
        exit 1
    fi
fi
Vive @brunerd