Posted on 07-28-2023 02:21 PM - last edited on 09-07-2023 07:27 AM by JoeyD
I have been working on my own "make me an admin" script. I recently got a version of this script working. It displays a Jamf Helper window with a countdown timer. When the timer runs out, the user is demoted back to standard. If the user is already an admin user, they will see a Jamf Helper window telling them that they are already an admin. These functions of the script are working exactly as they should.

This morning, I added a new function. This one checks if the user created any additional admin accounts while they were an admin. The script is supposed to start out writing a list of the current admin users to a text file. After the user is demoted back to standard, the same command to write the current admin users to a text file is run again, but with a different file name. I use a "diff" command to check the difference between the two text files with the list of admin users. When I test this new function separately from the rest of the script, my text files get created and the "diff" command does exactly what it is supposed to do. The script should create three text files: admin-1.txt, admin-2.txt, and then a file called unauthorized_admin_account.txt if another admin account was created. I was going to use an extension attribute to check for the presence of "unauthorized_admin_account.txt".

For some reason, the script is not creating the text files. The policy log shows a "no such file or directory" error when the commands are run to read the contents of the files. I'm totally open to using another method of detecting additional admin accounts. What could I be doing wrong? As I said, the commands to create the files, read their contents, and compare the differences between them work when they're used outside of the script. Here's my script below. You will see that I use a lot of echo commands. I do this so I can track each step in the script as I read the policy log. I would appreciate help on this.
I know that there are a lot of other scripts available but I wanted to write one myself.
#!/bin/zsh
# Timer setting (seconds), passed in as Jamf policy parameter 4
tempSeconds="$4"
# Who is the current logged in user?
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
# Who are the current admin users? Wrapped in a function so the list can be
# re-read after the user is demoted; a variable captured once at the top would
# make both snapshots identical and the comparison could never fire.
getAdminUsers() {
    /usr/bin/dscacheutil -q group -a name admin | /usr/bin/grep -e "users:" | /usr/bin/sed -e 's/users: //' -e 's/ $//'
}
adminUsers=$(getAdminUsers)
# Jamf Helper path
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Check if the user is already an admin. The first word of the output is "yes" or "no".
isAdmin=$(/usr/sbin/dseditgroup -o checkmember -m "$currentUser" admin | /usr/bin/awk '{print $1}')
echo "Is $currentUser an admin? $isAdmin."
# If the user is already admin, display a message.
if [ "$isAdmin" = "yes" ]; then
    echo "$currentUser is already an Admin"
    "$jamfHelper" -windowType utility \
        -windowPosition ur \
        -title "Your Company Here" \
        -heading "You are already an admin user" \
        -alignHeading middle \
        -description "You are already an admin user. If you are experiencing trouble please contact support." \
        -alignDescription natural \
        -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
        -iconSize 36 \
        -button1 "OK" \
        -defaultButton 1
else
    # Elevating user to admin. Writing a list of the current admin accounts to a text file to be checked later.
    # Overwrite (>) rather than append (>>) so a list left over from an earlier run cannot skew the comparison.
    echo "$adminUsers" > /private/var/tmp/MMA/admin-1.txt
    echo "$currentUser is not an admin user"
    echo "Elevating $currentUser to admin"
    /usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
    # Display a window showing how much time is left as an admin using Jamf Helper.
    echo "Displaying Jamf Helper window with timer."
    "$jamfHelper" -windowType utility \
        -windowPosition ur \
        -title "Your Company Here" \
        -heading "Temporary Admin Rights Granted" \
        -alignHeading middle \
        -description "Please perform your required tasks. Admin rights will be removed when the timer below ends." \
        -alignDescription natural \
        -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UnlockedIcon.icns" \
        -iconSize 36 \
        -button1 "Done" \
        -defaultButton 1 \
        -timeout "$tempSeconds" \
        -countdown \
        -countdownPrompt "Admin rights will be removed in " \
        -alignCountdown center
    # Removing admin rights.
    echo "Timer has run out. Removing admin rights and running recon"
    /usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
    # Checking if new admin accounts have been created while the user was granted admin rights.
    # Re-read the admin group now instead of reusing the list captured before elevation.
    echo "Checking if new admin accounts have been created."
    adminUsers=$(getAdminUsers)
    echo "$adminUsers" > /private/var/tmp/MMA/admin-2.txt
    admin1=$(cat /private/var/tmp/MMA/admin-1.txt)
    admin2=$(cat /private/var/tmp/MMA/admin-2.txt)
    if [ "$admin1" != "$admin2" ]; then
        # diff the two single-line lists, strip the original list out of the diff output,
        # and keep whatever account name is left over.
        newAdmin=$(diff <(echo "$admin1") <(echo "$admin2") | sed -e "s/$admin1//" | /usr/bin/awk '{print $2}' | sed '/^[[:space:]]*$/d')
        echo "An unauthorized admin account has been created."
        echo "$newAdmin" >> /private/var/tmp/MMA/unauthorized_admin_account.txt
    else
        echo "No additional admin accounts have been created."
    fi
    /usr/local/jamf/bin/jamf recon
fi
exit 0
Posted on 07-30-2023 11:10 AM
Hey @howie_isaacks the most likely reason for this issue is that the "MMA" folder in the path of /private/var/tmp/ doesn't exist unless you are creating it beforehand. Simply running
echo "$adminUsers" >> /private/var/tmp/MMA/admin-1.txt
in your script isn't going to create this intermediate folder. You would need to add a line like this up near the top of your script
mkdir -p "/private/var/tmp/MMA"
That way when you get to the point of trying to echo the results out to a file, it can access the directory you're pointing it to.
Posted on 07-31-2023 07:28 AM
Well duh! I can't believe I didn't think about that! I think in my initial testing, I had created the folder path first. The text files get created now but I've run into another issue that I am working on.
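The before/after comparison the thread is building, written out as an added example that is not the original poster's script or anything from Jamf. It creates the state directory with `mkdir -p` first (the bug diagnosed above), turns each admin-group snapshot into one sorted name per line, and uses `comm -13` to list the accounts that exist only in the second snapshot, so it works whatever order the members come back in and also when more than one account was added. The function names, the `MMA_DEMO` directory and the two `SAMPLE_*` strings are assumptions made for this example; the sample strings are constructed to look like `dscacheutil -q group -a name admin` output and stand in for running that command on a Mac.

```shell
# Added example, not code from the thread. Compare two snapshots of the
# admin group and record the accounts that appeared in between.

export LC_ALL=C   # comm(1) needs both inputs sorted under the same collation

# Turn dscacheutil-style group output into one member per line, sorted,
# so two snapshots can be compared with comm(1) regardless of member order.
admin_members() {
    printf '%s\n' "$1" | awk '/^users:/ { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# Write both snapshots under state_dir (created first: a bare redirect does
# not create a missing parent directory) and leave the accounts present only
# in the second snapshot in unauthorized_admin_account.txt.
# Returns 0 (true) when at least one new admin account was found.
check_new_admins() {
    state_dir="$1"; before="$2"; after="$3"
    mkdir -p "$state_dir"
    admin_members "$before" > "$state_dir/admin-1.txt"
    admin_members "$after"  > "$state_dir/admin-2.txt"
    # -13 suppresses lines only in file 1 and lines common to both,
    # leaving the names that appear only in admin-2.txt.
    comm -13 "$state_dir/admin-1.txt" "$state_dir/admin-2.txt" \
        > "$state_dir/unauthorized_admin_account.txt"
    [ -s "$state_dir/unauthorized_admin_account.txt" ]
}

# Constructed sample output standing in for
#   dscacheutil -q group -a name admin
# on a real Mac. The second snapshot has an extra member and a different order.
SAMPLE_BEFORE='name: admin
password: *
gid: 80
users: root localadmin howie'
SAMPLE_AFTER='name: admin
password: *
gid: 80
users: localadmin root howie backdoor'

# Stand-alone run against the constructed snapshots (assumed directory name).
demo_dir=$(mktemp -d -t MMA_DEMO.XXXXXX)
if check_new_admins "$demo_dir" "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "New admin account(s) found:"
    cat "$demo_dir/unauthorized_admin_account.txt"
else
    echo "No additional admin accounts have been created."
fi
```

In the real script the two snapshots are taken before `dseditgroup -o edit -a` and after `dseditgroup -o edit -d`, so the temporary admin is absent from both and does not show up as a difference. Two caveats a practitioner would want: /private/var/tmp is world-writable and the user holds admin rights for the whole window, so they can edit admin-1.txt or simply kill the script before demotion; keep the snapshots in a directory only root can write and treat the extension attribute as a hint, not a control. And because the script grants admin rights, it is also the user's chance to do things the group comparison will never see (for example promoting an existing account to admin is caught, but creating a non-admin account with a known password is not), so audit the policy log and the jamf recon inventory as well.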