Question

User permissions script/launch daemon


  • Valued Contributor
  • 131 replies

Could anyone assist with combining these two scripts? One temporarily promotes the logged-in user (taken from MakeMeAdmin) and the other demotes that user and any accounts that were created or elevated during their temporary admin period.


Promote - 

```bash
#!/bin/bash
###############################################
# This script will provide temporary admin    #
# rights to a standard user right from self   #
# service. First it will grab the username of #
# the logged in user, elevate them to admin   #
# and then create a launch daemon that will   #
# count down for the StartInterval set below  #
# (180 seconds here) and then create and run  #
# a secondary script that will demote the     #
# user back to a standard account. The launch #
# daemon will continue to count down no       #
# matter how often the user logs out or       #
# restarts their computer.                    #
###############################################

#############################################
# find the logged in user and let them know #
#############################################
currentUser=$(who | awk '/console/{print $1}')
echo "$currentUser"

#########################################################
# write a daemon that will let you remove the privilege #
# with another script and chmod/chown to make           #
# sure it'll run, then load the daemon                  #
#########################################################
#Create the plist
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
#Add program argument to have it run the removal script (the TestFolder directory must already exist)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/TestFolder/removeAdminRights.sh"
#Set the run interval in seconds (180 = 3 minutes, matching the dialog at the end)
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 180
#Set run at load
sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
#Set ownership
sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
#Load the daemon
launchctl load /Library/LaunchDaemons/removeAdmin.plist
sleep 10

#########################
# make file for removal #
#########################
if [ ! -d /private/var/userToRemove ]; then
    mkdir /private/var/userToRemove
    echo "$currentUser" >> /private/var/userToRemove/user
else
    echo "$currentUser" >> /private/var/userToRemove/user
fi

##################################
# give the user admin privileges #
##################################
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin

########################################
# write a script for the launch daemon #
# to run to demote the user back and   #
# then pull logs of what the user did. #
########################################
# quoted 'EOF' so nothing below expands until the daemon runs the generated script
cat << 'EOF' > "/Library/Application Support/TestFolder/removeAdminRights.sh"
if [[ -f /private/var/userToRemove/user ]]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
    rm -f /private/var/userToRemove/user
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 3m --output /private/var/userToRemove/$userToRemove.logarchive
fi
EOF

#prompt
osascript -e 'display dialog "You now have administrative privileges for 3 minutes." buttons {"OK"} default button 1'
exit 0
```


Demote All Users - 

```sh
#!/bin/sh
logfile="/var/log/FixLocalAdmin.log"

# note: a shell function named log shadows the /usr/bin/log binary for the rest of this script
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logfile"
}

# "GroupMembership: " is 17 characters, so cutting from column 18 leaves only the member names
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "jssadmin" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then log "Removed user $user from admin group"; fi
    else
        log "Admin user $user left alone"
    fi
done
```



mm2270
  • Legendary Contributor
  • 7880 replies
  • September 9, 2022

Why do you want to combine them exactly? They are 2 separate (but related) scripts for a reason since they're used at different times.


  • Author
  • Valued Contributor
  • 131 replies
  • September 9, 2022
mm2270 wrote:

Why do you want to combine them exactly? They are 2 separate (but related) scripts for a reason since they're used at different times.


I think I explained it briefly: the first one will promote a standard user for X time and demote that same user; the second script will run a check for other admin accounts and demote them, in case the user created or promoted other local accounts. Things like the Privileges app do not meet our needs either.


mm2270
  • Legendary Contributor
  • 7880 replies
  • September 9, 2022
walt wrote:

I think I explained it briefly: the first one will promote a standard user for X time and demote that same user; the second script will run a check for other admin accounts and demote them, in case the user created or promoted other local accounts. Things like the Privileges app do not meet our needs either.


OK, I think I see what you're after. You would want to edit this section in the first script:

```sh
if [[ -f /private/var/userToRemove/user ]]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
    rm -f /private/var/userToRemove/user
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 3m --output /private/var/userToRemove/$userToRemove.logarchive
fi
```


To this:

```sh
if [[ -f /private/var/userToRemove/user ]]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d $userToRemove -t user admin
    rm -f /private/var/userToRemove/user
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    # full path on purpose: once a shell function named log exists, a bare 'log' would call it instead of the system binary
    /usr/bin/log collect --last 3m --output /private/var/userToRemove/$userToRemove.logarchive
    # "GroupMembership: " is 17 characters, so cutting from column 18 leaves only the member names
    adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
    for user in $adminUsers; do
        if [ "$user" != "root" ] && [ "$user" != "jssadmin" ]; then
            dseditgroup -o edit -d $user -t user admin
            if [ $? = 0 ]; then
                log "Removed user $user from admin group"
            fi
        else
            log "Admin user $user left alone"
        fi
    done
fi
```


You can also add this section to the top of the script somewhere so the log command will work.

```sh
logfile="/var/log/FixLocalAdmin.log"

# this must live in the generated removeAdminRights.sh (inside the heredoc) for the log calls above to resolve
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S: ") $1" >> "$logfile"
}
```
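The sweep that the question asks for and that mm2270 folds into removeAdminRights.sh, written here as an added example rather than code from the thread: the dscl parsing, the allowlist decision and the privileged dseditgroup call are separated so the decision logic can be dry-run on any POSIX shell. The KEEP_ADMINS list, the DRY_RUN switch and the sample membership line are assumptions, and the logging helper is deliberately not called log so it cannot shadow /usr/bin/log.

```shell
#!/bin/sh
# Added example, not code from the thread: the "demote everyone except an
# allowlist" sweep mm2270 folds into removeAdminRights.sh, split so the
# decision logic runs on any POSIX shell without dscl or dseditgroup.
# Accounts that keep admin during a sweep (list itself is an assumption;
# jssadmin is the management account named in the thread).
KEEP_ADMINS="root jssadmin"
LOGFILE="${LOGFILE:-/var/log/FixLocalAdmin.log}"

# Named write_log, not log: a shell function called log would shadow
# /usr/bin/log, which the removal script still needs for 'log collect'.
write_log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S:')" "$1" >> "$LOGFILE"
}

# Strip the "GroupMembership:" label from dscl output by name rather than
# with 'cut -c 18-', so a changed label width cannot return junk.
parse_admins() {
    sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# stdin: space-separated members; stdout: one account per line to demote.
select_demotions() {
    members=$(cat)
    for user in $members; do
        keep=0
        for k in $KEEP_ADMINS; do
            [ "$user" = "$k" ] && keep=1
        done
        [ "$keep" -eq 0 ] && printf '%s\n' "$user"
    done
    return 0
}

# The privileged action, isolated so DRY_RUN=1 can stand in for it.
demote() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'would demote %s\n' "$1"; return 0; fi
    /usr/sbin/dseditgroup -o edit -d "$1" -t user admin
}

# Full sweep over one 'dscl . -read Groups/admin GroupMembership' line.
demote_all_but_allowlist() {
    printf '%s\n' "$1" | parse_admins | select_demotions | while read -r user; do
        if demote "$user"; then write_log "Removed $user from admin group"
        else write_log "Failed to demote $user"; fi
    done
}

# Constructed sample of dscl output on a Mac with two extra admins.
SAMPLE_MEMBERSHIP='GroupMembership: root jssadmin walt helper'
```

Running `DRY_RUN=1 demote_all_but_allowlist "$(dscl . -read Groups/admin GroupMembership)"` on a Mac shows who a real sweep would touch before anything is changed.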



  • Author
  • Valued Contributor
  • 131 replies
  • September 9, 2022
mm2270 wrote:

OK, I think I see what you're after. You would want to edit this section in the first script:

Thank you, yeah, I wasn't sure where to add the lookup for the existing admins. It seemed that when I tried to do the if statement for the existing admins it wasn't added in correctly. I'll mess around with this a bit more. Alternatively, it worked as two separate scripts, but the timing was off.

