why is sudo yelling at me in this script??

teodle
Contributor II

Just a little thing to replace our old mount share script, which had a ton of osascript tell blocks that would generate PPPC dialog boxes for our users.

This new script has been tested and it works. If it's a Directory User, then the share just mounts. If it's a local user, then they get prompted for their AD credentials, as expected.  But no matter whether the mount fails (due to user off campus and not connected to VPN) or succeeds, I always get a "usage" nag from sudo in the logs (see below).  I believe I'm using sudo -u correctly. Why is it complaining?


CURRENTUSER="$(stat -f%Su /dev/console)"

SERVER=$4
SHARE=$5
PROTOCOL=smb ###for our purposes smb is the only game in town. This could be modified to be a JAMF variable if necessary. 
STRING='"'$PROTOCOL://$SERVER/$SHARE'"'

sudo -u $CURRENTUSER
if /sbin/ping -q -c 1 $SERVER &> /dev/null
then
echo "Share host $SERVER is responding. Mounting share...";
#
#
# Mount share:
/usr/bin/osascript -e "try" -e "mount volume $STRING" -e "end try"
#
exit 0
else
#
##declare variable for JAMF notifications
MA="/Library/Application Support/JAMF/bin/Management Action.app/Contents/MacOS/Management Action"
#
"$MA" -title "JAMF Management Notification" -message  "On campus users - please connect to Secure  wifi (not Guest wifi)  and try connecting again. Off campus users - please connect to VPN and try connecting again."

exit 1
fi
Script result:

usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-C num] [-D directory] [-g group] [-h host] [-p
            prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s]
            [<command>]
usage: sudo -e [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt]
            [-R directory] [-T timeout] [-u user] file ...



sdagley
Esteemed Contributor II

@teodle You didn't actually run the line after your "sudo -u $CURRENTUSER" as $CURRENTUSER, because the line ending terminates the sudo command rather than causing everything afterwards to run as $CURRENTUSER. Look at the following article for a better way to run a command in the logged in user's context:

https://scriptingosx.com/2020/08/running-a-command-as-another-user/
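The pattern that article describes, written out as an added example for this thread (not code from any of the posts, and not the article's text): the command goes on the same line as sudo, and launchctl asuser places it in the console user's session so mount volume runs in that user's context. Assumes macOS, and the same $4/$5 policy parameters as the original script.

```shell
#!/bin/bash
# Added example. The bug in the thread is a bare "sudo -u $CURRENTUSER" line:
# sudo gets no command, prints its usage text and exits, and every line after
# it still runs as the policy's user (root). The fix is to hand sudo the
# command on the same line, via a helper.

# Console user; "loginwindow" or "root" means nobody is logged in at the GUI.
consoleUser() { stat -f%Su /dev/console; }

# Run "$@" as the console user. Returns 1 (instead of silently running the
# command as root) when no command is given or no user is logged in.
runAsConsoleUser() {
  [ "$#" -gt 0 ] || { echo "runAsConsoleUser: no command given" >&2; return 1; }
  local user uid
  user=$(consoleUser)
  case "$user" in
    loginwindow|root|"") echo "no console user logged in" >&2; return 1 ;;
  esac
  uid=$(id -u "$user")
  # launchctl asuser targets the user's GUI session so osascript and
  # "mount volume" act in that session; sudo -u drops privileges to that user.
  launchctl asuser "$uid" sudo -u "$user" "$@"
}

# Build protocol://server/share once, without the nested quotes of the
# thread's STRING variable; quoting happens at the osascript call instead.
shareURL() { printf '%s://%s/%s' "$1" "$2" "$3"; }

# Jamf policy entry point: $4 = server, $5 = share (assumed, as in the thread).
main() {
  local url
  url=$(shareURL smb "$4" "$5")
  if /sbin/ping -q -c 1 "$4" >/dev/null 2>&1; then
    runAsConsoleUser /usr/bin/osascript -e "try" -e "mount volume \"$url\"" -e "end try"
  else
    echo "Share host $4 is not responding" >&2
    return 1
  fi
}

# Only the macOS-specific part runs unconditionally; the helpers can be sourced elsewhere.
if [ "$(uname)" = "Darwin" ]; then main "$@"; fi
```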


teodle
Contributor II

@sdagley I guess the question I really want to answer is why the script (run as a Self Service Policy) does exactly what I want it to, even with the incorrect sudo usage? To me it certainly appears that it's running the script as the logged in user, not as any other user. 

If a logged in directory user runs the script, it immediately mounts the share with the correct folder permissions based on that account's AD Group Membership. Just what we want. 

If a local account runs it, it prompts for credentials and populates the local account name in the user field, just as it would if you manually input the server/share path in Finder from Command+K. Again just what we want.

As an example, I just now created a brand new local account on this mac called "test." I logged in as test and ran the SS policy that calls the script above. Here's the result:

[attached screenshot: test why it work_.png]

sdagley
Esteemed Contributor II

@teodle Without doing any actual research on the issue I'd also agree it appears that the mount volume call decides to use the logged in user as the context for the mount rather than root.

Fluffy
Contributor III

I was able to replicate the same results with a script I am working on. I know the script works without sudo with the current user, so I put it a line above:

#!/bin/bash

CURRENTUSER="$(stat -f%Su /dev/console)"

sudo -u $CURRENTUSER 
if [[ $(pgrep -q -f Firefox; echo $?) -eq 0 ]]; then
	echo "Running."
fi

exit 0

It returns the echo "Running" which means the command successfully executed:

Running.
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-C num] [-D directory] [-g group] [-h host] [-p
            prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s]
            [<command>]
usage: sudo -e [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt]
            [-R directory] [-T timeout] [-u user] file ...

This is more to validate your results than to explain them. I'm quite new to scripting, but my guess would be it has something to do with osascript and how OSA languages work. It may run as the user instead of root.

Samstar777
Contributor II

Hello Teodle,

I believe you missed adding double quotes to your variable and forgot to add the shebang; try below:

#!/bin/bash
CURRENTUSER="$(stat -f%Su /dev/console)"

SERVER=$4
SHARE=$5
PROTOCOL=smb ###for our purposes smb is the only game in town. This could be modified to be a JAMF variable if necessary.
STRING='"'$PROTOCOL://$SERVER/$SHARE'"'

sudo -u "$CURRENTUSER"
if /sbin/ping -q -c 1 "$SERVER" &> /dev/null
then
echo "Share host $SERVER is responding. Mounting share...";
#
# Mount share:
/usr/bin/osascript -e "try" -e "mount volume $STRING" -e "end try"
#
exit 0
else
#
##declare variable for JAMF notifications
MA="/Library/Application Support/JAMF/bin/Management Action.app/Contents/MacOS/Management Action"
#
"$MA" -title "JAMF Management Notification" -message "On campus users - please connect to Secure wifi (not Guest wifi) and try connecting again. Off campus users - please connect to VPN and try connecting again."

exit 1
fi


-Sam