#!/bin/bash
###################################################################
#
# Script to allow users to elevate themselves to admin on any machine
# DEPLOY VIA SELF-SERVICE WITH CARE - YOU ARE GIVING ANY USER WHO RUNS
# THIS THE ABILITY TO MAKE THEMSELVES AN ADMIN, EFFECTIVELY FOREVER,
# ON ANY MACHINE ON WHICH THEY CAN RUN THIS SCRIPT.
#
# Date: @@DATE
# Version: @@VERSION
# Origin: @@ORIGIN
# Released by JSS User: @@USER
#
##################################################################
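readonly LOGS='/var/admin-logs'
readonly PLIST='/Library/LaunchDaemons/uk.ac.ed.adminremove.plist'
readonly REMOVE_SCRIPT='/Library/Scripts/removeTempAdmin.sh'
readonly JAMF_HELPER='/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper'

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Resolve the user currently owning the console.
# Outputs:   short name on stdout
# Returns:   1 when nobody usable is at the console (login window, root,
#            or the owner could not be determined) so the caller grants
#            nothing instead of running dseditgroup with an empty name.
#######################################
console_user() {
  local user
  user=$(stat -f%Su /dev/console 2>/dev/null) || return 1
  case "$user" in
    '' | root | loginwindow) return 1 ;;
  esac
  printf '%s\n' "$user"
}

#######################################
# Create the LaunchDaemon that runs the revocation script every 900 s.
# Globals:   PLIST, REMOVE_SCRIPT (read)
# Outputs:   writes the plist file
#######################################
write_launchdaemon() {
  # Quoted delimiter: the plist contains no shell expansions.
  cat > "$PLIST" <<'EOT'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>uk.ac.ed.adminremove</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Scripts/removeTempAdmin.sh</string>
</array>
<key>StartInterval</key>
<integer>900</integer>
</dict>
</plist>
EOT
}

#######################################
# Create the admin-rights removal script.
# Paths (LOGS, PLIST, REMOVE_SCRIPT) are expanded now; everything written
# as \$... is evaluated when the daemon fires. The generated script revokes
# every user listed in userToRemove, so a second grant inside the 15-minute
# window no longer makes the first user's revocation disappear (the old
# version baked the creating user's name into the script).
# Globals:   LOGS, PLIST, REMOVE_SCRIPT (read)
# Outputs:   writes the removal script
#######################################
write_removal_script() {
  cat > "$REMOVE_SCRIPT" <<EOT
#!/bin/bash
LOGS="${LOGS}"
TIME="\$(date '+Date:%m-%d-%Y TIME:%H:%M:%S')"
while IFS= read -r USERNAME || [ -n "\$USERNAME" ]; do
  [ -n "\$USERNAME" ] || continue
  /usr/sbin/dseditgroup -o edit -d "\$USERNAME" -t user admin
  echo "\$TIME REVOKED \$USERNAME" >> "\${LOGS}/15minAdmin"
done < "\${LOGS}/userToRemove"
rm -f "\${LOGS}/userToRemove"
launchctl unload -w "${PLIST}"
rm -f "${PLIST}"
rm -f "${REMOVE_SCRIPT}"
## What happens if nobody is logged in?
osascript -e 'display notification "Local administrator privileges have been revoked" with title "Admin Revoked"'
exit 0
EOT
}

#######################################
# Create the log directory if needed, owned by root and not writable by
# others, because the daemon trusts the user names stored in userToRemove.
# Globals:   LOGS (read)
#######################################
ensure_log_dir() {
  if [[ ! -d "$LOGS" ]]; then
    mkdir "$LOGS" || die "cannot create ${LOGS}"
    chown root:wheel "$LOGS"
    chmod 755 "$LOGS"
  fi
}

#######################################
# Pick the Keychain Access icon path for this macOS release.
# System apps moved under /System/Applications on 10.15; the old check
# compared only the minor version, so macOS 11+ ("11.x", minor <= 14)
# wrongly selected the pre-10.15 path.
# Outputs:   icon path on stdout
#######################################
keychain_icon() {
  local version major minor
  version=$(sw_vers -productVersion)
  major=${version%%.*}
  minor=${version#*.}
  minor=${minor%%.*}
  [[ "$major" =~ ^[0-9]+$ ]] || major=0
  [[ "$minor" =~ ^[0-9]+$ ]] || minor=0
  if (( major > 10 || (major == 10 && minor >= 15) )); then
    printf '%s\n' '/System/Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png'
  else
    printf '%s\n' '/Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png'
  fi
}

#######################################
# Show the "Admin Rights Granted" dialog in the background.
# Arguments: $1 - icon path
#######################################
notify_granted() {
  local icon=$1
  "$JAMF_HELPER" -windowType utility -icon "$icon" -heading 'Admin Rights Granted' -description "
Please use responsibly.
All administrative activity is logged.
Access expires in 15 minutes." -button1 'OK' > /dev/null 2>&1 &
}

main() {
  local username stamp
  (( EUID == 0 )) || die 'must be run as root'

  username=$(console_user) || die 'no console user to elevate; nothing done'

  write_launchdaemon
  write_removal_script
  # set the permission on the files just made
  chown root:wheel "$PLIST" "$REMOVE_SCRIPT"
  chmod 644 "$PLIST"
  chmod 755 "$REMOVE_SCRIPT"

  # enable and load the LaunchDaemon. A previous grant may still have it
  # loaded, so drop it first (errors when it is not loaded are expected).
  launchctl unload "$PLIST" > /dev/null 2>&1 || true
  # Rights are granted only after the revocation daemon is confirmed
  # loaded; otherwise the user would stay an admin indefinitely.
  launchctl load -w "$PLIST" || die "failed to load ${PLIST}; admin rights NOT granted"

  ensure_log_dir
  # note the user (appended: the daemon revokes every name listed)
  printf '%s\n' "$username" >> "${LOGS}/userToRemove"

  # give current logged user admin rights
  /usr/sbin/dseditgroup -o edit -a "$username" -t user admin \
    || die "dseditgroup failed to add ${username} to admin"
  stamp=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
  # Same layout the old 'echo $TIME " by " $USERNAME' produced.
  printf '%s  by  %s\n' "$stamp" "$username" >> "${LOGS}/15minAdmin"

  # notify
  notify_granted "$(keychain_icon)"
  exit 0
}

main "$@"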