#!/bin/bash
# Travelling Tech Guy - 6th of March 2019
# Proof of concept - use at own risk!
# This script is an attempt to add a little enforcement to return to standard privileges when using the SAP privileges app
# The SAP Privileges project page:
# https://github.com/SAP/macOS-enterprise-privileges
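# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
# Minutes a user may hold admin rights before being asked to confirm them.
# Jamf hands custom script parameters over starting at $4; 5 is the testing
# default the original used.
readonly timeLimit="${4:-5}"
# State file: epoch seconds of when the user was first seen as admin.
# NOTE: the user this script watches *is* an admin and can edit or delete
# this file, so the clock can be reset by the person it measures — this is
# a nudge, not a hard control.
readonly logFile="/usr/local/bin/.lastAdminCheck.txt"
readonly privilegesCli="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"
readonly jamfBin="/usr/local/bin/jamf"

set -u   # an unset variable here is a bug, not an empty string

#######################################
# Print the console (GUI) user, or nothing at loginwindow / no session.
# Uses the SystemConfiguration API through the system python as the original
# did; falls back to the owner of /dev/console when that python is absent
# (macOS 12.3 and later ship no /usr/bin/python).
# Outputs: user name on stdout (empty line if nobody is at the console)
#######################################
console_user() {
  local user=""
  if [[ -x /usr/bin/python ]]; then
    user=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");' 2>/dev/null)
  fi
  if [[ -z "$user" ]]; then
    user=$(/usr/bin/stat -f '%Su' /dev/console 2>/dev/null)
    # /dev/console belongs to root while nobody is logged in
    [[ "$user" == "root" ]] && user=""
  fi
  printf '%s\n' "$user"
}

#######################################
# Test whether a user is a member of the local admin group.
# dseditgroup prints "yes ..." for members; the match is anchored so error
# text or a user name that happens to contain "yes" cannot count as a hit.
# Arguments: $1 - user name
# Returns:   0 if admin, 1 otherwise
#######################################
is_admin() {
  local user=$1
  [[ $(/usr/sbin/dseditgroup -o checkmember -m "$user" admin / 2>&1) =~ ^yes ]]
}

#######################################
# Print the timestamp stored in the state file.
# Outputs: epoch seconds on stdout, or an empty line when the file is
#          missing or does not hold a plain integer (empty/corrupt file).
#######################################
read_last_check() {
  local stamp=""
  [[ -f "$logFile" ]] && stamp=$(head -n 1 "$logFile")
  [[ "$stamp" =~ ^[0-9]+$ ]] || stamp=""
  printf '%s\n' "$stamp"
}

#######################################
# Record the start of the current admin period.
# Arguments: $1 - epoch seconds
#######################################
write_last_check() {
  printf '%s\n' "$1" > "$logFile"
}

#######################################
# Ask the console user whether admin rights are still needed.
# The dialog runs inside the user's own session, so the answer is only the
# user's word; nothing here is an authorisation decision.
# Outputs: "Yes" or "No" on stdout; nothing if the dialog could not be shown
#######################################
ask_confirmation() {
  /usr/bin/osascript <<'EOT' 2>/dev/null || true
tell application "Finder"
activate
set myReply to button returned of (display dialog "Do you still need Admin Super Power?" buttons {"Yes", "No"} default button 2)
end tell
EOT
}

#######################################
# Entry point. Expected to run as root (e.g. from a Jamf policy) so that
# PrivilegesCLI can be invoked as the console user.
#
# Unlike the first version, the stored timestamp is NOT rewritten on every
# run: it marks when the user was first seen as admin and is only reset when
# the user is demoted, leaves the admin group, or explicitly confirms the
# rights are still needed. Rewriting it each run measured the interval
# between two runs of this script, not the time spent as admin.
#######################################
main() {
  local now loggedInUser lastCheck adminTime adminTimeMinutes answer

  if ! [[ "$timeLimit" =~ ^[0-9]+$ ]]; then
    printf 'Time limit must be a whole number of minutes, got: %s\n' "$timeLimit" >&2
    exit 1
  fi
  now=$(date +%s)

  loggedInUser=$(console_user)
  if [[ -z "$loggedInUser" ]]; then
    # Nobody at the console (loginwindow): leave the clock alone, retry next run.
    printf 'No console user; nothing to do.\n'
    exit 0
  fi

  if ! is_admin "$loggedInUser"; then
    printf 'User %s is not admin... bye bye\n' "$loggedInUser"
    rm -f -- "$logFile"
    exit 0
  fi
  printf 'User %s is Admin... keeping an eye on him/her!\n' "$loggedInUser"

  lastCheck=$(read_last_check)
  if [[ -z "$lastCheck" ]]; then
    # First sighting as admin (or an empty/corrupt state file): start the clock.
    printf 'File %s missing or invalid; starting the admin clock now.\n' "$logFile"
    lastCheck=$now
    write_last_check "$now"
  fi

  adminTime=$(( now - lastCheck ))
  (( adminTime < 0 )) && adminTime=0   # clock moved backwards or file edited
  adminTimeMinutes=$(( adminTime / 60 ))
  printf 'Admin time in seconds: %s\n' "$adminTime"
  printf 'Admin time in minutes: %s\n' "$adminTimeMinutes"
  printf 'Time Limit is: %s\n' "$timeLimit"

  (( adminTimeMinutes >= timeLimit )) || exit 0

  answer=$(ask_confirmation)
  case "$answer" in
    No)
      printf 'Demoting the user!\n'
      "$jamfBin" displayMessage -message "OK, Admin rights revoked"
      # Only forget the admin period once the demotion actually succeeded;
      # otherwise the user is asked again on the next run.
      if sudo -u "$loggedInUser" "$privilegesCli" --remove; then
        rm -f -- "$logFile"
      else
        printf 'PrivilegesCLI --remove failed; user still has admin rights.\n' >&2
      fi
      ;;
    Yes)
      "$jamfBin" displayMessage -message "OK, but use them wisely you must - Yoda"
      write_last_check "$now"   # user confirmed: restart the clock
      ;;
    *)
      printf 'No answer from the user; will ask again on the next run.\n' >&2
      ;;
  esac
}

main "$@"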