#!/usr/bin/env python
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Copyright (c) 2017 Jamf. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the Jamf nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# This script was modified from Andrina Kelly's version presented at JNUC2013 for allowing
# a user to elevate their privileges to administrator once per day for 30 minutes.
#
# To accomplish this the following will be performed:
# - A launch daemon will be put in place in order to remove admin rights
# - Log will be written to tempAdmin.log
# - This policy in Jamf will be set to only be allowed once per day
#
# REQUIREMENTS:
# - Jamf Pro
# - Policy for enabling tempAdmin via Self Service
# - Policy to remove tempAdmin via custom trigger
# - tempAdmin.sh & removeTempAdmin.sh Scripts
#
#
# Written by: Joshua Roskos | Professional Services Engineer | Jamf
#
# Created On: June 20th, 2017
# Updated On: June 22nd, 2017
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# IMPORTS
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
import os, plistlib, pwd, grp, subprocess
from datetime import datetime
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# VARIABLES
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
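userName = os.getlogin()  # get the logged in user's name
# NOTE(review): os.getlogin() resolves the owner of the controlling terminal and
# raises OSError when there is none; confirm it yields the Self Service user when
# the policy is run by Jamf rather than from an interactive shell.
workingDir = '/usr/local/jamfps/'  # working directory for script
launchdFile = 'com.jamfps.adminremove.plist'  # launch daemon file name
plistFile = 'MakeMeAdmin.plist'  # record of the user to demote and the pre-existing admins
tempAdminLog = 'tempAdmin.log'  # script log file
adminTimer = 1800  # how long should they have admin rights for (in seconds)
policyCustomTrigger = 'adminremove'  # custom trigger specified for removeTempAdmin.py policy
launchDaemonDir = '/Library/LaunchDaemons/'  # where launchd looks for system-wide jobs
launchDaemonLabel = 'com.jamfps.adminremove'  # launchd job label (matches launchdFile)


def createLaunchDaemon(daemonPath):
    """Write and load the launchd job that fires the admin-removal policy.

    This runs *before* any rights are granted so that a failure here aborts the
    script instead of leaving an elevation with no scheduled removal.

    Args:
        daemonPath: absolute path of the launchd plist to create.

    Raises:
        subprocess.CalledProcessError: if ``launchctl load`` reports failure.
    """
    print('Creating LaunchDaemon...')
    launchDaemon = {
        'Label': launchDaemonLabel,
        'ProgramArguments': ['/usr/local/jamf/bin/jamf', 'policy', '-trigger', policyCustomTrigger],
        'StartInterval': adminTimer,
    }
    plistlib.writePlist(launchDaemon, daemonPath)
    # launchd requires job files to be root-owned and not writable by others;
    # fix ownership and mode on the file just written.
    os.chown(daemonPath, pwd.getpwnam('root').pw_uid, grp.getgrnam('wheel').gr_gid)
    os.chmod(daemonPath, 0o644)
    print('Loading LaunchDaemon...')
    # check_call: a silently failed load would mean the rights are never removed.
    subprocess.check_call(['launchctl', 'load', '-w', daemonPath])


def recordState(adminPlistPath, user):
    """Persist the user to demote and the admins that existed before the grant.

    The plist is presumably what the removal policy reads to decide who keeps
    admin rights, so it is written before group membership changes.

    Args:
        adminPlistPath: absolute path of the state plist to write.
        user: account name that will be granted (and later stripped of) admin.
    """
    print('Retrieving List of Current Admins...')
    currentAdmins = grp.getgrnam('admin').gr_mem
    # NOTE(review): if ``user`` is already a member of 'admin' (e.g. the policy
    # ran again before the removal fired) they are recorded here as a
    # pre-existing admin; whether the removal side tolerates that is not
    # visible in this file -- confirm.
    print('Updating Plist...')
    plistlib.writePlist({'User2Remove': user, 'CurrentAdminUsers': currentAdmins}, adminPlistPath)


def grantAdmin(user):
    """Add *user* to the local 'admin' group.

    Raises:
        subprocess.CalledProcessError: if dseditgroup fails, so the caller does
            not log a grant that never happened.
    """
    subprocess.check_call(['dseditgroup', '-o', 'edit', '-a', user, '-t', 'user', 'admin'])


def appendLog(logPath, message):
    """Append *message* to the script log, closing the file even on error."""
    with open(logPath, 'a+') as log:
        log.write(message)


def main():
    """Install the removal timer, record state, grant admin, then log it."""
    createLaunchDaemon(os.path.join(launchDaemonDir, launchdFile))
    # build log files
    if not os.path.exists(workingDir):
        os.makedirs(workingDir)
    recordState(os.path.join(workingDir, plistFile), userName)
    grantAdmin(userName)
    appendLog(os.path.join(workingDir, tempAdminLog),
              "{} - MakeMeAdmin Granted Admin Rights for {}\r\n".format(datetime.now(), userName))
    print('Granted Admin Right to ' + userName)


if __name__ == '__main__':
    main()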