geoffrepoli/modify-system-preferences-authorizations.py

## modify-system-preferences-authorizations.py
#!/usr/bin/python3
'''
Modifies authorizations database to allow standard users to change select
system preferences.

A great guide to available authorization rights can be found at:
https://www.dssw.co.uk/reference/authorization-rights/index.html

USE AT YOUR OWN RISK
'''

import os
import datetime
import plistlib
import subprocess

# Path to back up current rights to
BACKUP_PATH = '/Library/Application Support/JAMF/auth_bkp'

# List of authorizations to be granted to modify
# List of authorizations to be granted to modify
RIGHTS = ['system.preferences',
          'system.preferences.network',
          'com.apple.wifi',
          'system.services.systemconfiguration.network']

# 'Level' at which to set the rights
#   - 'allow' permanently unlocks the associated preference pane(s)
#   - 'authenticate-session-owner-or-admin' requires entering credentials to
#     unlock the preference pane(s), but allows standard users to do so
RIGHT_LEVEL = 'allow'

# Store current datetime
DTNOW = datetime.datetime.now().strftime('%Y-%m-%d-%H-%M-%S')


def get_auth_right(right, format='string'):
    '''Gets the specified authorization right in plist format'''
    cmd = ['/usr/bin/security', 'authorizationdb', 'read', right]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, _ = proc.communicate()
    return plistlib.loads(out)

def backup_right_plist(right):
    '''Backs up the original right definition'''
    # Construct path to backup file, then ensure the path exists
    path = os.path.join(BACKUP_PATH, DTNOW, '{}.plist'.format(right))
    directory = os.path.dirname(path)
    if not os.path.exists(directory):
        os.makedirs(directory)
    # Get the right definition as a plist
    plist = get_auth_right(right)
    # Write out the backup file
    out_plist = open(path, 'wb')
    plistlib.dump(plist, out_plist)

def set_right(right, level):
    '''Sets the specified right to "allow"'''
    cmd = ['/usr/bin/security', 'authorizationdb', 'write', right, level]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, _ = proc.communicate()


def main():
    '''Main'''
    for right in RIGHTS:
        backup_right_plist(right)
        set_right(right, RIGHT_LEVEL)


if __name__ == '__main__':
    main()
	#!/usr/bin/python3
	'''
	Modifies authorizations database to allow standard users to change select
	system preferences.

	A great guide to available authorization rights can be found at:
	https://www.dssw.co.uk/reference/authorization-rights/index.html

	USE AT YOUR OWN RISK
	'''

	import os
	import datetime
	import plistlib
	import subprocess

	# Path to back up current rights to
	BACKUP_PATH = '/Library/Application Support/JAMF/auth_bkp'

	# List of authorizations to be granted to modify
	# List of authorizations to be granted to modify
	RIGHTS = ['system.preferences',
	'system.preferences.network',
	'com.apple.wifi',
	'system.services.systemconfiguration.network']

	# 'Level' at which to set the rights
	# - 'allow' permanently unlocks the associated preference pane(s)
	# - 'authenticate-session-owner-or-admin' requires entering credentials to
	# unlock the preference pane(s), but allows standard users to do so
	RIGHT_LEVEL = 'allow'

	# Store current datetime
	DTNOW = datetime.datetime.now().strftime('%Y-%m-%d-%H-%M-%S')


	def get_auth_right(right, format='string'):
	'''Gets the specified authorization right in plist format'''
	cmd = ['/usr/bin/security', 'authorizationdb', 'read', right]
	proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
	stderr=subprocess.PIPE)
	out, _ = proc.communicate()
	return plistlib.loads(out)

	def backup_right_plist(right):
	'''Backs up the original right definition'''
	# Construct path to backup file, then ensure the path exists
	path = os.path.join(BACKUP_PATH, DTNOW, '{}.plist'.format(right))
	directory = os.path.dirname(path)
	if not os.path.exists(directory):
	os.makedirs(directory)
	# Get the right definition as a plist
	plist = get_auth_right(right)
	# Write out the backup file
	out_plist = open(path, 'wb')
	plistlib.dump(plist, out_plist)

	def set_right(right, level):
	'''Sets the specified right to "allow"'''
	cmd = ['/usr/bin/security', 'authorizationdb', 'write', right, level]
	proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
	stderr=subprocess.PIPE)
	out, _ = proc.communicate()


	def main():
	'''Main'''
	for right in RIGHTS:
	backup_right_plist(right)
	set_right(right, RIGHT_LEVEL)


	if __name__ == '__main__':
	main()