A script for Jamf Pro Self Service to grant time-limited elevated user rights
#!/bin/bash
## Privileges time-limited elevation
## v. 0.1 - G. Pugh 2020-05-20
# Jamf hands the elevation length, in minutes, to the script as parameter 4.
duration_minutes="$4"
# Custom trigger of the Jamf policy that installs Privileges.app when absent.
policy_trigger_name="Privileges-install"
# How long (seconds) the runner keeps the user elevated before revoking.
elevation_duration=$(( ${duration_minutes} * 60 ))
# Not referenced anywhere else in this script; kept for compatibility.
start_interval=$(( ${elevation_duration} + 10 ))
# The user currently at the console (empty when only the loginwindow is up);
# PrivilegesCLI has to be invoked as that user rather than as root.
consoleuser="$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')"
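#######################################
# Print each argument on its own line to stderr and terminate the script.
# Arguments: $@ - message lines
# Outputs:   the messages on stderr (diagnostics, not program output)
# Returns:   never; exits with status 1
#######################################
abort() {
  printf '%s\n' "$@" >&2
  exit 1
}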
#######################################
# Abort unless the effective user is root.
# Returns:   0 when running as root; otherwise abort() ends the script
#######################################
have_sudo_access() {
  local effective_user
  effective_user="$(id -un)"
  [[ "$effective_user" == "root" ]] || abort "Need sudo access!"
}
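# Every later step (writing the runner, su, /Library/LaunchAgents) needs root;
# have_sudo_access aborts the script otherwise.
have_sudo_access
jamf_binary="/usr/local/jamf/bin/jamf"
privileges_app="/Applications/Privileges.app"
# Install Privileges.app through its Jamf policy when it is missing. A failed
# or empty policy run must not be silently carried on from, because the runner
# written below can only work if PrivilegesCLI exists.
if [[ ! -d "$privileges_app" ]]; then
  [[ -x "$jamf_binary" ]] || abort "Jamf binary not found at $jamf_binary"
  "$jamf_binary" policy -event "$policy_trigger_name" \
    || abort "Jamf policy with trigger '$policy_trigger_name' failed"
fi
# Give a fresh install a moment to settle before the app is used.
sleep 1
[[ -d "$privileges_app" ]] \
  || abort "Privileges.app is still missing after running the '$policy_trigger_name' policy"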
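# Validate the inputs the runner depends on before anything is written:
# parameter 4 must be a whole number of minutes and somebody must be at the
# console, otherwise `su -l` would run PrivilegesCLI as the wrong user.
[[ "$duration_minutes" =~ ^[0-9]+$ ]] \
  || abort "Script parameter 4 (duration in minutes) must be a positive integer, got '${duration_minutes}'"
(( elevation_duration > 0 )) || abort "Elevation duration must be greater than zero"
[[ -n "$consoleuser" ]] || abort "No user is logged in at the console; nothing to elevate"

# Write the runner to a file only root can read or execute. mktemp creates it
# atomically under a random name, so a pre-existing file or symlink at a
# guessable path such as /tmp/privileges cannot redirect root's write.
tmp_location=$(mktemp "${TMPDIR:-/tmp}/privileges.XXXXXX") || abort "Could not create runner file"
# The runner receives the user and duration as arguments instead of having
# them interpolated into its source, so an unusual username cannot change the
# script's syntax. The quoted heredoc delimiter keeps the text literal.
cat > "$tmp_location" <<'EOF' || abort "Could not write runner to $tmp_location"
#!/bin/bash
# Runner: $1 = console user, $2 = seconds to stay elevated.
privileges_cli="/Applications/Privileges.app/Contents/Resources/PrivilegesCLI"
su -l "$1" -c "$privileges_cli --add"
# now wait for the designated number of seconds
sleep "$2"
# now remove privileges
su -l "$1" -c "$privileges_cli --remove"
# finally delete this file
rm -f -- "$0"
EOF
# Only root ever executes the runner; no need for group or world access.
chmod 700 "$tmp_location"
printf 'Runner written to %s\n' "$tmp_location"
# Start the runner in the background so the Jamf policy can finish while the
# elevation window is still open.
"$tmp_location" "$consoleuser" "$elevation_duration" &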
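# Write the LaunchAgent that returns the user to standard rights at login
# (RunAtLoad + LimitLoadToSessionType Aqua), so a reboot or re-login cannot
# outlive the elevation window.
LaunchAgentLocation="/Library/LaunchAgents/corp.sap.privileges.plist"
# Quoted heredoc: nothing in the plist is subject to shell expansion.
cat > "$LaunchAgentLocation" <<'EOF' || abort "Could not write LaunchAgent to $LaunchAgentLocation"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>corp.sap.privileges</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Privileges.app/Contents/Resources/PrivilegesCLI</string>
<string>--remove</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
</dict>
</plist>
EOF
# launchd rejects agent plists that are not root-owned or are group/world
# writable; set ownership and mode explicitly instead of trusting the umask.
chown root:wheel "$LaunchAgentLocation"
chmod 644 "$LaunchAgentLocation"
# NOTE(review): issued as root from a policy, this load does not target the
# console user's GUI session; the agent is expected to take effect at the next
# Aqua login — confirm that is the intended behaviour.
launchctl load -w "$LaunchAgentLocation"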