Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Backs up authdb, then modifies them so users can modify Energy Saver, Network, Printers & Scanners, Date & Time, Time Machine
#!/usr/bin/python
'''
Modifies authorizations database to allow standard users to change select
system preferences.
A great guide to available authorization rights can be found at:
https://www.dssw.co.uk/reference/authorization-rights/index.html
USE AT YOUR OWN RISK
'''
import os
import datetime
import plistlib
import subprocess
# Path to back up current rights to
BACKUP_PATH = '/Library/Application Support/JAMF/auth_bkp'
# List of authorizations to be granted to modify
RIGHTS = ['system.preferences',
'system.preferences.datetime',
'system.preferences.timemachine',
'system.preferences.energysaver',
'system.preferences.network',
'system.preferences.printing']
# 'Level' at which to set the rights
# - 'allow' permanently unlocks the associated preference pane(s)
# - 'authenticate-session-owner-or-admin' requires entering credentials to
# unlock the preference pane(s), but allows standard users to do so
RIGHT_LEVEL = 'authenticate-session-owner-or-admin'
# Store current datetime
DTNOW = datetime.datetime.now().strftime('%Y-%m-%d-%H-%M-%S')
def get_auth_right(right, format='string'):
'''Gets the specified authorization right in plist format'''
cmd = ['/usr/bin/security', 'authorizationdb', 'read', right]
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
out, _ = proc.communicate()
if format == 'plist':
return plistlib.readPlistFromString(out)
else:
return out
def backup_right_plist(right):
'''Backs up the original right definition'''
# Construct path to backup file, then ensure the path exists
path = os.path.join(BACKUP_PATH, DTNOW, '{}.plist'.format(right))
directory = os.path.dirname(path)
if not os.path.exists(directory):
os.makedirs(directory)
# Get the right definition as a plist
plist = get_auth_right(right)
# Write out the backup file
with open(path, 'w+') as out_plist:
out_plist.write(plist)
def set_right(right, level):
'''Sets the specified right to "allow"'''
cmd = ['/usr/bin/security', 'authorizationdb', 'write', right, level]
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
out, _ = proc.communicate()
def main():
'''Main'''
for right in RIGHTS:
backup_right_plist(right)
set_right(right, RIGHT_LEVEL)
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.