macos-authdb-mechs
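#!/bin/sh
# This Jamf extension attribute returns the mechanism entry index number
# (starting with zero) if Escrow Buddy is present in the authorization database
# login mechanisms, or "-1" otherwise.
MECHANISM="Escrow Buddy:Invoke,privileged"

# Snapshot the login authorization database into a private temp file rather
# than a fixed, predictable path in the shared /tmp (this runs as root).
AUTH_DB=$(mktemp /tmp/auth.db.XXXXXX) || exit 1
trap 'rm -f -- "$AUTH_DB"' EXIT
/usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"

# PlistBuddy's "Print" output lists the array as "Array {" on line 1 followed
# by one entry per line, so grep's 1-based line number minus 2 is the index.
# Fixed-string, first match only, so a multi-line index can never reach $(( )).
# NOTE(review): the earlier pattern wrapped the entry in <string> tags, which
# appear in the raw XML plist but not in PlistBuddy's "Print" output (the
# ModifyAuthDBLoginMechs.sh functions grep the bare entry) — confirm on a Mac.
INDEX=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null \
  | grep -nF -- "$MECHANISM" | head -n 1 | cut -d ":" -f 1)

if [ -z "$INDEX" ]; then
  # Return -1 if mechanism is not in array
  INDEX="-1"
else
  # Adjust for the "Array {" header line and grep's 1-based numbering
  INDEX=$((INDEX-2))
fi

echo "<result>$INDEX</result>"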
#!/bin/sh
# This Jamf extension attribute returns "Configured" if Escrow Buddy is present
# in the authorization database login mechanisms, or "Not Configured" otherwise.
MECHANISM="Escrow Buddy:Invoke,privileged"

# The raw plist emitted by `security` wraps every mechanism in <string> tags,
# so a tag-wrapped substring match on the stream is enough to detect the entry.
RESULT="Not Configured"
if security authorizationdb read system.login.console 2>/dev/null | grep -q "<string>$MECHANISM</string>"; then
  RESULT="Configured"
fi

echo "<result>$RESULT</result>"
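#!/bin/bash

###
#
# Name: ModifyAuthDBLoginMechs.sh
# Description: This script provides functions that can help Mac IT
#              administrators modify and maintain the list of
#              login mechanisms in the macOS authorization database.
#              For details see:
#              https://www.elliotjordan.com/posts/macos-authdb-mechs
# Author: Elliot Jordan <elliot@elliotjordan.com>
# Created: 2023-06-17
# Last Modified: 2023-06-17
# Version: 1.0.0
#
###

# Check execution context (root required)
if [[ $EUID -ne 0 ]]; then
  echo "ERROR: Please run this script as root."
  exit 1
fi

# Working copy of the login authorization database. It lives in a fresh
# mktemp directory (created 0700, owned by root) instead of a fixed path in
# the shared /tmp, because the file's contents are written back into the
# authorization database with root privileges; a predictable world-writable
# path could be pre-created or swapped by another local user between the read
# and the write. The directory is deliberately not removed on exit so the
# "$AUTH_DB.backup" copy made by BackupAuthDB survives the run.
AUTH_DB_DIR=$(mktemp -d /tmp/authdb.XXXXXX) || {
  echo "ERROR: Unable to create temporary directory."
  exit 1
}
AUTH_DB="$AUTH_DB_DIR/system.login.console.plist"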
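############################ FUNCTION: CheckAuthDB ############################
# Checks current loginwindow auth database for entry specified by parameter 1.
# Refreshes the working copy at $AUTH_DB from the live database as a side effect.
# Arguments: $1 - mechanism entry, e.g. "Escrow Buddy:Invoke,privileged"
# Returns:   0 if the entry is present; 1 if it is absent or the database
#            could not be read (previously a failed read was silently treated
#            as "not configured").
CheckAuthDB() {
  if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"; then
    echo "ERROR: Unable to read authorization database."
    return 1
  fi
  # Fixed-string match: the raw plist wraps each mechanism in <string> tags.
  if grep -qF "<string>$1</string>" "$AUTH_DB"; then
    echo "$1 is configured in the authorization database."
    return 0
  fi
  echo "$1 is not configured in the authorization database."
  return 1
}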
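############################ FUNCTION: BackupAuthDB ###########################
# Create a backup copy of the auth database at "$AUTH_DB.backup".
# If no working copy exists at $AUTH_DB yet, it is read from the live database
# first so the backup is always a real snapshot.
# Returns: 0 on success, 1 if the database could not be read or copied.
BackupAuthDB() {
  # Only read the live database when the working copy is missing; the test
  # used to be inverted, which skipped the read exactly when it was needed and
  # let cp fail on a non-existent file.
  if [[ ! -f "$AUTH_DB" ]]; then
    if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"; then
      echo "ERROR: Unable to read authorization database."
      return 1
    fi
  fi
  if ! cp -- "$AUTH_DB" "$AUTH_DB.backup"; then
    echo "ERROR: Unable to create backup at $AUTH_DB.backup."
    return 1
  fi
  return 0
}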
######################## FUNCTION: ValidateAuthDBEntry ########################
# Validates the format of entry prior to modifying the authorization database.
# Arguments: $1 - mechanism entry; must look like "plugin:mechanism" with an
#                 optional ",privileged" suffix and no other commas or colons.
# Exits with status 1 (after printing an error) when the entry does not match.
ValidateAuthDBEntry() {
  local entry_pattern='^[^,:]+:[^,:]+(,privileged)?$'
  if printf '%s\n' "$1" | grep -qE "$entry_pattern"; then
    return 0
  fi
  echo "ERROR: Specified right is not formatted correctly: $1"
  exit 1
}
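############################ FUNCTION: AddToAuthDB ############################
# Add an entry before/after another entry
# The entry to add is specified by parameter 1
# "before" or "after" is specified by parameter 2
# The existing entry to use for placement is specified by parameter 3
# Globals: AUTH_DB - working copy; refreshed from the live database, edited,
#          then written back with `security authorizationdb write`.
# Exits with status 1 on any validation, lookup, edit or write failure.
AddToAuthDB() {
  local index
  ValidateAuthDBEntry "$1"
  if [[ "$2" != "before" && "$2" != "after" ]]; then
    echo "ERROR: AddToAuthDB requires parameter 2 to be 'before' or 'after'."
    exit 1
  fi
  # Always start from the live database so a stale working copy left by an
  # earlier call is never written back over newer changes.
  if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"; then
    echo "ERROR: Unable to read authorization database."
    exit 1
  fi
  # PlistBuddy prints "Array {" on line 1 and one entry per line, so grep's
  # 1-based line number minus 2 is the entry's array index. Fixed-string and
  # first match only: a regex/substring hit on several lines would otherwise
  # produce a multi-line value that breaks the arithmetic below. The match is
  # still a substring match, so pass the full entry text as parameter 3.
  index=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null \
    | grep -nF -- "$3" | head -n 1 | cut -d ":" -f 1)
  if [[ -z "$index" ]]; then
    echo "ERROR: Unable to find $3 in authorization database."
    exit 1
  fi
  # "before" targets the matched entry's own index; "after" the one past it.
  if [[ "$2" == "before" ]]; then
    index=$((index-2))
  else
    index=$((index-1))
  fi
  # Insert mechanism relative to parameter 3
  echo "Adding $1 to authorization database $2 $3..."
  if ! /usr/libexec/PlistBuddy -c "Add :mechanisms:$index string '$1'" "$AUTH_DB"; then
    echo "ERROR: Unable to insert $1 into the working copy of the authorization database."
    exit 1
  fi
  # Save authorization database changes
  if ! /usr/bin/security authorizationdb write system.login.console 2>/dev/null < "$AUTH_DB"; then
    echo "ERROR: Unable to save changes to authorization database."
    exit 1
  fi
  echo "$1 successfully configured in macOS authorization database."
}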
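########################## FUNCTION: RemoveFromAuthDB #########################
# Remove mechanism specified by parameter 1 from authorization database
# Globals: AUTH_DB - working copy; refreshed from the live database, edited,
#          then written back with `security authorizationdb write`.
# Returns: 0 if the entry was removed or was not present to begin with.
# Exits with status 1 if the database cannot be read, edited or written.
RemoveFromAuthDB() {
  local index
  # Always start from the live database so a stale working copy left by an
  # earlier call is never written back over newer changes.
  if ! /usr/bin/security authorizationdb read system.login.console 2>/dev/null > "$AUTH_DB"; then
    echo "ERROR: Unable to read authorization database."
    exit 1
  fi
  # PlistBuddy prints "Array {" on line 1 and one entry per line, so grep's
  # 1-based line number minus 2 is the entry's array index. Fixed-string and
  # first match only, so a multi-line value can never reach the arithmetic or
  # the Delete command. The match is still a substring match, so pass the full
  # entry text (e.g. "Crypt:Check,privileged", not "Crypt:Check").
  index=$(/usr/libexec/PlistBuddy -c "Print :mechanisms:" "$AUTH_DB" 2>/dev/null \
    | grep -nF -- "$1" | head -n 1 | cut -d ":" -f 1)
  if [[ -z "$index" ]]; then
    echo "$1 is not configured in the authorization database."
    return 0
  fi
  # Adjust index to account for PlistBuddy output format
  index=$((index-2))
  # Remove mechanism from the working copy before saving
  echo "Removing $1 from authorization database..."
  if ! /usr/libexec/PlistBuddy -c "Delete :mechanisms:$index" "$AUTH_DB"; then
    echo "ERROR: Unable to remove $1 from the working copy of the authorization database."
    exit 1
  fi
  # Save authorization database changes
  if ! /usr/bin/security authorizationdb write system.login.console 2>/dev/null < "$AUTH_DB"; then
    echo "ERROR: Unable to save changes to authorization database."
    exit 1
  fi
  echo "$1 successfully removed from macOS authorization database."
}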
################################ USAGE EXAMPLES ############################### | |
# The commented examples below demonstrate how to use the functions above. | |
# Example 1: Check authorization database for Escrow Buddy entry. | |
# If present, remove it. | |
# | |
# MECHANISM="Escrow Buddy:Invoke,privileged" | |
# if CheckAuthDB "$MECHANISM"; then | |
# BackupAuthDB | |
# RemoveFromAuthDB "$MECHANISM" | |
# fi | |
# Example 2: Check authorization database for Escrow Buddy entry. | |
# If absent, add it before loginwindow:done. | |
# | |
# MECHANISM="Escrow Buddy:Invoke,privileged" | |
# if ! CheckAuthDB "$MECHANISM"; then | |
# BackupAuthDB | |
# AddToAuthDB "$MECHANISM" "before" "loginwindow:done" | |
# fi | |
# Example 3: Check authorization database for Crypt entries. | |
# If any are absent, re-add them before loginwindow:done. | |
# | |
# MECHANISM1="Crypt:Check,privileged" | |
# MECHANISM2="Crypt:CryptGUI" | |
# MECHANISM3="Crypt:Enablement,privileged" | |
# if ! CheckAuthDB "$MECHANISM1" || ! CheckAuthDB "$MECHANISM2" || ! CheckAuthDB "$MECHANISM3"; then | |
# BackupAuthDB | |
# CheckAuthDB "$MECHANISM1" && RemoveFromAuthDB "$MECHANISM1" | |
# CheckAuthDB "$MECHANISM2" && RemoveFromAuthDB "$MECHANISM2" | |
# CheckAuthDB "$MECHANISM3" && RemoveFromAuthDB "$MECHANISM3" | |
# AddToAuthDB "$MECHANISM1" "before" "loginwindow:done" | |
# AddToAuthDB "$MECHANISM2" "before" "loginwindow:done" | |
# AddToAuthDB "$MECHANISM3" "before" "loginwindow:done" | |
# fi | |
# Example 4: Remove all Crypt entries from authorization database. | |
# | |
# MECHANISM1="Crypt:Check,privileged" | |
# MECHANISM2="Crypt:CryptGUI" | |
# MECHANISM3="Crypt:Enablement,privileged" | |
# BackupAuthDB | |
# CheckAuthDB "$MECHANISM1" && RemoveFromAuthDB "$MECHANISM1" | |
# CheckAuthDB "$MECHANISM2" && RemoveFromAuthDB "$MECHANISM2" | |
# CheckAuthDB "$MECHANISM3" && RemoveFromAuthDB "$MECHANISM3" |