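#!/bin/bash
#
# Boot-time check of the local "admin" group: every direct member that is not
# on the allow-list below is removed from "admin" and added to "staff".
#
# Requires the macOS Directory Services tools (dscl, dseditgroup) and root
# privileges; intended to run from a LaunchDaemon so that stdout/stderr end
# up in the daemon's log.
#
# Exit status: 0 when no demotion was needed or every demotion succeeded;
# 1 when the group could not be read, the script is not running as root, or
# at least one demotion failed (a failed demotion is logged and the loop
# continues with the remaining members).

set -euo pipefail

# A root boot script must not trust an inherited PATH; dscl lives in /usr/bin
# and dseditgroup in /usr/sbin.
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

# Accounts permitted to remain in the admin group.
# NOTE(review): "root" is a direct member of /Groups/admin on a stock macOS
# install and is not listed here, so it would be demoted on the first run --
# confirm that is intended before deploying.
declare -a ALLOWED_ADMINS=('admin' 'ardadmin' 'yehuda')
readonly ALLOWED_ADMINS

#######################################
# Write a diagnostic line to stderr.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >&2
}

#######################################
# Print the direct members of the local admin group as one space-separated
# line (the GroupMembership attribute with its "GroupMembership:" prefix
# stripped). Only direct GroupMembership entries are reported; GUID-based
# GroupMembers or nested groups would not appear here.
# Outputs:   member names on stdout
# Returns:   0 on success; 1 when dscl fails or the attribute is not present
#######################################
admin_group_membership() {
  local record
  # Reading the single attribute yields one line: "GroupMembership: a b c".
  record=$(dscl . -read /Groups/admin GroupMembership) || return 1
  # Anything else (e.g. a "No such key" message) is not a member list; fail
  # rather than feed arbitrary words into the demotion loop.
  [[ "$record" == GroupMembership:* ]] || return 1
  printf '%s\n' "${record#GroupMembership:}"
}

#######################################
# Test whether a user is on the allow-list.
# Globals:   ALLOWED_ADMINS (read)
# Arguments: $1 - user short name
# Returns:   0 if allowed, 1 otherwise
#######################################
is_allowed_admin() {
  local candidate=$1 name
  for name in "${ALLOWED_ADMINS[@]}"; do
    if [[ "$name" == "$candidate" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Remove a user from the admin group and add them to staff.
# Arguments: $1 - user short name
# Returns:   0 on success, 1 if either dseditgroup call fails
#######################################
demote_admin() {
  local user=$1
  dseditgroup -o edit -d "$user" -t user admin || return 1
  dseditgroup -o edit -a "$user" -t user staff || return 1
  return 0
}

#######################################
# Entry point: read the admin group and demote every member not allowed.
# Globals:   ALLOWED_ADMINS (read)
# Returns:   0 on success, 1 on lookup error or any failed demotion
#######################################
main() {
  local membership user
  local -i failures=0
  local -a admins

  if (( EUID != 0 )); then
    log "must run as root to edit local groups"
    return 1
  fi
  # An empty allow-list would demote every admin, including the one needed to
  # fix the mistake; refuse rather than lock the machine out.
  if (( ${#ALLOWED_ADMINS[@]} == 0 )); then
    log "allow-list is empty; refusing to demote every admin"
    return 1
  fi

  # Assign separately from the call so the lookup's exit status is not masked.
  membership=$(admin_group_membership) || {
    log "could not read GroupMembership of /Groups/admin"
    return 1
  }
  # read -ra splits on whitespace without globbing the member names.
  read -ra admins <<<"$membership"
  if (( ${#admins[@]} == 0 )); then
    printf 'admin group has no direct members\n'
    return 0
  fi
  printf 'current admin group members: %s\n' "${admins[*]}"

  for user in "${admins[@]}"; do
    if is_allowed_admin "$user"; then
      printf '%s is on the approved admin list\n' "$user"
      continue
    fi
    printf '%s is not on the approved admin list; removing from admin\n' "$user"
    # Keep going after a failure so one bad record does not leave the other
    # unauthorized admins in place; the failure is reported in the exit status.
    if ! demote_admin "$user"; then
      log "failed to demote $user"
      failures=$((failures + 1))
    fi
  done

  if (( failures > 0 )); then
    log "$failures demotion(s) failed"
    return 1
  fi
  return 0
}

main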