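#!/bin/bash
# This script runs at boot to make sure that no new admin accounts have
# been created in the interim: every member of the local "admin" group that
# is not on the hard-coded allowlist below is removed from "admin" and added
# to "staff".
#
# Requires root (dseditgroup edits the local directory). Verdicts go to
# stdout and failures to stderr so the boot log records which accounts were
# kept or demoted. Written for the bash 3.2 shipped with macOS, so no
# 4.x-only features are used.

# allowed array contains the only users permitted to keep admin rights.
# Editing this list is the only way to authorise a new admin.
# NOTE(review): any default members of the admin group (for example root, if
# it appears in GroupMembership on this system) must be listed here too, or
# they will be demoted as well — confirm against `dscl . -read /groups/admin`.
declare -a allowed=('admin' 'ardadmin' 'yehuda')

#######################################
# Test whether a user is on the allowlist.
# Globals:   allowed (read)
# Arguments: $1 - short user name to check
# Returns:   0 if the user is allowed, 1 otherwise
#######################################
is_allowed() {
  local candidate=$1
  local name
  for name in "${allowed[@]}"; do
    if [[ "$name" == "$candidate" ]]; then
      return 0
    fi
  done
  return 1
}

# Refuse to run unprivileged: dseditgroup would fail for every user and the
# "should be deleted" lines in the log would be misleading.
if (( EUID != 0 )); then
  printf 'error: this script must run as root\n' >&2
  exit 1
fi

# Get list of admin accounts into array.
# dscl prints one line of the form "GroupMembership: user1 user2 ...".
# Fail closed (no changes, non-zero exit) if that line cannot be read.
membership=$(dscl . -read /groups/admin | grep GroupMembership)
if [[ -z "$membership" ]]; then
  printf 'error: could not read admin group membership\n' >&2
  exit 1
fi
# Strip the "GroupMembership:" label and split the remainder on whitespace
# (short names cannot contain spaces), which replaces the old slice trick.
read -r -a admins <<<"${membership#GroupMembership:}"
if [[ ${#admins[@]} -eq 0 ]]; then
  printf 'admin group has no members; nothing to do\n'
  exit 0
fi
printf 'current admins: %s\n' "${admins[*]}"

# loop through all admin users to test each user if it is allowed to remain admin
for user in "${admins[@]}"; do
  if is_allowed "$user"; then
    printf '%s is on the approved admin list\n' "$user"
  else
    printf '%s should be deleted\n' "$user"
    # Remove the user from the admin group, then make sure the account
    # remains a normal staff user. Each step reports its own failure so a
    # partial change is visible in the log.
    # (dscl equivalent: dscl . -delete /Groups/admin GroupMembership "$user")
    dseditgroup -o edit -d "$user" -t user admin \
      || printf 'warning: failed to remove %s from admin\n' "$user" >&2
    dseditgroup -o edit -a "$user" -t user staff \
      || printf 'warning: failed to add %s to staff\n' "$user" >&2
  fi
done
exit 0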