grahampugh · May 20, 2020 13:56
diff --git a/privileges-time-limited-elevation.sh b/privileges-time-limited-elevation.sh
 #!/bin/bash

 ## Privileges time-limited elevation
 ## v. 0.1 - G. Pugh 2020-05-20

 # Sets admin privileges for defined number of minutes
 duration_minutes=$4

 # Privileges installer policy trigger name
 policy_trigger_name="Privileges-install"

 elevation_duration=$(($duration_minutes * 60))
 start_interval=$(($elevation_duration + 10))

 # get console user so we can run the script as that user
 consoleuser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')

 abort() {
  printf "%s\n" "$@"
  exit 1
 }

 have_sudo_access() {
  if [[ $(whoami) != "root" ]]; then
    abort "Need sudo access!"
  fi
 }

 # check sudo access - will abort if not running as root
 have_sudo_access

 # is the Privileges app installed?
 [[ -d "/Applications/Privileges.app" ]] || /usr/local/jamf/bin/jamf policy -event "$policy_trigger_name"

 sleep 1

 # Write script to tmp location
 tmp_location="/tmp/privileges"

 echo "#!/bin/bash
 su -l $consoleuser -c \"/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add\"

 # now wait for the designated number of minutes
 sleep $elevation_duration

 # now remove privileges
 su -l $consoleuser -c \"/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove\"

 # finally delete this file
 rm -f $tmp_location
 " > "$tmp_location"

 chmod 775 "$tmp_location"

 echo "Runner written to $tmp_location"

 # now run the script in the background so the jamf policy can end
 "$tmp_location" &

 # write the LaunchAgent that ensures privileges are returned to standard on login
 LaunchAgentLocation="/Library/LaunchAgents/corp.sap.privileges.plist"

 echo '<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 	<key>Label</key>
 	<string>corp.sap.privileges</string>
 	<key>ProgramArguments</key>
 	<array>
 		<string>/Applications/Privileges.app/Contents/Resources/PrivilegesCLI</string>
 		<string>--remove</string>
 	</array>
 	<key>RunAtLoad</key>
 	<true/>
 	<key>LimitLoadToSessionType</key>
 	<string>Aqua</string>
 </dict>
 </plist>' > "$LaunchAgentLocation"

 launchctl load -w "$LaunchAgentLocation"
	#!/bin/bash

	## Privileges time-limited elevation
	## v. 0.1 - G. Pugh 2020-05-20

	# Sets admin privileges for defined number of minutes
	duration_minutes=$4

	# Privileges installer policy trigger name
	policy_trigger_name="Privileges-install"

	elevation_duration=$(($duration_minutes * 60))
	start_interval=$(($elevation_duration + 10))

	# get console user so we can run the script as that user
	consoleuser=$(scutil <<< "show State:/Users/ConsoleUser" \| awk '/Name :/ && ! /loginwindow/ { print $3 }')

	abort() {
	printf "%s\n" "$@"
	exit 1
	}

	have_sudo_access() {
	if [[ $(whoami) != "root" ]]; then
	abort "Need sudo access!"
	fi
	}

	# check sudo access - will abort if not running as root
	have_sudo_access

	# is the Privileges app installed?
	[[ -d "/Applications/Privileges.app" ]] \|\| /usr/local/jamf/bin/jamf policy -event "$policy_trigger_name"

	sleep 1

	# Write script to tmp location
	tmp_location="/tmp/privileges"

	echo "#!/bin/bash
	su -l $consoleuser -c \"/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --add\"

	# now wait for the designated number of minutes
	sleep $elevation_duration

	# now remove privileges
	su -l $consoleuser -c \"/Applications/Privileges.app/Contents/Resources/PrivilegesCLI --remove\"

	# finally delete this file
	rm -f $tmp_location
	" > "$tmp_location"

	chmod 775 "$tmp_location"

	echo "Runner written to $tmp_location"

	# now run the script in the background so the jamf policy can end
	"$tmp_location" &

	# write the LaunchAgent that ensures privileges are returned to standard on login
	LaunchAgentLocation="/Library/LaunchAgents/corp.sap.privileges.plist"

	echo '<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>Label</key>
	<string>corp.sap.privileges</string>
	<key>ProgramArguments</key>
	<array>
	<string>/Applications/Privileges.app/Contents/Resources/PrivilegesCLI</string>
	<string>--remove</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>LimitLoadToSessionType</key>
	<string>Aqua</string>
	</dict>
	</plist>' > "$LaunchAgentLocation"

	launchctl load -w "$LaunchAgentLocation"