If your Mac is out-of-order or you otherwise cannot download macOS from the App Store, you can still create a bootable OS X recovery USB, and you can use that to create an Installer USB.
The downloads used in this process are legal and freely avaliable - including disk images directly from Apple's IT support pages, and open source utilities for extracting and converting pkg, dmg, and HFS+.
These are only examples, for a few very common actions. You are expected to write your own rules for the rest. The syntax is regular JavaScript, but see the polkit(8) manpage for the object structure and available API. These examples are for polkit versions 106 and later, with the JS interpreter. They won't work with Debian's polkit v105.
If you don't know the action name, either run pkaction and look for anything similar:
pkaction | grep cups
...or try to perform the actual action, cancel it, then look in your system logs:
journalctl -t polkitd -n 10 | grep action
Add the following chunk to your existing ISC dhcpd.conf file.
if exists user-class and ( option user-class = "iPXE" ) {
filename "http://boot.smidsrod.lan/boot.ipxe";
}
else {
filename "undionly.kpxe";
}
(or see https://gist.github.com/4008017 for a more elaborate setup