
I am currently trying to find out if there is a way to hardcode the password that subsequently shows up after the bash script below is run. The idea is we deploy this via our MDM solution and then run it and it removes the user from having the local admin privileges on our Macs.

```bash
#!/bin/bash

# Account that currently owns the console (the logged-in GUI user).
loggedInUser=$(/usr/bin/stat -f%Su /dev/console)

# Leave the built-in administrator accounts alone.
# '=' is the POSIX string comparison; '==' only works in bash's own [ ].
if [ "$loggedInUser" = "root" ] || [ "$loggedInUser" = "localadmin" ]; then
  exit 0
fi

# Removes the logged-in user from the admin group (post-uninstall).
# sudo is what prompts for the password when this is not already run as root.
sudo dseditgroup -o edit -d "$loggedInUser" -t user admin
```
MarrixRed

  • _Can_ you do it? Yes, and the duplicate describes how. _Is it a good idea?_ Absolutely, positively not. – Charles Duffy Jun 29 '21 at 16:42
  • If you control the system, you can make its `/etc/sudoers` have a directive that makes this command _not require_ any password to be run. Or you can have root's `authorized_keys` specify a public key to be allowed to run this specific command (and only this command, no others!) using only the corresponding RSA private key for authentication. Or you can install a setuid binary for the same purposes. Lots of options that don't require making root's password world-readable (or at least, readable by whatever user account you would be running this with). – Charles Duffy Jun 29 '21 at 16:43
  • BTW, `==` is not guaranteed to work as a string comparison operator in `[ ]`; the only operator standardized for the purpose is `=` -- see https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html. bash's built-in implementation supports `==`, but if your script is run with `sh` instead of `bash` that won't necessarily be the case. – Charles Duffy Jun 29 '21 at 16:49
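The comments above point at the real fix: the script should never need a password at all. The version below is an added example, not the questioner's script or anything from Charles Duffy. It assumes the MDM agent runs the script as root (the usual case), so there is no `sudo` and nothing to hardcode; it keeps the same exemptions for `root` and `localadmin`, uses `=` rather than `==` as the comment recommends, and refuses to act when it is not root instead of prompting. `DSEDITGROUP` is a hypothetical override so the logic can be exercised on a machine without `dseditgroup`.

```shell
#!/bin/bash
# Added example, not the questioner's script. It assumes the MDM agent runs it
# as root, so there is no sudo and no password to hardcode. DSEDITGROUP is a
# hypothetical override so the logic can be exercised off a Mac.

DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Accounts that keep their admin rights (the same exemptions as the question).
EXEMPT_USERS="root localadmin"

# Returns 0 when the account named in $1 is exempt. Uses '=' rather than '==',
# the only string comparison the POSIX test utility standardises.
is_exempt_user() {
  local u
  for u in $EXEMPT_USERS; do
    [ "$1" = "$u" ] && return 0
  done
  return 1
}

# Prints the user that owns the console on macOS; on other systems prints $1
# (or nothing) so the remaining logic can still be run.
console_user() {
  if [ "$(uname)" = "Darwin" ] && [ -e /dev/console ]; then
    /usr/bin/stat -f%Su /dev/console
  else
    printf '%s\n' "${1:-}"
  fi
}

# Prints the exact command that would remove $1 from the admin group, so the
# action can be logged or reviewed before it is applied.
admin_removal_cmd() {
  printf '%s -o edit -d %s -t user admin\n' "$DSEDITGROUP" "$1"
}

# Removes $1 from the admin group unless the account is exempt or empty.
# Returns 0 on success or skip, 2 when not running as root, and otherwise
# dseditgroup's own exit status.
demote_user() {
  local user="$1"
  if [ -z "$user" ]; then
    echo "no console user found, nothing to do" >&2
    return 0
  fi
  if is_exempt_user "$user"; then
    echo "keeping admin rights for exempt account $user" >&2
    return 0
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root: deploy through the MDM agent instead of sudo" >&2
    return 2
  fi
  echo "running: $(admin_removal_cmd "$user")" >&2
  "$DSEDITGROUP" -o edit -d "$user" -t user admin
}

# Entry point: demote whoever currently owns the console.
demote_user "$(console_user)"
```

If the agent cannot run the script as root and the `/etc/sudoers` route from the comment is used instead, scope the `NOPASSWD` rule to the exact `dseditgroup` command line for the one deploying account, and check the file with `visudo -c` before relying on it; a rule that allows an unrestricted shell or a wildcard command hands out the same power as the password would have.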

0 Answers