Lately I saw a post on JAMF’s user forums with someone wanting to give temporary admin access to their users for a set amount of time. This reminded me that I had such a script and that I should share it with the world. So here you go!
The script takes a numeric argument (a number of seconds) and gives the currently logged-in user admin powers for that amount of time. It even has an “exit trap” so that, if the script is stopped prematurely (the computer shuts down, etc.), the user is removed from the admin group. This is in case the user tries to exploit this script in order to keep their admin access. Keep in mind that a trap cannot run if the script is killed outright (SIGKILL) or the machine loses power, so in those cases the user stays in the admin group until something else removes them.
#!/bin/bash
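# Editing the local admin group requires root, so refuse to run otherwise.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Must be root."
  exit 1
fi
# The owner of /dev/console is the user at the console session. Ask stat for
# the owner name directly instead of parsing the column layout of `ls -l`.
curUser="$(stat -f%Su /dev/console)"
# Refuse to continue without a real console user: an empty name must never be
# handed to dscl, and root (typically the console owner when nobody is logged
# in — confirm on the target OS version) is not an account to elevate.
if [[ -z "${curUser}" || "${curUser}" == "root" ]]; then
  echo "No console user to elevate." >&2
  exit 1
fi
# Not referenced anywhere in the visible script; kept in case other code uses them.
retval=9001
_x=9001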
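# Accept only a whole number of seconds. The trailing $ anchor matters: without
# it a value such as "10abc" would pass the check and reach sleep unchanged.
numtest='^[0-9]+$'
arg=$1
# For JAMF Users you'll want to capture the 3rd argument instead.
# uncomment the following line to do that
#arg=$3
# NOTE(review): Jamf Pro reserves $1-$3 (mount point, computer name, user name)
# and passes custom script parameters starting at $4 — confirm which positional
# parameter actually carries the duration before enabling the line above.
#
# Use the argument when it is present and numeric; otherwise fall back to 40
# seconds.
# NOTE(review): there is no upper bound on the requested duration — consider
# capping it so a caller cannot request an effectively permanent grant.
if [[ -n "${arg}" && "${arg}" =~ ${numtest} ]]; then
  sleeptimer=${arg}
else
  sleeptimer=40
fi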
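isUserAnAdmin () {
  # Returns 0 when ${curUser} is listed in the local admin group's
  # GroupMembership attribute, non-zero otherwise.
  # Globals: curUser (read)
  #
  # An empty name cannot be matched exactly. Report "already admin" so the
  # caller skips the grant, which is also what the original pattern match
  # did for an empty name.
  [[ -n "${curUser}" ]] || return 0
  # Compare whole names as fixed strings. A plain grep for the name treats it
  # as a regex and matches substrings, so "bob" would be reported as an admin
  # whenever "bobby" is one — and the cleanup handler relies on this answer.
  dscl . read /Groups/admin GroupMembership \
    | tr -s ' \t' '\n' \
    | grep -qxF -- "${curUser}"
}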
grant_admin () {
  # Append the console user's short name to the GroupMembership attribute of
  # the local admin group. The exit status is whatever dscl returns.
  # Globals: curUser (read)
  local admin_group="/Groups/admin"
  dscl . append "${admin_group}" GroupMembership "${curUser}"
}
deny_admin () {
  # Remove the console user's short name from the GroupMembership attribute of
  # the local admin group. All dscl output (stdout and stderr) is discarded,
  # so the exit status is the only sign that a revocation failed.
  # Globals: curUser (read)
  local admin_group="/Groups/admin"
  dscl . delete "${admin_group}" GroupMembership "${curUser}" &>/dev/null
}
exit_script () {
  # Cleanup handler: revoke admin rights only if the user currently has them,
  # so a run that never granted anything does not issue a pointless delete.
  if ! isUserAnAdmin; then
    return 0
  fi
  deny_admin
}
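if isUserAnAdmin;then
  # Already an admin before we did anything: grant nothing and, just as
  # important, install no cleanup handler that would strip a standing admin.
  exit
else
  # Install cleanup BEFORE granting, so no signal can land in a window where
  # the user is an admin but nothing is set to revoke it. EXIT covers every
  # ordinary way out of the script; the signal trap turns HUP/INT/TERM into
  # an exit, so the same handler runs for them as well.
  trap exit_script EXIT
  trap 'exit 1' SIGHUP SIGINT SIGTERM
  grant_admin
  # Sleep in the background and wait on it: bash postpones trap handlers until
  # a foreground command returns, whereas `wait` is interrupted at once, so a
  # SIGTERM revokes immediately instead of after the timer runs out.
  sleep "${sleeptimer}" &
  wait $!
  deny_admin
  # NOTE(review): SIGKILL, a crash or a power loss cannot be trapped, so the
  # grant can outlive this script. A separate backstop that removes stale
  # grants (for example at boot) is needed for a hard guarantee, and logging
  # each grant/revoke would make the elevation auditable.
fi
# Status of the if statement above, i.e. of deny_admin on the normal path.
exit $?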