pycreateuserpkg
Replace uuid with uuidgen binutils
Works on systems without /dev/urandom, for example, macOS recovery.
Is Python consistently available in macOS recovery? I don't see the use-case for running the createuserpkg script in recovery.
Yes it is, if I'm chrooted into an installation. In any case, I don't know if urandom is inside the KVM full system; I'll boot one up tomorrow and double check.
Secondly, I just realized this would only work on Linux or Mac, so I'll check and probably close the PR tomorrow.
How about a try except?
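The try/except fallback suggested above, written out as an added example that is not pycreateuserpkg's code and not part of this PR: the function names, the simulated missing-urandom failure and the uuidgen fallback are assumptions about how such a change could look.

```python
"""Added example (not pycreateuserpkg's own code): use Python's uuid module
when /dev/urandom is readable, otherwise fall back to the uuidgen tool."""
import shutil
import subprocess
import uuid


def has_uuidgen():
    """True if a uuidgen executable is on PATH (macOS and util-linux ship one)."""
    return shutil.which("uuidgen") is not None


def uuid_from_uuidgen():
    """Run uuidgen and return its output as a normalized lowercase UUID string.

    uuid.UUID() parses the output, so garbage or a truncated line raises
    ValueError instead of silently becoming a package identifier.
    """
    exe = shutil.which("uuidgen")
    if exe is None:
        raise RuntimeError("uuidgen not found on PATH")
    out = subprocess.run([exe], capture_output=True, text=True, check=True).stdout
    return str(uuid.UUID(out.strip()))  # macOS prints uppercase; normalize


def random_uuid(python_uuid=uuid.uuid4):
    """Return a random UUID string.

    uuid.uuid4() reads os.urandom(); on a host without /dev/urandom that
    raises NotImplementedError (no entropy source) or OSError (open failed),
    so only those two exceptions trigger the uuidgen fallback.
    """
    try:
        return str(python_uuid())
    except (NotImplementedError, OSError):
        return uuid_from_uuidgen()


def is_valid_uuid(value):
    """True if value parses as a UUID (any version)."""
    try:
        uuid.UUID(value)
    except (ValueError, TypeError):
        return False
    return True


def simulated_missing_urandom():
    """Constructed stand-in for uuid.uuid4 on a host without /dev/urandom."""
    raise NotImplementedError("/dev/urandom (or equivalent) not found")


if __name__ == "__main__":
    print(random_uuid())
```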
I'm not sure what the larger context is that you are trying to solve problems for, so it's hard for me to react/provide advice. For me, createuserpkg is a tool a Mac admin would run under macOS (regular, not Recovery) on his/her Mac to build packages to be used in deployment/management of set of Macs.
I get the feeling that you have some more esoteric usage of this tool :-)
All good, I'll close this; I just didn't have /dev/urandom on recovery 🤣
OK -- I'm not at all opposed to changes as long as they don't break the main uses or make it harder to maintain.
All good, I'm trying to do quite a bit of automated installation from the recovery disk, in KVM, based on your work and @trodemaster's too.
Got read/write on the Big Sur rootfs; trying to use your script to create a user in the recovery disk over chroot to skip the installation screen, pretty close so far. Will post some results when I get a bit closer 😂
@gregneagle We did not do it exactly from the Recovery partition but I can explain a possible use scenario that may apply.
We were required by external security auditors to, where possible, give laptops to users with the users only having a standard-level user account. We did create an admin-level account that we used for the IT team for support use; this 'local admin' account had a random password, regularly changed via Jamf Pro using a LAPS script, with the password stored in Jamf Pro. Occasionally something might go wrong and the password stored in Jamf may end up no longer in sync with the actual password on the laptop. Since the user account was not an admin-level account, it could not be used to reset the password back to a known value to restore the sync to Jamf. We used Jamf Connect to create the user account during DEP enrolment, with Jamf Connect deciding whether to create the user as admin level or not based on information from Okta.
We could fix messed-up local admin passwords if needed by booting from another drive and running createuserpkg targeting the mounted laptop drive to install a temporary additional admin-level user account, then rebooting from the laptop, logging in as the user (to unlock FileVault), then logging out and back in as this temporary admin account and, via it, doing the password reset of the local admin account.
We used a USB drive containing a full copy of macOS, but relating to @sickcodes' request, hypothetically this could be done by booting from the recovery drive and running createuserpkg stored somewhere.
We used the above method if, for some additional reason, the FileVault recovery key (also stored in Jamf Pro) also got messed up; we also regularly ran a script to change this recovery key as well. (It was much rarer for the FileVault recovery key to get messed up, as this used a built-in Jamf command.)
You can install a pkg created with pycreateuserpkg when running the Recovery OS today. This has worked for years. You cannot run the tool to create these packages in Recovery, which is a very uncommon need.
Thanks for the clarification, I would agree creating the pkg is not a typical need.
You can mount the macOS volume and export mountpoint/usr/bin to get python etc.
curl the script and pipe it to bash to run arbitrary shell scripts without a writable recovery disk and without storing anything on disk.
I'm also attempting to write to TCC.db with SQLite for full disk permissions
```shell
# curl 192.168.1.2/csr.sh | bash
# Turns off the sealed system volume check and System Integrity Protection,
# then reboots so the rootfs can be mounted read/write.
csrutil authenticated-root disable ;
csrutil disable ;
reboot ;

# curl 192.168.1.2/mount.sh | bash
# Remounts the system volume read/write at ./mnt; disk5s5 is the volume
# identifier on this particular VM.
mkdir -p ./mnt ;
diskutil umount /dev/disk5s5 ;
sleep 1 ;
mount -o nobrowse -t apfs "/dev/disk5s5" ./mnt ;
```
After rootfs writes on Big Sur, you need to create an APFS snapshot.
This code is out of order, but I'm on mobile and want to get the code up: