munki-in-a-box
Use membership of "admin" group, rather than writing to /tmp
Writing to known locations in your filesystem can be a security problem
Hi Graham,
Thanks for the PR!
Can you walk me through what the new isadmin function does? I just want to make sure I understand it before I merge it in.
So, if I understand what you're trying to do by writing the output of whoami to a file: if you're an admin user (i.e., in the admin group), the output is root. The id command outputs a numeric list of the groups the current user belongs to, and we look for 80, which is the group ID for admin.
Though now that I write this, I realize that the id command is "recent", so reject this PR; I need to make it work with older versions of OS X 😒
Thanks, Graham
On Thu, Feb 23, 2017, 6:49 PM Tom Bridge wrote:
Test code for isadmin()
#!/bin/bash
# Test harness for isadmin(): echo stands in for the real logger in the script
LOGGER=$(which echo)

# isadmin USER: exit status 0 if USER is in the admin group, non-zero otherwise.
# Membership is read directly from id/groups; nothing is written to /tmp.
isadmin() {
    if [[ -e /usr/bin/id ]]; then
        echo "using id"
        # id -G prints the user's numeric group IDs; 80 is the admin group on OS X.
        # grep -w matches only the whole token, so 180 or 800 does not count as 80.
        id -G "$1" | grep -q -w 80
    else
        echo "using groups"
        # Fallback for systems without /usr/bin/id: match the group by name
        groups "$1" | grep -q -w admin
    fi
}

if isadmin "$(whoami)"; then
    ${LOGGER} "Privilege Escalation Allowed, Please Continue."
else
    ${LOGGER} "Privilege Escalation Denied, User Cannot Sudo."
    exit 6
fi
echo "you're root"
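As an added example, not code from the PR or the munki-in-a-box project, the same check written portably: membership is tested by numeric GID through id -G, with a groups fallback where id -G is unavailable, and nothing is written to a temporary file, so there is no predictable /tmp path that another local user could pre-create or replace before the script reads it back. The group (80/admin) and exit code 6 come from the PR; is_member_of, is_admin and require_admin are names assumed here.

```shell
#!/bin/sh
# Added example (not from the PR): admin-group check with no temp-file write.
# Group membership is read straight from id/groups, so there is no file in a
# predictable location that another local user could create or swap first.

# is_member_of GID GROUPNAME [USER]
# Returns 0 if USER (default: the current user) is in the group, 1 otherwise.
is_member_of() {
    gid="$1"
    gname="$2"
    user="${3:-$(id -un)}"
    # Prefer the numeric GID: group names can be changed, GIDs rarely are.
    # One token per line plus grep -x gives an exact match, so 180 or 800
    # never passes as 80.
    if id -G "$user" >/dev/null 2>&1; then
        id -G "$user" | tr ' ' '\n' | grep -qx "$gid"
    else
        # Fallback for systems whose id lacks -G: match on the group name
        groups "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$gname"
    fi
}

# is_admin [USER]: the macOS admin group, GID 80 (values from the PR)
is_admin() {
    is_member_of 80 admin "$@"
}

# require_admin [USER]: the PR's contract, but returns 6 instead of exiting
# so it can be called from tests; a script would use `require_admin || exit $?`
require_admin() {
    if is_admin "$@"; then
        echo "Privilege Escalation Allowed, Please Continue."
        return 0
    fi
    echo "Privilege Escalation Denied, User Cannot Sudo."
    return 6
}

# Smoke check: GID 0 exists everywhere (root on Linux, wheel on macOS) and
# root is always a member of it.
is_member_of 0 root root && echo "root is in GID 0 (as expected)"
```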