jamf / MakeMeAnAdmin

Provides temporary admin access for a standard user via Jamf Self Service

Logfile Issue #1

Open FredrikVirding opened 5 years ago

FredrikVirding commented 5 years ago

Hi,

I have tried this script on a Mac, and it works perfectly fine.

However, in regards to the log file script, it does create the appropriate folder in /private/var/userToRemove, and also the file.

However, the log file, named user, does not display any logs apart from the name of the user account that executed the script.

I tested the default script shown in this GitHub repo. Is there anything I'm missing?

myoaungchit commented 4 years ago

Hi,

I have tried this script on a Mac, and it works perfectly fine.

However, in regards to the log file script, it does create the appropriate folder in /private/var/userToRemove, and also the file.

However, the log file, named user, does not display any logs apart from the name of the user account that executed the script.

I tested the default script shown in this GitHub repo. Is there anything I'm missing?

During my testing, I am having the same issue as mentioned by @FredrikVirding. It was tested on macOS Catalina 10.15.3. There was nothing written in the log file except for the name of user account.

TC-matthew-wenger commented 4 years ago

Same problem for me, empty log file.

samuel-harvey commented 4 years ago

Same - log just includes the user name (Catalina), policy ran through all steps according to logs. Waited 30 mins, user is still an admin - does the timer stop if you close the lid? Your help would be greatly appreciated :)

pirkla commented 4 years ago

So, a couple of things:

1. The script the daemon runs unloads the daemon before the script finishes. This causes the script to stop when the unload command is run, which means these two lines never run:

    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive

These are the lines that remove the daemon and generate the logs. This means the next time the computer restarts the daemon will run again (to no real effect, since it has no script it can run, so it's just a tiny bit of bloat) and the logs won't be collected.

The fix is to move launchctl unload /Library/LaunchDaemons/removeAdmin.plist to the bottom and change it to launchctl remove removeAdmin since the file doesn't actually exist anymore to use unload. I'll see about making a pull request or fork for this, it would be good to switch these over to bootstrap and bootout as well.

2. I'm confused by reports that the logs did show but with no information. Were the logs referred to .logarchives, or was it just a file titled "user"? The file titled user is just stored to allow the script to read what user should be demoted; the actual log will be username.logarchive.

3. The script will still work even if the user logs out or the lid is closed. This is because it creates a daemon which will launch itself when the computer restarts, and runs in the background not tied to a user. If the script is run with insufficient privileges I could see an issue there, and it would explain why some users then see success after the device restarts, since that would start the daemon again with root privileges. If you stream logs when the user should get demoted, are there any prompts reporting failure, or does a sysdiagnose show any failures to run the script? That might look like this:

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

Also note it's easy to get a false positive from the UI about whether a user is an admin or not. You'd have to close System Preferences entirely and open it again to be sure you're seeing updated info.
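The ordering fix described above (demote, clean up, collect logs, and only then tear down the daemon) can be checked before a policy ships. The following is an added example, not code from the MakeMeAnAdmin project: it writes a demotion script with the corrected ordering into a path you choose, and a small lint confirms that no launchctl unload/remove/bootout line precedes the last log collect line. The destination path, the function names and the is_admin_member helper are assumptions for this illustration; is_admin_member only makes sense on macOS, where dseditgroup -o checkmember exits 0 when the user is in the admin group, which is a more reliable check than the System Preferences pane.

```shell
#!/bin/sh
# Added example (assumption: not the project's own script). Writes a corrected
# removeAdminRights.sh to a caller-supplied path and lints the command ordering.

# Write the demotion script with the daemon teardown as the LAST step, using
# launchctl remove because the plist has already been deleted at that point.
write_fixed_script() {
    out="$1"
    cat << 'EOF' > "$out"
#!/bin/sh
if [ -f /private/var/userToRemove/user ]; then
    userToRemove=$(cat /private/var/userToRemove/user)
    today=$(date '+%m-%d-%y%H-%M')
    echo "Removing $userToRemove's admin privileges"
    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
    rm -f /private/var/userToRemove/user
    rm -f /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 5m --output "/private/var/userToRemove/${userToRemove}${today}.logarchive"
    launchctl remove removeAdmin
fi
EOF
    chmod 755 "$out"
}

# Lint: exit 0 only if the first launchctl unload/remove/bootout line comes
# after the last "log collect" line. The original script failed this because
# the unload killed the script before the log collection ran.
check_unload_is_last() {
    script="$1"
    last_collect=$(grep -n 'log collect' "$script" | tail -n 1 | cut -d: -f1)
    first_unload=$(grep -nE 'launchctl (unload|remove|bootout)' "$script" | head -n 1 | cut -d: -f1)
    [ -n "$last_collect" ] && [ -n "$first_unload" ] || return 1
    [ "$first_unload" -gt "$last_collect" ]
}

# macOS only (assumption: not exercised elsewhere in this example). Confirms
# real admin group membership rather than trusting the preferences UI.
is_admin_member() {
    /usr/sbin/dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Usage: write the script somewhere writable, then lint it before deploying.
# target=$(mktemp -d)/removeAdminRights.sh
# write_fixed_script "$target" && check_unload_is_last "$target" && echo "ordering ok"
```

Running the lint against the original script (unload at the top, log collect at the bottom) returns non-zero, which is the condition that left everyone with an empty log directory.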

samuel-harvey commented 4 years ago

@pirkla thank you! amazing reply 👍

jrouthier commented 4 years ago

@pirkla So far everything with the script is working for me, with the exception of the log. The .logarchive file is created, Finder is showing the log is roughly 80MB, but when I open it, nothing there. I have modified the script as you suggested to have the 'launchctl remove' at the end of the script. The following is what the removeAdmin script looks like that is triggered by the LaunchDaemon

    cat << 'EOF' > /Library/Application\ Support/JAMF/removeAdminRights.sh
    if [[ -f /private/var/userToRemove/user ]]; then
        userToRemove=$(cat /private/var/userToRemove/user)
        today=$(date '+%m-%d-%y%H-%M')
        echo "Removing $userToRemove's admin privileges"
        /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
        rm -f /private/var/userToRemove/user
        rm /Library/LaunchDaemons/removeAdmin.plist
        log collect --last 5m --output "/private/var/userToRemove/${userToRemove}${today}.logarchive"
        launchctl remove removeAdmin
    fi
    EOF

hachijyuni commented 4 years ago

@jrouthier I used the edited part of script you pasted and it fixed my logging issues. (most of our Macs are on 10.15) Much appreciated!