I am using Privileges.app to grant users temporary administrator rights. Because I need to enable password verification and validation through the configuration, I cannot use the built-in feature that limits the duration of the granted rights to 15 minutes.
So I created a launchd job that calls a script which periodically (once per minute) checks whether a user has been added to the admin group and, if a new member is detected, creates a job that demotes the user via atrun. Full Disk Access is enabled for Terminal and atrun.
The launchd job is created correctly, and the script is created and runs fine. It successfully detects the change in the admin group and tries to create a job for atrun, but that does not work. Running the same script with sudo in Terminal instead of via launchd works perfectly.
What do I have to do to make this work?
In case it is relevant, I am deploying the script via Mobile Iron Core.
The script is as follows:
#!/bin/bash
# created 17.10.2023 - Manuel Frank
# create .plist to launch script and keep it running
sudo defaults write /Library/LaunchDaemons/admincheck.plist Label -string "admincheck"
sudo defaults write /Library/LaunchDaemons/admincheck.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/com.mobileiron.mac.agent/admincheck.sh"
sudo defaults write /Library/LaunchDaemons/admincheck.plist RunAtLoad -boolean yes
sudo defaults write /Library/LaunchDaemons/admincheck.plist KeepAlive -boolean yes
sudo chown root:wheel /Library/LaunchDaemons/admincheck.plist
sudo chmod 644 /Library/LaunchDaemons/admincheck.plist
# create script for .plist to launch (written before the daemon is loaded, so the first run finds it)
cat << 'EOF' > "/Library/Application Support/com.mobileiron.mac.agent/admincheck.sh"
#!/bin/bash
sleep 10
# check for local user in admin group, remove root & hidden admin account from output
localadmin=$(dscacheutil -q group -a name admin | awk '$1 == "users:" { for (i=2; i<=NF; i++) { if (($i != "root") && ($i != "admin")) { print $i } } }')
# define time after which admin users are demoted
TEMPSECONDS=900
# while-loop to check if a user has been added to the admin group
while [ -z "$localadmin" ]; do
    sleep 60
    localadmin=$(dscacheutil -q group -a name admin | awk '$1 == "users:" { for (i=2; i<=NF; i++) { if (($i != "root") && ($i != "admin")) { print $i } } }')
    localuser=$(dscl . list /Users | grep -v "^_\|daemon\|root\|nobody\|admin")
    # admin has been found, queue job for demoting after TEMPSECONDS
    if [ -n "$localadmin" ]; then
        # check whether atrun is loaded, load it if not
        if ! launchctl list | grep -q com.apple.atrun; then launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist; fi
        # job to demote user. $localuser is expanded now, when the job is written;
        # \$User and \$? are escaped so they are expanded when the job runs.
        echo "#!/bin/sh
for User in $localuser
do
    /usr/sbin/dseditgroup -o edit -d \"\$User\" -t user admin
done
launchctl load /Library/LaunchDaemons/admincheck.plist
exit \$?" | at -t "$(date -v+"$TEMPSECONDS"S "+%Y%m%d%H%M.%S")"
        exit 0
    fi
done
# unload .plist to ensure script is not run before job is finished. .plist will be loaded after job finishes.
launchctl unload /Library/LaunchDaemons/admincheck.plist
exit 0
EOF
# load .plist, sleep 10 if system is slow
launchctl load /Library/LaunchDaemons/admincheck.plist
sleep 10
exit 0
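The detection step of the post (filter the `users:` line of `dscacheutil -q group -a name admin` against the accounts that may stay admins) and the generation of the one-shot `at` job, as an added example that is not part of the poster's script. It runs against a constructed copy of dscacheutil output so the logic can be checked on any machine; the allowlist, the record text and the user names are assumptions, and the job body is only printed, not handed to `at`.

```shell
#!/bin/bash
# Added example, not the poster's script. Constructed input and assumed allowlist.

# Accounts allowed to remain in the admin group permanently (assumption).
ALLOWED_ADMINS="root admin"

# Constructed sample of what `dscacheutil -q group -a name admin` prints.
SAMPLE_RECORD='name: admin
password: *
gid: 80
users: root admin alice'

# Print, one per line, the members of the admin record on stdin that are
# not on the allowlist. Mirrors the awk filter in the post, with the
# allowlist passed in instead of hard-coded comparisons.
unexpected_admins() {
    awk -v allow="$ALLOWED_ADMINS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "users:" { for (i = 2; i <= NF; i++) if (!ok[$i]) print $i }
    '
}

# Build the body of the demotion job the post queues with `at`.
# The names are expanded now; "$u" is written literally so the loop
# variable is expanded when the job itself runs.
demotion_job() {
    # shellcheck disable=SC2086  # word-split the newline-separated list on purpose
    set -- $1
    printf '#!/bin/sh\n'
    printf 'for u in %s; do\n' "$*"
    printf '    /usr/sbin/dseditgroup -o edit -d "$u" -t user admin\n'
    printf 'done\n'
    printf 'launchctl load /Library/LaunchDaemons/admincheck.plist\n'
}

# Dry run over the constructed record: detect, then show the job that would be queued.
found=$(printf '%s\n' "$SAMPLE_RECORD" | unexpected_admins)
if [ -n "$found" ]; then
    echo "unexpected admin(s): $found"
    demotion_job "$found"
else
    echo "no unexpected admins"
fi
```

On a Mac the dry run becomes the real check by replacing the sample with `dscacheutil -q group -a name admin | unexpected_admins` and piping the job body into `at -t ...` as the post does; keeping the allowlist in one variable makes it obvious which accounts the demotion can never touch.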