How to apply a bash script just to one user account?
Generally speaking I manage my MAC OS X High Sierra and Mojave systems using very basic script(s) that I remotely send and apply to the entire Mac OS X system, that means all these script(s) are applied to all the users of the system. But now I have an harder challange. Each of my MAC OS X system has 3 user accounts. :(Admin Account) User1 (Admin Account) User2 and (Local Standard Account) User3.
Generally speaking if I want to send a script that only apply to the (Local Standard Account) User3 how can I do it? I was thinking with the The principle of least privilege. I know for sure that (Local Standard Account) User3 is not an admin. So, how can I tell at the beginning of the script to look and execute the script only to the (Local Standard Account) User3?
Of course (Local Standard Account) User3 (username) always change. I have more than 400 Mac OS X systems that I manage. Instead (Admin Account) User1 (Admin Account) User2 are always the same username.
All my MAC OS X systems have an agent installed. This is how I am able to execute scripts on my systems. Every time the script run thanks to the agent, it runs as ROOT.
Let's do an example scenario.
I want to create a simple text file and place this text file on the desktop of 3 Mac OS X system but just inside the (Local Standard Account) User3 Desktop
Hostname: tsmith-mac Username: administrator Username: administrator_backup Username: tsmith
Hostname: jreed-mac Username: administrator Username: administrator_backup Username: jreed
Hostname: fmontana-mac Username: administrator Username: administrator_backup Username: fmontana
Solution 1:
My understanding is that you send a script to your remote systems. You then run the script. I'm not sure what user id the script will be run under. I don't know what you want to do for that user.
You could put the following header code in a script. It figures out if the user is an admin user or a non admin user.
There are many ways to check for admin. Note: Some of the methods shown don't work. See:
https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x
This bash script lists all members of the group admin.
group=admin;
for i in $(dscl . list /users);
do [[ $(id -nG $i | grep $group) ]] && echo $i;
done;rc=0
Distilling it down.
#!/bin/bash
# ideas from:
# https://www.symantec.com/connect/articles/mac-commands-directory-editor-dscl-and-custom-inventory
# https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x
#
# Please note this is prototype.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
group=admin;
for i in $(dscl . list /users);
do
echo "process user ${i}"
uniqueID=$(dscl /Local/Default -read /Users/${i} UniqueID | awk '{ print $2 }')
# exclude system-created users, which have IDs below 500
if [ "${uniqueID:-0}" -ge 500 ]; then
if [[ $(id -nG $i | grep $group) ]]; then
#echo "${i} is a member of ${group}"
#-- plan english
echo "${i} is an admin user."
else
echo
#echo "${i} isn't a member of ${group}"
#-- plan english
echo "${i} is a regular user..."
# print the user's home folder
homeDirectory=$(dscl /Local/Default -read /Users/${i} NFSHomeDirectory | awk '{ print $2 }')
echo "Home directory is ${homeDirectory}"
echo
fi
fi
done
# leave a good impression on the caller
rc=0
finding if current user is an admin
echo "Current user is " ${USER}
if [[ $(id -nG ${USER} | grep "admin" ) ]]; then
echo "admin user"
else
echo "regular user"
fi