How to apply a bash script just to one user account?

Generally speaking I manage my MAC OS X High Sierra and Mojave systems using very basic script(s) that I remotely send and apply to the entire Mac OS X system, that means all these script(s) are applied to all the users of the system. But now I have an harder challange. Each of my MAC OS X system has 3 user accounts. :(Admin Account) User1 (Admin Account) User2 and (Local Standard Account) User3.

Generally speaking if I want to send a script that only apply to the (Local Standard Account) User3 how can I do it? I was thinking with the The principle of least privilege. I know for sure that (Local Standard Account) User3 is not an admin. So, how can I tell at the beginning of the script to look and execute the script only to the (Local Standard Account) User3?

Of course (Local Standard Account) User3 (username) always change. I have more than 400 Mac OS X systems that I manage. Instead (Admin Account) User1 (Admin Account) User2 are always the same username.

All my MAC OS X systems have an agent installed. This is how I am able to execute scripts on my systems. Every time the script run thanks to the agent, it runs as ROOT.

Let's do an example scenario.

I want to create a simple text file and place this text file on the desktop of 3 Mac OS X system but just inside the (Local Standard Account) User3 Desktop

Hostname: tsmith-mac Username: administrator Username: administrator_backup Username: tsmith

Hostname: jreed-mac Username: administrator Username: administrator_backup Username: jreed

Hostname: fmontana-mac Username: administrator Username: administrator_backup Username: fmontana


Solution 1:

My understanding is that you send a script to your remote systems. You then run the script. I'm not sure what user id the script will be run under. I don't know what you want to do for that user.

You could put the following header code in a script. It figures out if the user is an admin user or a non admin user.

There are many ways to check for admin. Note: Some of the methods shown don't work. See:

https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x

This bash script lists all members of the group admin.

group=admin;
for i in $(dscl . list /users);
  do [[ $(id -nG $i | grep $group) ]] && echo $i;
done;rc=0 

Distilling it down.

#!/bin/bash
# ideas from:
# https://www.symantec.com/connect/articles/mac-commands-directory-editor-dscl-and-custom-inventory
# https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x
#
# Please note this is prototype.
#
#       THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR  
#       IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,  
#       FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE  
#       AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER  
#       LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,  
#       OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE  
#       SOFTWARE.

group=admin;
for i in $(dscl . list /users);
  do
    echo "process user ${i}"
    uniqueID=$(dscl  /Local/Default -read /Users/${i} UniqueID | awk '{ print $2 }')

    # exclude system-created users, which have IDs below 500
    if [ "${uniqueID:-0}" -ge 500 ]; then
      if  [[ $(id -nG $i | grep $group) ]]; then 
        #echo "${i} is a member of ${group}"
        #-- plan english
        echo "${i} is an admin user."
      else
        echo
        #echo "${i} isn't a member of ${group}"
        #-- plan english
        echo "${i} is a regular user..."
        # print the user's home folder
        homeDirectory=$(dscl  /Local/Default -read /Users/${i} NFSHomeDirectory | awk '{ print $2 }')
        echo "Home directory is ${homeDirectory}"
        echo
     fi
    fi
done
# leave a good impression on the caller
rc=0

finding if current user is an admin

  echo "Current user is " ${USER}
    if [[ $(id -nG ${USER} | grep "admin" ) ]]; then
      echo "admin user"
    else
      echo "regular user"
    fi