sgmills/PrivilegesDemoter

admin_to_exclude function from script not working

Gitchiel opened this issue · 2 comments

Hi, we have this deployed in a test setup until now, it would be perfect if we can run it productively - I noticed though, our local admin (lAdmin) user gets demoted, although he's set as exclude in the variable admin_to_exclude.
The problem is, he can't be elevated back with Privileges.app, since I limited the use of the app to one other user account, where it might be needed from time to time (tadmin).
I know it's possible to deploy systems without local admins, but it's a management decision; in our case having a fixed local admin account, as well as an account for certain situations / depts., which doesn't have elevated rights by default (tadmin), would make most sense.
Of course I can elevate him over ssh, but obviously we prefer not to do this every 15 min.

Could it be due to the upper case "A" character, so similarly as described for Privileges.app itself, in this issue: SAP/macOS-enterprise-privileges#15 ?

The admin exclusion is simply grabbing the current user and if that matches the admin_to_exclude variable the script exits.

What does this command return when you're logged in as lAdmin?

scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }'

Setting admin_to_exclude to that exact output should get things working. Let me know if it does not and I am happy to investigate further.
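As an added illustration (not the project's own script), the exclusion check as described above, run over a constructed sample of the scutil output; it shows why an exact comparison fails when the value in admin_to_exclude differs only in case (lAdmin vs ladmin), and what a case-insensitive comparison would do instead:

```shell
#!/bin/sh
# Constructed sample of `scutil <<< "show State:/Users/ConsoleUser"` output;
# not captured from a real host, the account name is the one from the issue.
SAMPLE_SCUTIL='<dictionary> {
  GID : 20
  Name : lAdmin
  UID : 501
}'

# Same extraction as the command in the thread: third field of the Name line,
# skipping a loginwindow entry.
console_user() {
  printf '%s\n' "$SAMPLE_SCUTIL" | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Exact, case-sensitive match: console user vs admin_to_exclude.
is_excluded_exact() {
  [ "$1" = "$2" ]
}

# Case-insensitive variant: both sides lowercased before comparing.
is_excluded_nocase() {
  lhs=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  rhs=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$lhs" = "$rhs" ]
}

# Demonstration: exact match only succeeds when the case agrees.
user=$(console_user)
if is_excluded_exact "$user" "ladmin"; then
  echo "exact: $user excluded"
else
  echo "exact: $user NOT excluded (case mismatch with ladmin)"
fi
if is_excluded_nocase "$user" "ladmin"; then
  echo "nocase: $user excluded"
fi
```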

Ok, for now I decided to simply change the lAdmin >> ladmin in Prestage settings of the relevant site, works fine now... When I find the time, I'll test this with the lAdmin later and update here, thanks so far!