#!/bin/bash
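# Usage: create_user.sh <user_name>   (must be run as root)
# Creates a passwordless service account that may run su as non-root users
# (plus dmidecode/iwlist on Linux) through a NOPASSWD rule in sudoers.d.
USER_NAME="$1"
if [ -z "$USER_NAME" ]; then
  echo "User name required."
  exit 1
fi
# The name is interpolated into a sudoers rule, a dscl record path and a useradd
# call: allow plain account-name characters only, so that whitespace, ',', ':',
# '/' or similar cannot corrupt the sudoers fragment or the directory record.
if [[ ! "$USER_NAME" =~ ^[A-Za-z_][A-Za-z0-9._-]*$ ]]; then
  echo "Invalid user name '${USER_NAME}': use letters, digits, '_', '.' or '-' only."
  exit 1
fi
FULL_NAME="Prey Anti-Theft"
# NOTE: deliberately shadows the inherited $SHELL; create_user reads it as the
# login shell for the new account.
SHELL="/bin/bash"
# this means user will be able to run commands as other users except root
SUDOERS_FILE="/etc/sudoers.d/50_prey_switcher"
SU_BIN="$(command -v su)"
# sudoers matches arguments as one concatenated string against these patterns;
# the '!' entries subtract 'root*' and option-like '-*' targets from the allow.
# NOTE(review): '[A-z]' is an ASCII range that also covers '[', '\', ']', '^',
# '_' and '`' (so e.g. '_'-prefixed macOS system accounts match); '[A-Za-z]*'
# is the stricter spelling — confirm which is intended.
SUDOERS_ARGS="${SU_BIN} [A-z]*, !${SU_BIN} root*, !${SU_BIN} -*"
if [ "$(uname)" == "Linux" ]; then
  USERS_PATH="/home"
  # hardware/wifi probes need root; only add them when the binaries exist
  DMIDECODE_BIN="$(command -v dmidecode)"
  [ -n "$DMIDECODE_BIN" ] && SUDOERS_ARGS="${DMIDECODE_BIN}, ${SUDOERS_ARGS}"
  IWLIST_BIN="$(command -v iwlist)"
  [ -n "$IWLIST_BIN" ] && SUDOERS_ARGS="${IWLIST_BIN}, ${SUDOERS_ARGS}"
else
  USERS_PATH="/Users"
fi
SUDOERS_LINE="${USER_NAME} ALL = NOPASSWD: ${SUDOERS_ARGS}"
# Pick an existing, real account (other than the one we create) whose home
# lives under USERS_PATH; test_impersonation uses it as the su target.
# Only directories that belong to a known user are considered, so entries like
# /Users/Shared or stale home directories are skipped. Dotfiles never match.
EXISTING_USER=""
for candidate_home in "${USERS_PATH}"/*; do
  [ -d "$candidate_home" ] || continue
  candidate="${candidate_home##*/}"
  [ "$candidate" = "$USER_NAME" ] && continue
  id "$candidate" &> /dev/null || continue
  EXISTING_USER="$candidate"
done
# osx: primary group of the new account.
# NOTE(review): GID 80 is the macOS 'admin' group, so the account receives every
# admin-group privilege in addition to the sudoers rule — confirm this level of
# access is intended.
ADMIN_GROUP_ID=80
# linux: supplementary group of the new account
ADMIN_GROUP=adm
# a non-zero exit here lets a calling installer notice the failure
if [ "$EUID" -ne 0 ]; then
  echo "$0 must be run as root."
  exit 1
fi
# an existing account is not an error: the script is safe to re-run
if id "$USER_NAME" &> /dev/null; then
  echo "${USER_NAME} user already exists!"
  exit 0
fi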
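#######################################
# Explain what the new account can do and ask the operator to confirm.
# Globals:   USER_NAME (read)
# Arguments: none; reads one line from stdin
# Outputs:   explanation and prompt on stdout
# Returns:   0 when the answer is 'y' or 'yes'; exits 1 otherwise
#######################################
ask_confirmation() {
  printf '\n%s\n' "We will now create a user '${USER_NAME}' with (limited) impersonation privileges."
  printf '%s\n' "This means he will be able to run commands on behalf of other users, in order to give Prey"
  printf '%s\n' "the ability to run actions (ie. alarm, lock) or get bits of information (ie. screenshot)"
  printf '%s\n\n' "regardless of the logged in user."
  printf '%s\n' "The '${USER_NAME}' user will not be able to run commands as root, however."
  printf '%s\n' "Should we continue? (y/n)"
  # -r keeps a stray backslash from being interpreted; EOF leaves answer empty
  local answer
  read -r answer
  case "$answer" in
    y|yes)
      return 0
      ;;
    *)
      echo "Ok maybe some other day."
      exit 1
      ;;
  esac
}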
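#######################################
# Create the service account, with useradd on Linux and dscl on macOS.
# Globals:   USER_NAME, FULL_NAME, SHELL, ADMIN_GROUP, ADMIN_GROUP_ID (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 on success; exits 1 when the account cannot be created
#######################################
create_user() {
  echo "Creating a user called ${USER_NAME}"
  if [ "$(uname)" == "Linux" ]; then
    # -r system account, -M no home directory, -U private group, -G extra group;
    # no password is given, so useradd leaves the account locked.
    # Stop here on failure: the sudoers rule must not be installed for an
    # account that was never created.
    if ! useradd -r -M -U -G "${ADMIN_GROUP}" -s "$SHELL" "$USER_NAME"; then
      echo "Unable to create user ${USER_NAME}, cannot continue."
      exit 1
    fi
  else
    # create user using dscl
    # this user will be inactive and not shown on the login user selection
    # since it will not have a password set.
    # if you wish to remove the user later, run:
    # > sudo dscl . -delete /Users/${USER_NAME}
    local max_id
    max_id=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
    # validate the value we read, not the sum: $(( "" + 1 )) is 1, so a check on
    # the computed id could never fail
    if [[ ! "$max_id" =~ ^[0-9]+$ ]]; then
      echo "Unable to get user id, cannot continue."
      exit 1
    fi
    local user_id=$((max_id + 1))
    if ! dscl . -create "/Users/${USER_NAME}"; then
      echo "Unable to create user ${USER_NAME}, cannot continue."
      exit 1
    fi
    dscl . -create "/Users/${USER_NAME}" UserShell "${SHELL}"
    dscl . -create "/Users/${USER_NAME}" RealName "${FULL_NAME}"
    dscl . -create "/Users/${USER_NAME}" UniqueID "$user_id"
    dscl . -create "/Users/${USER_NAME}" PrimaryGroupID "$ADMIN_GROUP_ID"
    # no authentication authority and a '*' password: the account cannot log in
    dscl . -delete "/Users/${USER_NAME}" AuthenticationAuthority
    dscl . -create "/Users/${USER_NAME}" Password "*"
  fi
}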
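#######################################
# Install the NOPASSWD sudoers rule for the new account under /etc/sudoers.d.
# Globals:   USER_NAME, SUDOERS_FILE, SUDOERS_LINE (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 when the rule was installed, 1 when it already existed;
#            exits 1 when the rule cannot be written or does not parse
#######################################
grant_privileges() {
  if [ -f "$SUDOERS_FILE" ]; then
    echo "${USER_NAME} already seems to have impersonation privileges. Skipping..."
    return 1
  fi
  echo "Giving ${USER_NAME} user passwordless sudo priviledges..."
  if [ ! -d /etc/sudoers.d ]; then
    if ! mkdir /etc/sudoers.d; then
      echo "Unable to create /etc/sudoers.d, cannot continue."
      exit 1
    fi
  fi
  # make sure sudo is including files in /etc/sudoers.d in its configuration
  # (sudo >= 1.9.1 spells the directive '@includedir'; both forms are accepted,
  # so do not append a duplicate when either one is already present)
  grep -q "^[#@]includedir.*/etc/sudoers.d" /etc/sudoers || echo "#includedir /etc/sudoers.d" >> /etc/sudoers
  # Write the rule to a temp file and let visudo check it before it is
  # installed: a fragment with a syntax error makes sudo refuse to run at all,
  # which would lock every sudo user out of the machine.
  local tmp_rule
  if ! tmp_rule=$(mktemp); then
    echo "Unable to create a temporary file, cannot continue."
    exit 1
  fi
  echo "${SUDOERS_LINE}" > "$tmp_rule"
  if command -v visudo > /dev/null 2>&1; then
    if ! visudo -c -f "$tmp_rule" > /dev/null; then
      echo "Generated sudoers rule does not parse, not installing it:"
      echo "  ${SUDOERS_LINE}"
      rm -f -- "$tmp_rule"
      exit 1
    fi
  else
    echo "Warning: visudo not found, installing the sudoers rule unchecked."
  fi
  # sudoers.d fragments must be mode 0440 (the original used umask 226 for this)
  chmod 0440 "$tmp_rule"
  if ! mv -- "$tmp_rule" "$SUDOERS_FILE"; then
    echo "Unable to install ${SUDOERS_FILE}, cannot continue."
    rm -f -- "$tmp_rule"
    exit 1
  fi
}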
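#######################################
# Check that the new account can run whoami as EXISTING_USER through sudo+su.
# Globals:   USER_NAME, EXISTING_USER (read)
# Arguments: none
# Outputs:   result message on stdout
# Returns:   0 when whoami reports EXISTING_USER, 1 otherwise (also when no
#            other account was found to impersonate)
#######################################
test_impersonation() {
  # EXISTING_USER is empty when no other account was found under the users
  # directory; there is then nothing meaningful to test
  if [ -z "$EXISTING_USER" ]; then
    echo "No other user found to impersonate, cannot test impersonation."
    return 1
  fi
  echo "Testing impersonation from ${USER_NAME} to ${EXISTING_USER}..."
  # the output of the following command should be the user name of $EXISTING_USER
  # local output=$(sudo -u ${USER_NAME} sudo -u ${EXISTING_USER} whoami)
  # declare and assign separately: 'local output=$(...)' returns the status of
  # 'local' itself, so the old '$? -eq 0' test was always true
  local output rc
  output=$(sudo su "${USER_NAME}" -c "sudo su ${EXISTING_USER} -c whoami")
  rc=$?
  if [[ $rc -eq 0 && "$output" == "$EXISTING_USER" ]]; then
    echo "It worked!"
    return 0
  fi
  echo "Whoops, didn't work. Try removing the ${USER_NAME} user and running this script again."
  return 1
}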
# ask_confirmation is not called (presumably so the installer can run unattended)
# ask_confirmation
create_user
grant_privileges
# the script's exit status is the outcome of the impersonation test
if test_impersonation; then
  exit 0
else
  exit 1
fi