Logfile Issue #1

Open
FredrikVirding opened this issue May 14, 2019 · 7 comments

@FredrikVirding

Hi,

I have tried this script on a Mac, and it works perfectly fine.

However, in regards to the log file script, it does create the appropriate folder in /private/var/userToRemove, and also the file.

However, the log file, named user, does not display any logs apart from the name of the user account that executed the script.

I tested the default script shown in this GitHub, is there anything I'm missing?

@myoaungchit

myoaungchit commented Mar 20, 2020

> Hi,
>
> I have tried this script on a Mac, and it works perfectly fine.
>
> However, in regards to the log file script, it does create the appropriate folder in /private/var/userToRemove, and also the file.
>
> However, the log file, named user, does not display any logs apart from the name of the user account that executed the script.
>
> I tested the default script shown in this GitHub, is there anything I'm missing?

During my testing, I am having the same issue as mentioned by @FredrikVirding. It was tested on macOS Catalina 10.15.3. There was nothing written in the log file except for the name of the user account.

@TC-matthew-wenger

Same problem for me, empty log file.

@samuel-harvey

Same - log just includes user name (Catalina), policy ran through all steps according to logs. Waited 30 mins, user is still an admin - does the timer stop if you close the lid?
Your help would be greatly appreciated :)

@pirkla

pirkla commented May 4, 2020

So a couple things


The script the daemon runs unloads the daemon before the script finishes. This causes the script to stop when the unload command is run, which means these two lines never run:

	rm /Library/LaunchDaemons/removeAdmin.plist
	log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive

Which are the lines that remove the daemon and generate the logs. This means the next time the computer restarts the daemon will run again (to no real effect since it has no script it can run, so it's just a tiny bit of bloat) and the logs won't be collected.

The fix is to move launchctl unload /Library/LaunchDaemons/removeAdmin.plist to the bottom and change it to launchctl remove removeAdmin since the file doesn't actually exist anymore to use unload. I'll see about making a pull request or fork for this, it would be good to switch these over to bootstrap and bootout as well.


I'm confused by reports that the logs did show but with no information. Were the logs referred to .archives, or was it just a file titled "user"? The file titled user is just stored to allow the script to read what user should be demoted, the actual log will be username.logarchive.


The script will still work even if the user logs out or the lid is closed. This is because it creates a daemon which will launch itself when the computer restarts, and runs in the background not tied to a user. If the script is run with insufficient privileges I could see an issue there and it would explain why some users then see success after the device restarts since that would start the daemon again with root privileges. If you stream logs when the user should get demoted are there any prompts reporting failure, or does a sysdiagnose show any failures to run the script? That might look like this:

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

Also note it's easy to get a false positive from the UI if a user is an admin or not. You'd have to close System Preferences entirely and open it again to be sure you're seeing updated info.
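
The ordering problem described in the comment above can be checked mechanically. This is an added example, not part of the thread or the project's code: the function names are hypothetical and the two sample scripts are constructed from the commands quoted in this issue.

```shell
#!/bin/sh
# Added example: flag commands that come after a LaunchDaemon-run script
# tears down its own job. Line-based check; it does not follow control flow.

# Print "line: command" for every command after the first
# `launchctl unload|remove|bootout`; return 1 if any were found.
commands_after_teardown() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*(fi|done)[ \t]*$/ { next }
        seen { sub(/^[ \t]+/, ""); printf "%d: %s\n", NR, $0; bad = 1; next }
        /launchctl[ \t]+(unload|remove|bootout)/ { seen = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed samples: unload-first ordering versus teardown-last ordering.
write_samples() {
    cat > "$1/before.sh" <<'EOF'
if [[ -f /private/var/userToRemove/user ]]; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive
fi
EOF
    cat > "$1/after.sh" <<'EOF'
if [[ -f /private/var/userToRemove/user ]]; then
    rm /Library/LaunchDaemons/removeAdmin.plist
    log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive
    launchctl remove removeAdmin
fi
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in before.sh after.sh; do
    if out=$(commands_after_teardown "$demo_dir/$f"); then
        echo "$f: teardown is the last command"
    else
        echo "$f: not reached once the job is torn down:"
        echo "$out"
    fi
done
rm -rf "$demo_dir"
```

For `before.sh` it reports the `rm` and `log collect` lines as unreachable; `after.sh` passes.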

@samuel-harvey

@pirkla thank you! amazing reply 👍

@jrouthier

jrouthier commented Jun 10, 2020

@pirkla So far everything with the script is working for me, with the exception of the log. The .logarchive file is created, Finder is showing the log is roughly 80MB, but when I open it, nothing there. I have modified the script as you suggested to have the 'launchctl remove' at the end of the script. The following is what the removeAdmin script looks like that is triggered by the LaunchDaemon:

	cat << 'EOF' > /Library/Application\ Support/JAMF/removeAdminRights.sh
	if [[ -f /private/var/userToRemove/user ]]; then
	    userToRemove=$(cat /private/var/userToRemove/user)
	    today=$(date '+%m-%d-%y_%H-%M')
	    echo "Removing $userToRemove's admin privileges"
	    /usr/sbin/dseditgroup -o edit -d "$userToRemove" -t user admin
	    rm -f /private/var/userToRemove/user
	    rm /Library/LaunchDaemons/removeAdmin.plist
	    # Collect the logs before the job is removed, since removal stops this script
	    log collect --last 5m --output "/private/var/userToRemove/${userToRemove}_${today}.logarchive"
	    # Remove the job last
	    launchctl remove removeAdmin
	fi
	EOF

@hachijyuni

@jrouthier I used the edited part of script you pasted and it fixed my logging issues. (most of our Macs are on 10.15) Much appreciated!
