
Checking for accounts with Remote Management rights

Mac admins often need to know which accounts have Remote Management rights on a given Mac. Crafty users can be inventive about finding ways to grant themselves those rights, so admins need to be just as diligent about finding out who currently has them.

To help with that, I’ve written a script that detects which local accounts have Remote Management rights on a particular Mac. It reads the ARD_AllLocalUsers key in /Library/Preferences/com.apple.RemoteManagement to find out whether access is granted to all local users or only to specific ones; in the latter case the accounts are identified by the naprivs attribute on their records in the local directory node. The script does not check membership in the local ARD groups (com.apple.local.ard_admin and the others mentioned in the comments), so accounts granted access that way are not reported.


#!/bin/sh

# Determines if the Remote Management settings are set
# for "All Users" or for "Only these users:" in System
# Preferences' Sharing preference pane. The key reads 1
# for "All Users" and 0 for "Only these users:". If Remote
# Management has never been configured the key may not
# exist, so the error from defaults is suppressed and
# the variable is left empty (nothing is listed).

ARD_ALL_LOCAL=$(/usr/bin/defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers 2>/dev/null)

# Lists all local user accounts on the Mac with a UID
# of greater or equal to 500 and less than 1024. This
# should exclude all system accounts and network accounts.
#
# List is displayed if the "All Users" setting is
# set in the Remote Management settings.

ALL_ID500_PLUS_LOCAL_USERS=$(/usr/bin/dscl . list /Users UniqueID | awk '$2 >= 500 && $2 < 1024 { print $1; }')

# Lists all local user accounts on the Mac that carry a
# naprivs attribute, i.e. that have been given explicit
# Remote Management rights. List is displayed if the
# "Only these users:" setting is set in the Remote
# Management settings.

REMOTE_MANAGEMENT_ENABLED_USERS=$(/usr/bin/dscl . list /Users naprivs | awk '{print $1}')

if [ "$ARD_ALL_LOCAL" = "1" ]; then
        result=$ALL_ID500_PLUS_LOCAL_USERS
elif [ "$ARD_ALL_LOCAL" = "0" ]; then
        result=$REMOTE_MANAGEMENT_ENABLED_USERS
fi

# Displays list of accounts that have
# been given Remote Management rights.
# $result is left unquoted on purpose so that the
# accounts print on a single space-separated line.

echo $result

I’ve posted the script here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_for_remote_management_accounts

I’ve also modified it for use as a Casper Extension Attribute. I’ve posted it here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_for_remote_management_accounts

  1. Patrick Fergus
    March 9, 2013 at 6:20 pm | #1

    Two thoughts:

    - Has anyone divined how to go from the naprivs mask number back to specific rights?

    - Could the script be extended to check (network and local) users’ membership in the local ARD groups (com.apple.local.ard_admin, com.apple.local.ard_interact, com.apple.local.ard_manage, com.apple.local.ard_reports)?

  2. Patrick Fergus
    March 9, 2013 at 7:47 pm | #2

    Here’s what I’ve determined so far–hopefully this is clear (I’m skipping all the discussion of binary numbers).

    naprivs starts with -2^31 and adds the following integers:

    Show When Being Observed, 1073741824
    Observe, 258
    Restart or Shut Down, 128
    Change Settings, 64
    Open and Quit Applications, 32
    Generate Reports, 16
    Delete or Replace Items, 8
    Copy Items, 4
    (Observe +) Control, 2
    Start Text Chat or Send Messages, 1

    The bizarre one is that Control is 2, while Observe is 258 (256+2).

  3. Patrick Fergus
    March 9, 2013 at 9:59 pm | #3

    #!/bin/bash

    #User we're testing against
    theUser=testuser

    #Decimal value of no ARD privileges
    noPrivs=-2147483648

    #Extract out decimal naprivs value
    naprivs=`/usr/bin/dscl . read /Users/$theUser naprivs | awk '{print $2}'`

    #Figure out the decimal representation of the user rights
    userRightsDecimal=`expr $naprivs - $noPrivs`

    #Convert the decimal rights to binary
    userRightsBinary=`echo "obase=2;$userRightsDecimal" | bc`

    #Pad out the userRightsBinary so it can be properly processed by awk's substr
    while [ ${#userRightsBinary} -lt 31 ]; do
        userRightsBinary=0${userRightsBinary}
    done

    echo Apple Remote Desktop rights for $theUser

    #Each comment below indicates the position of the right in userRightsBinary
    #Values are being checked whether they equal 1 unless otherwise noted

    #Observe=1
    if [ `echo $userRightsBinary | awk '{print substr($0,length-1,1)}'` = 1 ] ; then
        echo "Observe"

        #The following two rights are only applicable if Observe is enabled
        #Control=8, note that in this case the tested digit needs to equal 0
        if [ `echo $userRightsBinary | awk '{print substr($0,length-8,1)}'` = 0 ]; then
            echo " Control"
        fi

        #Show When Being Observed=30
        if [ `echo $userRightsBinary | awk '{print substr($0,length-30,1)}'` = 1 ]; then
            echo " Show When Being Observed"
        fi
    fi

    #Generate Reports=4
    if [ `echo $userRightsBinary | awk '{print substr($0,length-4,1)}'` = 1 ]; then
        echo "Generate Reports"
    fi

    #Open and Quit Applications=5
    if [ `echo $userRightsBinary | awk '{print substr($0,length-5,1)}'` = 1 ]; then
        echo "Open and Quit Applications"
    fi

    #Change Settings=6
    if [ `echo $userRightsBinary | awk '{print substr($0,length-6,1)}'` = 1 ]; then
        echo "Change Settings"
    fi

    #Delete or Replace Items=3
    if [ `echo $userRightsBinary | awk '{print substr($0,length-3,1)}'` = 1 ]; then
        echo "Delete or Replace Items"
    fi

    #Start Text Chat or Send Messages=0
    if [ `echo $userRightsBinary | awk '{print substr($0,length-0,1)}'` = 1 ]; then
        echo "Start Text Chat or Send Messages"
    fi

    #Restart or Shut Down=7
    if [ `echo $userRightsBinary | awk '{print substr($0,length-7,1)}'` = 1 ]; then
        echo "Restart or Shut Down"
    fi

    #Copy Items=2
    if [ `echo $userRightsBinary | awk '{print substr($0,length-2,1)}'` = 1 ]; then
        echo "Copy Items"
    fi
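Added example, not part of the original post and not Patrick's script above: the naprivs bit layout worked out in the comments (bit 31 always set, bit 30 for Show When Being Observed, bits 0 through 7 for the individual rights, bit 8 set when Observe is granted without Control) decoded with the shell's own integer arithmetic instead of bc plus string slicing, so negative values and zero-padding stop being a concern. The same decoder is then applied to the "dscl . list /Users naprivs" output that the post's script uses, so an account whose mask carries only the sign bit is reported as having no rights instead of being listed as privileged. The function names, the sample masks and the account names are mine and constructed for illustration; only the dscl wrapper needs a Mac, everything else runs in any POSIX shell.

```sh
#!/bin/sh
# Decode Apple Remote Desktop "naprivs" masks into the rights they grant.
# Bit layout (from the comments above): bit 31 is always set, bit 30 is
# "Show When Being Observed", bits 0-7 are the individual rights, and bit 8
# is the "observe only" flag, set when Observe is granted without Control.

# Decode one naprivs integer. Prints a comma-separated list of rights, in the
# order the Sharing pane shows them, or "none" if no rights bit is set.
ard_decode_naprivs() {
    # Mask off the sign bit: every account with a naprivs attribute has it
    # set, so it says nothing about rights. 2147483647 is 0x7FFFFFFF.
    rights=$(( $1 & 2147483647 ))
    out=""
    _add() { out="${out:+$out, }$1"; }

    if [ $(( rights & 2 )) -ne 0 ]; then
        _add "Observe"
        # Bit 8 (256) set means observe only; Control needs it clear.
        [ $(( rights & 256 )) -eq 0 ] && _add "Control"
        [ $(( rights & 1073741824 )) -ne 0 ] && _add "Show When Being Observed"
    fi
    [ $(( rights & 16 )) -ne 0 ]  && _add "Generate Reports"
    [ $(( rights & 32 )) -ne 0 ]  && _add "Open and Quit Applications"
    [ $(( rights & 64 )) -ne 0 ]  && _add "Change Settings"
    [ $(( rights & 8 )) -ne 0 ]   && _add "Delete or Replace Items"
    [ $(( rights & 1 )) -ne 0 ]   && _add "Start Text Chat or Send Messages"
    [ $(( rights & 128 )) -ne 0 ] && _add "Restart or Shut Down"
    [ $(( rights & 4 )) -ne 0 ]   && _add "Copy Items"
    printf '%s\n' "${out:-none}"
}

# Read "account<whitespace>naprivs" lines, the format that
# "dscl . -list /Users naprivs" prints, from stdin and emit one
# "account: rights" line per account.
ard_report_naprivs_list() {
    while read -r account value; do
        [ -n "$account" ] && [ -n "$value" ] || continue
        printf '%s: %s\n' "$account" "$(ard_decode_naprivs "$value")"
    done
}

# macOS only: list every local account carrying a naprivs attribute and
# decode it. This is the only function that needs dscl.
ard_report_local_accounts() {
    /usr/bin/dscl . -list /Users naprivs | ard_report_naprivs_list
}

# Constructed sample listing (not captured from a real Mac):
#   -1073741569  sign bit + bit 30 + 0xFF  -> every right, including Control
#   -2147483390  sign bit + 258            -> Observe only (bit 8 set)
#   -2147483648  sign bit only             -> none
printf 'admin  -1073741569\nhelpdesk  -2147483390\nintern  -2147483648\n' \
    | ard_report_naprivs_list
```

Run as-is it decodes the three constructed accounts; on a Mac, calling ard_report_local_accounts feeds the live dscl listing through the same decoder. Because the listing step and the decoding step are separate functions, the decoder can be exercised against saved dscl output from another machine, which is handy when checking an inventory export rather than a live system.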
