Use membership of "admin" group, rather than writing to /tmp

[graham-m-dunn]

Writing to known locations in your filesystem can be a security problem

[tbridge]

Hi Graham,

Thanks for the PR!

Can you walk me through what the new isadmin function does? I just want to make sure I understand it before I merge it in.

[graham-m-dunn]

So, if I understand what you're trying to do by writing the output of whoami to a file, which is that if you're an admin user (IE, in the admin group), the output is root. The id command outputs a numeric list of the groups the current user belongs to, and we look for 80, which is the groupid for admin. Though now that I write this, I realize that id command is "recent", so reject this PR, I need to make it work with older versions of OS X 😒 Thanks, Graham

…

On Thu, Feb 23, 2017, 6:49 PM Tom Bridge ***@***.***> wrote: Hi Graham, Thanks for the PR! Can you walk me through what the new isadmin function does? I just want to make sure I understand it before I merge it in. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#22 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJF3ynSErRTnTAVbQmy2oI7BjnEs1VNdks5rfhslgaJpZM4MKpmg> .

[graham-m-dunn]

Test code for isadmin()

#!/bin/bash

LOGGER=$(which echo)

isadmin() {
    if [[ -e /usr/bin/id ]]; then
        echo "using id"
        id -G $1 | grep -q -w 80 ;
    else
        echo "using groups"
        groups $1 | grep -q -w admin ;
    fi
}

if isadmin $(whoami) ; then
         ${LOGGER} "Privilege Escalation Allowed, Please Continue."
else
         ${LOGGER} "Privilege Escalation Denied, User Cannot Sudo."
         exit 6
fi

echo "you're root"