Tiny Deathstars of Foulness

macOS 10.13 brings changes to sysadminctl. You know those dscl scripts we used to use to create users? No longer supposed to be necessary (luckily they do still work). Now you can create a user with a one-liner, and do other forms of user management, such as enabling FileVault for a given user, or managing the guest accounts. However, you can’t do these tasks as root or via sudo. You have to do so with other admin accounts per Apple kbase HT208171 (in fact, this article has been in my queue waiting for that issue to be fixed – but keep in mind I’m not prefacing these with sudo in the below commands). In the below command, we’ll pass the -addUser option and then use -fullName to fill in the displayed name of the user, -password to send a password to the account and -hint so we can get a password hint into that attribute:

sysadminctl -addUser krypted2 -fullName "Charles Edge" -password testinguser -hint hi

The result would be as follows:

No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
Creating user record…
Assigning UID: 503
Creating home directory at /Users/krypted2

Notice that in the above, the system automatically selected a home directory and UID. We could have passed those as well, using Now let’s use dscl to view the user we just created:

dscl . -read /Users/krypted2

Here’s a snippet of the dscl output:

NFSHomeDirectory: /Users/krypted2
Password: ********
Picture: /Library/User Pictures/Fun/Ying-Yang.png
PrimaryGroupID: 20
RealName: Charles Edge
RecordName: krypted2
RecordType: dsRecTypeStandard:Users
UniqueID: 503
UserShell: /bin/bash

Notice that the above is not the whole record you’d typically find with dscl. But if it were, you would not have the AuthenticationAuthority attribute. To see if it can unlock FileVault we can use the -secureTokenStatus operator built into sysadminctl. Simply pass the RecordName and you’ll get an indication if it’s on or off:

sysadminctl -secureTokenStatus krypted2

The response should be as follows:

Secure token is ENABLED for user Charles Edge

To just get the ENABLED response we’ll just use awk to grab that position (also note that we have to redirect stderr to stdout):

sysadminctl -secureTokenStatus charles.edge 2>&1 | awk '{print$7}'

We could append the AuthenticationAuthority attribute with dscl, as we would need a SecureToken. To get a SecureToken, we’ll use the -secureTokenOn verb:

sysadminctl -secureTokenOn krypted mysupersecretpassword

To disable, we’ll use -secureTokenOff

sysadminctl -secureTokenOff krypted mysupersecretpassword

Given that we like to rotate management passwords, we can do so using-resetPasswordFor which takes a username and a password as -newPassword and -passwordHint respectively:

sysadminctl -resetPasswordFor krypted -newPassword newsupersecretpassword -passwordHint "That was then this is now"

Note: In the above, we quoted the hint, which is supplied using the -passwordHint option. If it was one word we wouldn’t have needed to do so. 

Next, let’s check guest access. You can have guest enabled for logging in, afp, or smb. To check if guest is enabled for one of these use the -guestAccount, -afpGuestAccess, or -smbGuestAccess options. Each has an on, off, and status verb that can be used to manage that account type. So for example, if you wanted to check the status of the guest account, you could use -guestAccount as follows (also note that we have to redirect stderr to stdout):

sysadminctl -guestAccount status 2>&1 | awk '{print$5}'

To then disable if it isn’t already disabled:

sysadminctl -guestAccount Off

You can also use sysadminctl to do a quick check of the encryption state of the boot volume using the -filesystem option (although there’s no on and off verb for this option just yet):

bash-3.2# sysadminctl -filesystem status

2017-12-07 10:37:26.401 sysadminctl[8534:466661] Boot volume CS FDE: NO

2017-12-07 10:37:26.434 sysadminctl[8534:466661] Boot volume APFS FDE: YES

The help page is as follows:

Usage: sysadminctl [[interactive] || [-adminUser -adminPassword ]] -deleteUser [-secure || -keepHome] -newPassword -oldPassword [-passwordHint ] -resetPasswordFor -newPassword [-passwordHint ] -addUser [-fullName ] [-UID ] [-shell ] [-password ] [-hint ] [-home ] [-admin] [-picture ] -secureTokenStatus -secureTokenOn -password -secureTokenOff -password -guestAccount -afpGuestAccess -smbGuestAccess -automaticTime -filesystem status Pass '-' instead of password in commands above to request prompt.

Why should you switch to sysadminctl for scripts? Entitlements and I’m sure this is how mdmclient will pass management commands in the future… Why should you not? You can’t run most of it as root…

December 7th, 2017

Posted In: Mac OS X, Mac Security, Mass Deployment

Tags: , , ,

Leave a Comment