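#!/bin/sh
#
# BEWARE: This script is dangerous and rather untested. It is
# provided to provoke thought.
#
# What it does: drops a user from the groups that grant sudo on their own
# (admin, root, sudo, wheel) and instead installs a sudoers.d fragment that
# root's crontab switches on and off once a week by toggling a leading '#'.
# The fragment is written commented out (inactive); the 11:00 job removes
# the '#' (gain) and the 12:00 job puts it back (lose), so the cron actions
# match the labels written next to them.
#
# Usage: USER=user-to-lose-sudo-powers-here ./abmindicate [-n]
#   -n   dry run: print the crontab/usermod commands instead of running
#        them and write the sudoers fragment under ${TMPDIR:-/tmp}.
#
# Needs: sudo, /usr/bin/perl (used by the cron jobs), /etc/sudoers.d,
# /usr/sbin/usermod, mktemp.

set -u

NAME=${USER-}
usage="Usage: USER=user-to-lose-sudo-powers-here $0 [-n]"
dry_run=false
run=
crontab=
dest=
wrote_fragment=false
finished=false

# error MESSAGE... : print each argument on its own line to stderr, exit 1.
# printf rather than 'echo -e': under /bin/sh 'echo -e' is not portable
# (dash prints the "-e").
error() {
  printf '%s\n' "$@" >&2
  exit 1
}

# fail WORDS... : report "WORDS failed" and exit 1.
fail() {
  error "$* failed"
}

# cleanup: EXIT trap. Removes the scratch crontab copy and, if we stopped
# half way, the sudoers fragment we wrote, so a failed run leaves nothing
# behind. A dry run keeps both files for inspection.
cleanup() {
  if ! $dry_run; then
    [ -n "$crontab" ] && rm -f -- "$crontab"
    if $wrote_fragment && ! $finished && [ -n "$dest" ]; then
      sudo rm -f -- "$dest"
    fi
  fi
}

case ${1-} in
  -n) dry_run=true; run=echo ;;
  '') ;;
  *) error "unknown argument: $1" "$usage" ;;
esac

[ -n "$NAME" ] || error "$usage"
[ "$NAME" != root ] || error "root can not lose sudo powers" "$usage"
# NAME ends up in file names and in root's crontab command lines, so only
# accept characters that need no quoting anywhere (and no leading '-').
case $NAME in
  -*|*[!A-Za-z0-9._-]*)
    error "$NAME contains characters this script will not handle" "$usage" ;;
esac
id "$NAME" >/dev/null || error "$NAME is not a user" "$usage"
[ -d /etc/sudoers.d ] || error "/etc/sudoers.d does not exist"
[ -x /usr/bin/perl ] || error "/usr/bin/perl not found (the cron jobs need it)"

sudo true || fail sudo true

mark="abmindicate $NAME"
umask 0077
trap cleanup EXIT

# Scratch copy of root's crontab. mktemp, not a predictable name: a
# symlink pre-placed at a fixed /tmp name would redirect our writes.
crontab=$(mktemp "${TMPDIR:-/tmp}/abmindicate.root_crontab.XXXXXX") \
  || fail mktemp

if $dry_run; then
  dest=$(mktemp "${TMPDIR:-/tmp}/abmindicate.sudo.XXXXXX") || fail mktemp
else
  # sudo skips files in sudoers.d whose names contain a '.', so a dot in
  # the user name must not reach the file name.
  dest=/etc/sudoers.d/abmindicate-$(printf '%s' "$NAME" | tr . _)
  [ ! -e "$dest" ] || error "$dest already exists"
fi

# Write the fragment commented out (inactive until the first 11:00 job).
# User name and path go in as arguments; nothing is spliced into the root
# shell's command string.
printf '#%s ALL=(ALL) ALL\n' "$NAME" \
  | sudo sh -c 'umask 0277; cat >"$1"' sh "$dest" || fail sudo sh
wrote_fragment=true

# Start from root's existing crontab minus any earlier entries of ours.
# 'crontab -l' exits non-zero when root simply has no crontab yet; only
# that case may be treated as empty. Any other failure must stop us here,
# otherwise root's crontab would be replaced by a partial copy.
if ! existing=$(sudo crontab -l 2>/dev/null); then
  if sudo crontab -l 2>&1 | grep -q 'no crontab for'; then
    existing=
  else
    fail sudo crontab -l
  fi
fi
if [ -n "$existing" ]; then
  # grep -v exits 1 when every line was ours; that is not an error.
  printf '%s\n' "$existing" | grep -v -e "# $mark\$" >"$crontab" || :
fi

# Crontab entries start with 5 space-delimited fields that describe
# the date and time to run a task. In brief, they are
#
# MINUTE HOUR MONTH_DAY MONTH WEEK_DAY
#
# Examples:
#
# 00 11 * * Sat /usr/bin/echo It is 11:00am on Saturday!
# 00 12 * * Sat /usr/bin/echo It is 12:00pm on Saturday!
# 15 10 1 * * /usr/bin/echo It is 10:15am on the first of the month!
# 30 20 1 3 * /usr/bin/echo It is 20:30 (8:30pm) on March 1st (3/1)!
#
# Full details of the format are at https://linux.die.net/man/5/crontab .
#
# The trailing "# $mark" is not a crontab comment (cron passes it to sh,
# where it is one); it is what the grep -v above keys on.
#
# EDIT THE SCHEDULE BELOW
{
  printf '%s\n' "# gain sudo powers on Saturdays at 11:00 # $mark"
  printf '%s\n' "00 11 * * Sat /usr/bin/perl -i -pe 's/^#+//' $dest # $mark"
  printf '%s\n' "# lose sudo powers on Saturdays at 12:00 # $mark"
  printf '%s\n' "00 12 * * Sat /usr/bin/perl -i -pe 's/^/#/' $dest # $mark"
} >>"$crontab"

if $dry_run; then
  grep . "$dest" "$crontab"
fi
$run sudo crontab "$crontab" || fail sudo crontab

# Drop the user from the groups that grant sudo by themselves. 'id -Gn'
# prints only group names; 'groups NAME' differs between implementations
# (GNU prefixes "NAME :", which would have ended up in the usermod list).
groups_kept=
can_sudo_by_group=false
# shellcheck disable=SC2046 — word splitting of the group list is intended
for group in $(id -Gn "$NAME"); do
  case $group in
    admin|root|sudo|wheel) can_sudo_by_group=true ;;
    *) groups_kept="$groups_kept,$group" ;;
  esac
done
if $can_sudo_by_group; then
  $run sudo /usr/sbin/usermod -G "${groups_kept#,}" "$NAME" || fail usermod
fi

finished=true
printf '%s\n' "** SUCCESS **"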