зеркало из https://github.com/mozilla/dinobuildr.git
155 строки
5.9 KiB
Bash
155 строки
5.9 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
||
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||
|
|
||
|
# Determine logged in user through the "usual apple way"
|
||
|
|
||
|
loggedInUser=$(python -c '
|
||
|
from SystemConfiguration import SCDynamicStoreCopyConsoleUser;
|
||
|
import sys;
|
||
|
username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0];
|
||
|
username = [username,""][username in [u"loginwindow", None, u""]];
|
||
|
sys.stdout.write(username + "\n");')
|
||
|
|
||
|
# Enable FileVault 2 using the defer option, this will attempt to turn on
|
||
|
# FileVault 2 at the next login/logout and prompt the user for the account
|
||
|
# password that executed this command, then drops the recovery key in a plist
|
||
|
# owned by roo at the location we specify.
|
||
|
#
|
||
|
# We use this method because all other methods of programmatically enabling FV2
|
||
|
# require the user password to be passed to fdesetup and we don't want to
|
||
|
# encourage people to type their account passwords into random dialog boxes.
|
||
|
|
||
|
fdesetup enable -defer /Users/"${loggedInUser}"/Library/fvkey.plist
|
||
|
|
||
|
# Generate a LaunchDaemon via heredoc that will execute the chownfvkey.sh that
|
||
|
# we will write later in this script.
|
||
|
|
||
|
cat > /Library/LaunchDaemons/com.mozilla-it.chownfvkey.plist<<-"EOF"
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||
|
<plist version="1.0">
|
||
|
<dict>
|
||
|
<key>Label</key>
|
||
|
<string>com.mozilla-it.chownfvkey</string>
|
||
|
<key>ProgramArguments</key>
|
||
|
<array>
|
||
|
<string>/bin/bash</string>
|
||
|
<string>/usr/local/bin/chownfvkey.sh</string>
|
||
|
</array>
|
||
|
<key>RunAtLoad</key>
|
||
|
<true/>
|
||
|
</dict>
|
||
|
</plist>
|
||
|
EOF
|
||
|
|
||
|
# Create /usr/local/bin if it doesn't exist so we can throw scripts in it.
|
||
|
|
||
|
if [ ! -d /usr/local/bin ]; then
|
||
|
mkdir /usr/local/bin
|
||
|
chown "$loggedInUser" /usr/local/bin
|
||
|
fi
|
||
|
|
||
|
# Generate a script that will take ownership of a file called fvkey.plist. This
|
||
|
# file is normally owned by root, and is an artifact of the FileVault 2 deffered
|
||
|
# enrollment procedure, which we use because we don't want to capture account
|
||
|
# passwords via any "non official" method (even though the way Apple does it
|
||
|
# looks a little sketchy to me still, personally).
|
||
|
|
||
|
# First we wait until the fvkey.plist file exists, which it should already.
|
||
|
# Then we take ownership of the file as the user and clean up the script
|
||
|
# artifacts and the LaunchDaemon.
|
||
|
|
||
|
cat > /usr/local/bin/chownfvkey.sh <<-EOF
|
||
|
#!/bin/bash
|
||
|
|
||
|
while [ ! -f /Users/"${loggedInUser}"/Library/fvkey.plist ]; do
|
||
|
sleep 2
|
||
|
done
|
||
|
|
||
|
chown "$loggedInUser" /Users/"${loggedInUser}"/Library/fvkey.plist
|
||
|
|
||
|
rm /usr/local/bin/chownfvkey.sh
|
||
|
rm /Library/LaunchDaemons/com.mozilla-it.chownfvkey.plist
|
||
|
launchctl remove com.mozilla-it.chownfvkey
|
||
|
EOF
|
||
|
|
||
|
# If the user's LaunchAgents directory doesn't exist, create it so we can drop a
|
||
|
# LaunchAgent.
|
||
|
|
||
|
if [ ! -d /Users/"${loggedInUser}"/Library/LaunchAgents ]; then
|
||
|
mkdir /Users/"${loggedInUser}"/Library/LaunchAgents
|
||
|
chown "$loggedInUser" /Users/"${loggedInUser}"/Library/LaunchAgents
|
||
|
fi
|
||
|
|
||
|
# Generate a LaunchAgent via heredoc that will execute the fv-keyprompt.sh
|
||
|
# script that we will write later on in this script.
|
||
|
|
||
|
cat > /Users/"${loggedInUser}"/Library/LaunchAgents/com.mozilla-it.fv-keyprompt.plist <<-"EOF"
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||
|
<plist version="1.0">
|
||
|
<dict>
|
||
|
<key>Label</key>
|
||
|
<string>com.mozilla-it.fv-keyprompt</string>
|
||
|
<key>ProgramArguments</key>
|
||
|
<array>
|
||
|
<string>/bin/bash</string>
|
||
|
<string>/usr/local/bin/fv-keyprompt.sh</string>
|
||
|
</array>
|
||
|
<key>RunAtLoad</key>
|
||
|
<true/>
|
||
|
</dict>
|
||
|
</plist>
|
||
|
EOF
|
||
|
|
||
|
# Generate the FileVault 2 prompt script via a heredoc that the LaunchAgent will
|
||
|
# fire off.
|
||
|
|
||
|
# First, determine the logged in user through the usual "apple way"
|
||
|
# Then, wait until we can act on the fvkey.plist file. The file is normally
|
||
|
# owned by root, but a LaunchDaemon we create will fix that.
|
||
|
# Use PlistBuddy to read the recovery key to the file, then pass that key to a
|
||
|
# simple Applescript prompt via yet another heredoc.
|
||
|
# When finished, clean up the script artifacts, the key file and the LaunchAgent
|
||
|
|
||
|
# Note: I'm not good enough at bash to know the best way to just pass the user
|
||
|
# in to this heredoc from the main script, because we're using a command
|
||
|
# subsitution and if I don't specify a literal interpretation of the heredoc,
|
||
|
# the script attempts to run the command substitution. This is something that
|
||
|
# should probably be fixed later by either avo iding the subsitution or learning
|
||
|
# more about heredocs.
|
||
|
|
||
|
cat > /usr/local/bin/fv-keyprompt.sh <<-"EOF"
|
||
|
#!/bin/bash
|
||
|
|
||
|
export loggedInUser=`python -c '
|
||
|
from SystemConfiguration import SCDynamicStoreCopyConsoleUser;
|
||
|
import sys;
|
||
|
username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0];
|
||
|
username = [username,""][username in [u"loginwindow", None, u""]];
|
||
|
sys.stdout.write(username + "\n");'`
|
||
|
|
||
|
while [ ! -O /Users/${loggedInUser}/Library/fvkey.plist ]; do
|
||
|
sleep 2
|
||
|
done
|
||
|
|
||
|
recovery_key=$(/usr/libexec/PlistBuddy -c "Print :RecoveryKey" /Users/"${loggedInUser}"/Library/fvkey.plist)
|
||
|
osascript <<-EOF2
|
||
|
display dialog "FileVault has been activated on this machine.\n\nYour FileVault recovery key is:\n\n${recovery_key}\n\nPlease escrow this key in WDE by browsing to:\nhttps://wde.mozilla.org/" buttons {"Continue"} default button 1 with title "FileVault Recovery Key"
|
||
|
return
|
||
|
EOF2
|
||
|
|
||
|
rm /Users/${loggedInUser}/Library/fvkey.plist
|
||
|
rm /usr/local/bin/fv-keyprompt.sh
|
||
|
rm /Users/${loggedInUser}/Library/LaunchAgents/com.mozilla-it.fv-keyprompt.plist
|
||
|
launchctl remove com.mozilla-it.fv-keyprompt
|
||
|
EOF
|
||
|
|
||
|
# Make the scripts we drop with the above heredocs executable for good measure.
|
||
|
|
||
|
chmod +x /usr/local/bin/fv-keyprompt.sh
|
||
|
chmod +x /usr/local/bin/chownfvkey.sh
|