adding users to sudoers remotely

catfeetstop
Contributor II

Hi all,

We're being asked to remove local admin rights from our users but some users will still require sudo access. How can I remotely add a user to sudoers? I've tried running this command with a policy/casper remote/ARD but it's not working:

```
echo 'username ALL=(ALL:ALL) ALL' >> /etc/sudoers
```

The command executes successfully but when I check the sudoers file nothing has changed.


mm2270
Legendary Contributor III

The sudoers file is only supposed to be modified with visudo, which is designed specifically for modifying it and retaining all the correct permissions and formatting, etc. I'm not sure there's any valid way to edit it with a script. I never touch ours since it's not necessary for us. But maybe someone here has figured out a way to modify it in some automated fashion.

jescala
Contributor II

I was just able to do the following on a 10.10.1 Mac and it worked without a problem:

```
echo "my_username     ALL=(ALL) ALL" >> /etc/sudoers
```

Some caveats: You need to run that command as root and there needs to be a tab between "my_username" and the first "ALL." You should probably test it with visudo first to make sure your syntax is correct.

ooshnoo
Valued Contributor

We use this command:

```
dscl . -append /Groups/admin GroupMembership username
```

jcompton
Contributor

I've had better luck using "dseditgroup" in use cases like this.

Charles Edge has a nice write up here - http://krypted.com/mac-security/more-group-management-with-dseditgroup/

catfeetstop
Contributor II

Thanks for all the replies everyone. I was trying to add them to sudoers, not admin group. I think I'll just ssh into their boxes and manually do visudo, it shouldn't be too many people. Thanks again!

tlarkin
Honored Contributor

Hey Everyone,

Just wanted to chime in here. @mm2270 brings up a great point about /etc/sudoers, and that technically it should be edited by visudo. The dscl command to append group membership will work, but it has caveats. When you append, you simply add data to something. There are no logic checks to check for duplicate records, or if you mistyped a name, or if that user record even exists. The dseditgroup binary does those logic checks; it is the safer way to edit group membership locally on an OS X box.

By default in the /etc/sudoers in OS X, all users in the admin group already have sudo access, via this line in the config file:

```
%admin  ALL=(ALL) ALL
```

If you want to script this you should probably create a backup of the /etc/sudoers file, modify it and then use visudo to verify the syntax and contents. You can check by doing this:

```
$ sudo visudo -c
/etc/sudoers: parsed OK
```

Since we are testing a backup we need to point it to the right file:

```
$ sudo visudo -c -f /etc/sudoers.bak
/etc/sudoers.bak: parsed OK
```

I simply created a new file called sudoers.bak and then made sure it was okay. We can test for the exit code or status returned from the output. There are probably tons of ways to even make this a decent scripting solution. However, I would not recommend editing the actual file. Edit a copy of it, make sure it works, then swap them.
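
The copy-validate-swap procedure described in this reply, written out as a script. This is an added example, not code from the thread or from any poster: it stages a copy of the sudoers file, appends a `user<TAB>ALL=(ALL) ALL` rule only if no rule for that user exists yet (the duplicate check that `dscl -append` lacks), rejects user names that are not plain account names, runs `visudo -c -f` on the copy, and installs it with the 0440 root:wheel mode sudo requires. The function names, the `/etc/sudoers.tmp` staging path and the timestamped backup name are assumptions of this example; it assumes a macOS/BSD `sudo` with `visudo` available and must be run as root for the real install.

```shell
#!/bin/sh
# Added example (not from the thread): stage a copy of /etc/sudoers, append a
# rule, validate the copy with `visudo -c -f`, and only then swap it in.
set -u

# add_sudoers_rule SRC DST USERNAME
# Copies SRC to DST and appends "USERNAME<TAB>ALL=(ALL) ALL" unless a rule for
# that user is already present. Returns 0 on success, 1 on bad input/copy error.
add_sudoers_rule() {
    src="$1"; dst="$2"; user="$3"
    # Only accept plain account names: no spaces, quotes or shell metacharacters.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing bad user name: '$user'" >&2; return 1 ;;
    esac
    cp "$src" "$dst" || return 1
    # Idempotent: a second run for the same user does not add a duplicate line.
    if grep -Eq "^${user}[[:space:]]+ALL=" "$dst"; then
        return 0
    fi
    printf '%s\tALL=(ALL) ALL\n' "$user" >> "$dst"
}

# validate_sudoers FILE: `visudo -c -f` exits non-zero on a syntax error.
# If visudo is missing we fail closed rather than install an unchecked file.
validate_sudoers() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -f "$1"
}

# install_sudoers CANDIDATE [TARGET]: validate the candidate, keep a timestamped
# backup of the live file, then move the candidate into place with the mode
# sudo requires on macOS (0440, root:wheel). mv on the same filesystem is atomic,
# so sudo never sees a half-written file.
install_sudoers() {
    cand="$1"; target="${2:-/etc/sudoers}"
    validate_sudoers "$cand" || return $?
    cp -p "$target" "${target}.bak.$(date +%Y%m%d%H%M%S)" || return 1
    chown root:wheel "$cand" && chmod 0440 "$cand" && mv "$cand" "$target"
}

# Usage (as root, e.g. from a policy):
#   add_sudoers_rule /etc/sudoers /etc/sudoers.tmp jdoe && install_sudoers /etc/sudoers.tmp
```

Because `install_sudoers` returns `visudo`'s exit status, a policy script can check `$?` and refuse to swap the file in whenever the parse fails, which is the check this reply recommends doing against the backup copy.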

ElliottSeven
New Contributor II

Can anyone give me an example of a situation where a user would need to be a sudoer and not an admin? Just curious?

catfeetstop
Contributor II

Thanks @tlarkin! @ElliottSeven, it's definitely a strange request. I'm mostly doing it because management told me to. I think that's how we have it set up for our Linux users too. I guess it'll give them less power through the GUI so it's harder to muck stuff up that way? I'm not totally sure. Ha!