+9Hi all,
We're being asked to remove local admin rights from our users but some users will still require sudo access. How can I remotely add a user to sudoers? I've tried running this command with a policy/casper remote/ARD but it's not working:
echo 'username ALL=(ALL:ALL) ALL' >> /etc/sudoersThe command executes successfully but when I check the sudoers file nothing has changed.
Best answer by catfeetstop
Thanks for all the replies everyone. I was trying to add them to sudoers, not admin group. I think I'll just ssh into their boxes and manually do visudo, it shouldn't be too many people. Thanks again!
+16The sudoers file is only supposed to be modified with visudo, which is designed specifically for modifying it and retain all the correct permissions and formatting, etc. I'm not sure there's any valid way to edit it with a script. I never touch ours since its not necessary for us. But maybe someone here has figured out a way to modify it in some automated fashion.
+12I was just able to do the following on a 10.10.1 Mac and it worked without a problem:
echo "my_username ALL=(ALL) ALL" >> /etc/sudoersSome caveats: You need to run that command as root and there needs to be a tab between "my_username" and the first "ALL." You should probably test it with visudo first to make sure your syntax is correct.
+10I've had better luck using "dseditgroup" in use cases like this.
Charles Edge has a nice write up here - http://krypted.com/mac-security/more-group-management-with-dseditgroup/
+9Thanks for all the replies everyone. I was trying to add them to sudoers, not admin group. I think I'll just ssh into their boxes and manually do visudo, it shouldn't be too many people. Thanks again!
+31Hey Everyone,
Just wanted to chime in here. @mm2270 brings up a great point about /etc/sudoers, and that technically it should be edited by visudo. The dscl command to append group membership will work, but it has caveats. When you append, you simply add data to something. There are no logic checks to check for duplicate records, or if you mistyped a name, or if that user record even exists. The dseditgroup binary does those logic checks, it is the safer way to edit group membership locally on a OS X box.
By default in the /etc/sudoers in OS X, all users in the admin group already have sudo access, via this line in the config file:
%admin ALL=(ALL) ALLIf you want to script this you should probably create a back up of the /etc/sudoers file, modify it and then use visudo to verify the syntax and contents. You can check by doing this:
$ sudo visudo -c
/etc/sudoers: parsed OKSince we are testing a back up we need to point it to the right file:
$ sudo visudo -c -f /etc/sudoers.bak
/etc/sudoers.bak: parsed OKI simply created a new file called sudoers.bak and then made sure it was okay. We can test for the exit code or status returned from output. There are probably tons of ways to even make this a decent scripting solution. However, I would not recommend editing the actual file. Edit a copy of it, make sure it works, then swap them.
+4Can anyone give me an example of a situation where a user would need to be a sudoer and not an admin? Just curious?
+9Thanks @tlarkin! @ElliottSeven, it's definitely a strange request. I'm mostly doing it because management told me to. I think that's how we have it setup for our Linux users too. I guess it'll give them less power through the GUI so it's harder to muck stuff up that way? I'm not totally sure. Ha!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
