Posted on 03-15-2016 10:51 AM
None of our users are admins of their computers; however, some do have legitimate needs to run some terminal commands like tcpdump and a few others that can only be run as root. Is there a way to allow specific users to do that with whatever switches and paths they need to? Some of the commands need to be interactive, so I can't just set up a single command in Self Service and run that as root.
Posted on 03-15-2016 12:46 PM
So in theory you could write a GUI interface that collects the data they need, and then they use a Self Service script to run the jamf runScript command. Here's how to use it:
Usage: jamf runScript -script <file name> -path <path to script> [-computerName <computerName>] [-target <target volume>] [-username <username>] [-p1 <parameter 1>] [-p2 <parameter 2>] [-p3 <parameter 3>] [-p4 <parameter 4>] [-p5 <parameter 5>] [-p6 <parameter 6>] [-p7 <parameter 7>] [-p8 <parameter 8>]
I'm sure there is probably a better way. But what I'm thinking is writing either a terminal app or an Xcode app to collect the data. Then the data gets dumped to a local text file. User runs Self Service and it looks at the text file and runs the script with the parameters. That's just off the top of my head.
But with great power comes great responsibility. In theory there is room for abuse with this method. So maybe collect all the possible scenarios they might need and write a script to conform to as many as possible to run from Self Service.
Posted on 03-15-2016 01:11 PM
Would Developer Mode suffice?
Developer Mode enables a limited permissions mode in OSX to execute certain actions & processes w/o needing admin intervention.
Posted on 03-15-2016 02:02 PM
I used to allow users to use sudo with specific commands only. Haven't tried it in 10.11 but it used to be an edit of the sudoers file.
So you would edit the file to allow sudo (for example) just for tcpdump.
Posted on 03-15-2016 02:27 PM
@mdonovan Where is that quote from? I've been idly looking for documentation on developer mode.
Thanks!
Posted on 03-16-2016 04:25 AM
I've added the appropriate users to the _Developer group via this command:
/usr/sbin/dseditgroup -o edit -a everyone -t group _developer ; DevToolsSecurity -enable
but they still can't run privileged commands. Editing the sudoers file sounds like it might be a step in the right direction. I'll look into that.
Posted on 03-16-2016 05:39 AM
We allow non-admin users to use certain commands with sudo. All you have to do is edit their sudoers file using the visudo command. You'll need to understand a little about the vi text editor. In your case, you'll want to add something like this to their sudoers file:
username ALL=/usr/sbin/tcpdump
The sudoers file requires special syntax that you should be careful about. Notice that after the username I actually hit the TAB key. TAB after the username is a sudoers file requirement. In the JSS, I have an extension attribute that shows me who has what set in their sudoers file.
Google something like "sudo allow only certain commands" for more info.
Posted on 03-16-2016 08:57 AM
@AVmcclint @catfeetstop is correct; however, if you have a large number of machines, a good way would be to use /etc/sudoers.d. If you look at the sudoers file, it is included at the end of the file:
#includedir /private/etc/sudoers.d
So if you create the /private/etc/sudoers.d directory and add a file called tcpdump with the contents from above, that would also do the job without touching the /etc/sudoers file, in case you needed to delegate or if you wanted to script or automate.
Larry
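Putting the two sudo replies above (the per-user rule, and dropping it into /private/etc/sudoers.d) into a script, as an added example that is not from anyone in this thread. The user name alice, the drop-in names, and the audit output format are assumptions for illustration; the paths under /private/etc are macOS, the rest is plain POSIX sh. The staging-directory approach lets you validate with visudo before anything goes live, and the audit function gives the kind of "who has what" output an extension attribute would return.

```shell
#!/bin/sh
# Added example, not from the thread: build, validate and audit a sudoers.d
# drop-in that grants one user one command as root.

# Print one sudoers rule. "(root)" is written out explicitly: a bare
# "ALL=" means the same thing but is easy to misread as "any command".
render_rule() {
    user=$1; cmd=$2
    printf '%s ALL=(root) %s\n' "$user" "$cmd"
}

# sudo silently skips drop-ins whose names contain '.' or end in '~',
# so refuse names that would be ignored rather than grant nothing.
valid_dropin_name() {
    case $1 in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Write a drop-in into $dir (a staging directory or the real sudoers.d).
# The command must be an absolute path: sudoers only matches full paths,
# and a relative one would be resolved against the caller's cwd.
write_dropin() {
    dir=$1; name=$2; user=$3; cmd=$4
    valid_dropin_name "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
    case $cmd in
        /*) ;;
        *)  echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    [ -x "$cmd" ] || echo "warning: $cmd is not executable on this host" >&2
    ( umask 077; render_rule "$user" "$cmd" > "$dir/$name" ) || return 1
    chmod 0440 "$dir/$name"
}

# Stage, syntax-check with visudo, then install. A syntax error in any
# included file breaks sudo for everyone, so never write the live file
# directly. Run as root on the target Mac (e.g. from a Jamf policy).
install_dropin() {
    name=$1; user=$2; cmd=$3
    stage=$(mktemp -d) || return 1
    write_dropin "$stage" "$name" "$user" "$cmd" || { rm -rf "$stage"; return 1; }
    visudo -cf "$stage/$name" || { rm -rf "$stage"; return 1; }
    mkdir -p -m 0755 /private/etc/sudoers.d
    install -o root -g wheel -m 0440 "$stage/$name" "/private/etc/sudoers.d/$name"
    rm -rf "$stage"
}

# Report every grant in a sudoers.d directory as "<file>: <rule>", skipping
# comments, blank lines and Defaults. Suitable as an extension attribute body.
audit_dropins() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|Defaults|$)' "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "${f##*/}" "$line"
        done
    done
}

# Usage on the Mac itself (needs root):
#   install_dropin tcpdump alice /usr/sbin/tcpdump
#   audit_dropins /private/etc/sudoers.d
```

One caveat on the grant itself: a rule like this allows tcpdump with any arguments, and tcpdump's -w writes files as root and -z runs a post-rotate command as root, so "tcpdump only" is a larger grant than it looks. If that matters, restrict the arguments in the rule or wrap tcpdump in a root-owned script that fixes the options, and grant that script instead.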
Posted on 09-25-2020 10:45 AM
@AVmcclint which privileged commands can't users run once they are added to the _Developer group?