None of our users are admins of their computers; however, some do have legitimate needs to run some terminal commands like tcpdump and a few others that can only be run as root. Is there a way to allow specific users to do that with whatever switches and paths they need to? Some of the commands need to be interactive so I can't just setup a single command in Self Service and run that as root.
Solved
Letting non-admins run specific terminal commands with elevated rights?
+21Best answer by catfeetstop
We allow non-admin users to use certain commands with sudo. All you have to do is edit their sudoers file using the visudo command. You'll need to understand a little about the vi text editor. In your case, you'll want to add something like this to their sudoers file:
username ALL=/usr/sbin/tcpdumpThe sudoers file requires special syntax that you should be careful about. Notice that after the username I actually hit the TAB key. TAB after the username is a sudoers file requirement. In the JSS, I have an extension attribute that shows me who has what set in their sudoers file.
Google something like "sudo allow only certain commands" for more info.
+16So in theory you could write a GUI interface that collect the data they need and they use a Self Service script to run the jamf runscript command. Here's how to use it:
Usage: jamf runScript -script <file name> -path <path to script> [-computerName <computerName>] [-target <target volume>] [-username <username>] [-p1 <parameter 1>] [-p2 <parameter 2>] [-p3 <parameter 3>] [-p4 <parameter 4>] [-p5 <parameter 5>] [-p6 <parameter 6>] [-p7 <parameter 7>] [-p8 <parameter 8>]
I'm sure there is probably a better way. But what i'm thinking is writing either a terminal app or a xcode app to collect the data. Then the data gets dumpted to a local text file. User runs self service and it looks at the text file and runs the script with the parameters. That's just off the top of my head.
But with great power comes great responsibilty. It theory there is room for abuse with this method. So maybe collect all the possible scenarios they might need and write a script to conform to as many as possible to run from self service.
+5Would Developer Mode suffice?
Developer Mode enables a limited permissions mode in OSX to execute certain actions & processes w/o needing admin intervention.
+18I used to allow users to use sudo with specific commands only. Haven't tried it in 10.11 but it used to be an edit of the sudoers file.
So you would edit the file to allow sudo (for example) just for tcpdump.
+23@mdonovan Where is that quote from? I've been idly looking for documentation on developer mode.
Thanks!
+21I've added the appropriate users to the _Developer group via this command:
usr/sbin/dseditgroup -o edit -a everyone -t group _developer ; DevToolsSecurity -enablebut they still can't run privileged commands. Editing the sudoers file sounds like it might be a step in the right direction. I'll look into that.
+9We allow non-admin users to use certain commands with sudo. All you have to do is edit their sudoers file using the visudo command. You'll need to understand a little about the vi text editor. In your case, you'll want to add something like this to their sudoers file:
username ALL=/usr/sbin/tcpdumpThe sudoers file requires special syntax that you should be careful about. Notice that after the username I actually hit the TAB key. TAB after the username is a sudoers file requirement. In the JSS, I have an extension attribute that shows me who has what set in their sudoers file.
Google something like "sudo allow only certain commands" for more info.
+13@AVmcclint @catfeetstop is correct, how ever if you have a large number of machines. a good way would be to use /etc/sudoers.d. if you look at the sudoers file, it is included at the end of the file:
" #includedir /private/etc/sudoers.d "
so if you create the /private/etc/sudoers.d directory
and add a file called tcpdump with the contents from above
That would also do the job, without touching the etc/sudoers file, in case you needed to delegate or if you wanted to script or automate
Larry
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.