Letting non-admins run specific terminal commands with elevated rights?

AVmcclint
Valued Contributor III

None of our users are admins of their computers; however, some do have legitimate needs to run some terminal commands like tcpdump and a few others that can only be run as root. Is there a way to allow specific users to do that with whatever switches and paths they need to? Some of the commands need to be interactive so I can't just setup a single command in Self Service and run that as root.

1 ACCEPTED SOLUTION

catfeetstop
Contributor II

We allow non-admin users to use certain commands with sudo. All you have to do is edit their sudoers file using the visudo command. You'll need to understand a little about the vi text editor. In your case, you'll want to add something like this to their sudoers file:

username    ALL=/usr/sbin/tcpdump

The sudoers file requires special syntax that you should be careful about. Notice that after the username I actually hit the TAB key. TAB after the username is a sudoers file requirement. In the JSS, I have an extension attribute that shows me who has what set in their sudoers file.

Google something like "sudo allow only certain commands" for more info.

View solution in original post

8 REPLIES 8

roiegat
Contributor II

So in theory you could write a GUI interface that collect the data they need and they use a Self Service script to run the jamf runscript command. Here's how to use it:

Usage: jamf runScript -script <file name> -path <path to script> [-computerName <computerName>] [-target <target volume>] [-username <username>] [-p1 <parameter 1>] [-p2 <parameter 2>] [-p3 <parameter 3>] [-p4 <parameter 4>] [-p5 <parameter 5>] [-p6 <parameter 6>] [-p7 <parameter 7>] [-p8 <parameter 8>]

I'm sure there is probably a better way. But what i'm thinking is writing either a terminal app or a xcode app to collect the data. Then the data gets dumpted to a local text file. User runs self service and it looks at the text file and runs the script with the parameters. That's just off the top of my head.

But with great power comes great responsibilty. It theory there is room for abuse with this method. So maybe collect all the possible scenarios they might need and write a script to conform to as many as possible to run from self service.

mdonovan
New Contributor III

Would Developer Mode suffice?


Developer Mode enables a limited permissions mode in OSX to execute certain actions & processes w/o needing admin intervention.

davidacland
Honored Contributor II
Honored Contributor II

I used to allow users to use sudo with specific commands only. Haven't tried it in 10.11 but it used to be an edit of the sudoers file.

So you would edit the file to allow sudo (for example) just for tcpdump.

milesleacy
Valued Contributor

@mdonovan Where is that quote from? I've been idly looking for documentation on developer mode.
Thanks!

AVmcclint
Valued Contributor III

I've added the appropriate users to the _Developer group via this command:

usr/sbin/dseditgroup -o edit -a everyone -t group _developer ; DevToolsSecurity -enable

but they still can't run privileged commands. Editing the sudoers file sounds like it might be a step in the right direction. I'll look into that.

catfeetstop
Contributor II

We allow non-admin users to use certain commands with sudo. All you have to do is edit their sudoers file using the visudo command. You'll need to understand a little about the vi text editor. In your case, you'll want to add something like this to their sudoers file:

username    ALL=/usr/sbin/tcpdump

The sudoers file requires special syntax that you should be careful about. Notice that after the username I actually hit the TAB key. TAB after the username is a sudoers file requirement. In the JSS, I have an extension attribute that shows me who has what set in their sudoers file.

Google something like "sudo allow only certain commands" for more info.

Nix4Life
Valued Contributor

@AVmcclint @catfeetstop is correct, how ever if you have a large number of machines. a good way would be to use /etc/sudoers.d. if you look at the sudoers file, it is included at the end of the file:

" #includedir /private/etc/sudoers.d "

so if you create the /private/etc/sudoers.d directory
and add a file called tcpdump with the contents from above
That would also do the job, without touching the etc/sudoers file, in case you needed to delegate or if you wanted to script or automate

Larry

Nmangal
New Contributor III

@AVmcclint which privileged commands users can't run, who are added in _Developer group?