Posted on 10-31-2016 12:56 PM
Hi all,
Pretty new to JAMF and I would like to know if anyone has a doc I can read on how to add a line to the visudo settings.
Right now it's a manual process every time I provision a laptop, but I would like to script this.
I have searched and there are so many answers, and none officially supported by JAMF.
I now just do
sudo visudo
edit the file
write/quit and save the file.
Any help is appreciated
Posted on 10-31-2016 02:14 PM
You could possibly automate it by writing to the drop folder /private/etc/sudoers.d. I do this with Puppet to set up local admins for our science lab. If you could provide some context, I am sure we can help you out.
LS
Posted on 11-10-2016 02:00 PM
So I'm binding my Macs to Active Directory, but using pre-stage is not working at the moment.
So doing a manual bind does not create the right users. For example, if I enroll my Macs via pre-stage with bind, the users are admin, managed and mobile. This is the desired outcome.
But when binding manually, not on DEP, it creates an admin, managed account but not mobile, even when settings are set to do it. I have opened a ticket with JAMF already.
So my workaround (using it before Jamf) is to edit the file by issuing sudo visudo, and adding our line of code.
Then we run a script manually to bind the Macs to AD and the accounts get created perfectly.
This is until Jamf can find a solution for me.
Thanks
Posted on 11-14-2016 09:35 AM
@jtaveras you could add something like this to your script:
touch /etc/sudoers.d/mobile
echo " yourlineofcodehere" >> /etc/sudoers.d/mobile
or place a file called "mobile" at /etc/sudoers.d with your code as the content
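The suggestion in the post above (have the script write the rule to a file under /etc/sudoers.d), as an added example that is not part of the original thread. It differs from `echo >>` in that a second run adds no duplicate line and a rule that fails the syntax check is never installed; `install_sudoers_dropin`, `SUDOERS_DIR`, `SUDOERS_CHECK` and the user `alice` are hypothetical names chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. install_sudoers_dropin, SUDOERS_DIR and
# SUDOERS_CHECK are hypothetical names; the defaults target the real directory.

install_sudoers_dropin() {
    name=$1
    rule=$2
    dir=${SUDOERS_DIR:-/etc/sudoers.d}
    check=${SUDOERS_CHECK:-visudo -cf}
    target="$dir/$name"

    # sudo skips drop-in files whose names contain '.' or end in '~'
    case $name in
        ''|*.*|*"~"|*/*)
            echo "unusable drop-in name: $name" >&2
            return 2 ;;
    esac

    # Idempotent: unlike 'echo >>', a second run does not add a duplicate line
    if [ -f "$target" ] && [ "$(cat "$target")" = "$rule" ]; then
        return 0
    fi

    # Candidate lives beside the target so the final mv is an atomic rename;
    # its dotted name means sudo never reads it while it is being checked
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp"    # root:wheel on macOS
    fi

    # A file with a syntax error must never reach the directory
    if ! $check "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "syntax check failed, $target left unchanged" >&2
        return 1
    fi
    mv -f "$tmp" "$target"
}

# Usage from a policy script running as root (alice is a constructed user name):
#   install_sudoers_dropin mobile 'alice ALL=(ALL) ALL'
```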
Posted on 11-14-2016 11:32 AM
Thanks, I will try that. I just started with Casper and I'm struggling with some things.
BTW, I see your nick says NY. Are you in NYC?
09-22-2020 03:40 PM - edited 03-23-2022 07:24 AM
Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. The P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.
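#!/bin/bash
# Identify the username of the logged-in user
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Stop if nobody is logged in; an empty name would produce an invalid sudoers entry
[ -n "$currentUser" ] || exit 1 ## Failure
# Create the "standard" file under an unpredictable name in /private/tmp/ (world-writable directory)
tmpFile=$( mktemp /private/tmp/standard.XXXXXX ) || exit 1 ## Failure
# Populate "standard" file with desired permissions (two separate sudoers lines)
echo "$currentUser ALL= (ALL) ALL" > "$tmpFile"
echo "$currentUser ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> "$tmpFile"
# Check the syntax before installing; a broken file in /etc/sudoers.d makes sudo report syntax errors
if ! /usr/sbin/visudo -cf "$tmpFile"; then
rm -f "$tmpFile"
exit 1 ## Failure
fi
# Change owner and permissions for "standard" file (0440 is the mode sudo expects for sudoers files)
chown root:wheel "$tmpFile"
chmod 440 "$tmpFile"
# Move "standard" file to /etc/sudoers.d
mv "$tmpFile" /etc/sudoers.d/standard
exit 0 ## Success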
Posted on 08-16-2021 04:15 AM
It's creating an issue with Terminal,
as shown below.
It may need some changes to the script. Can you check this?
When I run the script, it gets like this in Terminal.
Posted on 08-16-2021 03:48 AM
When I tried this command, I'm getting this error:
NTS-IT-001:~ manikandan.raju$ sudo whoami
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
root
NTS-IT-001:~ manikandan.raju$ sudo whoami
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
root
NTS-IT-001:~ manikandan.raju$ sudo visudo -f /etc/sudoers
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
08-16-2021 07:46 AM - edited 08-16-2021 07:47 AM
@mani2care , run this from a jamf policy. Do not run it from your user account.