Modify visudo

jtaveras
New Contributor III

Hi all,
Pretty new to JAMF and I would like to know if anyone has a doc I can read on how to add a line to the visudo settings.
Right now it's a manual process every time I provision a laptop, but I would like to script this.
I have searched and there are so many answers, and none officially supported by JAMF.

I now just do sudo visudo
edit the file
write/quit and save the file.

Any help is appreciated

8 REPLIES

Nix4Life
Valued Contributor

@jtaveras

You could possibly automate it by writing to the drop folder /private/etc/sudoers.d. I do this with Puppet to set up local admins for our science lab. If you could provide some context, I am sure we can help you out.

LS

jtaveras
New Contributor III

So I'm binding my Macs to Active Directory, but using pre-stage is not working at the moment. So doing a manual bind does not create the right users. For example, if I enroll my Macs via pre-stage with bind, the users are admin, managed and mobile. This is the desired outcome.
But when binding manually, not on DEP, it creates an admin, managed account but not mobile, even when settings are set to do it. I have opened a ticket with JAMF already.

So my workaround (using it before Jamf) is to edit the file by issuing sudo visudo and adding our line of code.
Then we run a script manually to bind the Macs to AD and the accounts get created perfectly.

This is until Jamf can find out a solution for me.

Thanks

Nix4Life
Valued Contributor

@jtaveras you could add something like this to your script:

touch /etc/sudoers.d/mobile
echo " yourlineofcodehere" >> /etc/sudoers.d/mobile

or place a file called "mobile" at /etc/sudoers.d with your code as the content

jtaveras
New Contributor III

Thanks, I will try that. I just started with Casper and I'm struggling with some things.

BTW, I see your nick says NY; are you in NYC?

bwoods
Valued Contributor

Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. The P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.

  1. Make sure to run this script with a Jamf policy
  2. I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf Binary, and editing the sudoers file.

#!/bin/bash

# Identify the username of the logged-in user

currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Stop if no user is logged in; an empty name would produce an invalid rule

[ -n "$currentUser" ] || exit 1		## Failure

# Create a staging file for "standard" in /private/tmp/ (mktemp avoids a predictable file name)

tmpFile=$( mktemp /private/tmp/standard.XXXXXX ) || exit 1		## Failure

# Populate staging file with desired permissions

echo "$currentUser	ALL= (ALL) ALL
$currentUser	ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> "$tmpFile"

# Move staging file to /etc/sudoers.d as "standard"

mv "$tmpFile" /etc/sudoers.d/standard || exit 1		## Failure

# Change permissions for "standard" file

chmod 644 /etc/sudoers.d/standard || exit 1		## Failure

exit 0		## Success

It's creating an issue with Terminal, as shown below.

It may need some changes to the script; can you check this?

When I run the script, this is what I get in Terminal.

mani2care
Contributor

When I tried this command, I'm getting this error:

NTS-IT-001:~ manikandan.raju$ sudo whoami
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
root
NTS-IT-001:~ manikandan.raju$ sudo whoami
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
root
NTS-IT-001:~ manikandan.raju$ sudo visudo -f /etc/sudoers
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~
/private/etc/sudoers.d/standard:1:32: syntax error
manikandan.raju ALL= (ALL) ALL manikandan.raju ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf
^~~~~~~~~~~~~~~

 

bwoods
Valued Contributor

@mani2care, run this from a Jamf policy. Do not run it from your user account.
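
An added example, not code from any poster in this thread: one way to install the drop-in so that a file with a syntax error, like the `1:32` error in the output quoted above, is rejected before sudo ever reads it. `install_dropin`, `SUDOERS_DIR` and `VISUDO` are names assumed for this example; the file is staged inside the drop-in directory rather than `/private/tmp`, checked with `visudo -cf`, and only then renamed into place.

```shell
#!/bin/bash
# Added example: install a sudoers drop-in only after it passes a syntax check.
# SUDOERS_DIR and VISUDO are overridable (assumed names) so the logic can be
# exercised outside /etc/sudoers.d; the defaults are the paths used on macOS.
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
VISUDO="${VISUDO:-/usr/sbin/visudo}"

# install_dropin NAME   (rule text is read from stdin)
# Returns 0 once the file is live, 1 if it was rejected and discarded.
install_dropin() {
    local name="$1" tmp
    # sudo skips drop-in names that contain "." or end in "~", so such a
    # file would install without error and then never be applied.
    case "$name" in
        ""|*.*|*~|*/*) echo "bad drop-in name: $name" >&2; return 1 ;;
    esac
    # Stage inside the root-owned target directory, not world-writable /tmp.
    # The dotted staging name is ignored by sudo, and mv is an atomic rename.
    tmp="$(mktemp "$SUDOERS_DIR/.$name.XXXXXX")" || return 1
    cat > "$tmp"
    # visudo -c checks syntax only; -f points it at the staged file.
    if ! "$VISUDO" -cf "$tmp" >/dev/null 2>&1; then
        echo "sudoers syntax check failed; $name not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp"                                   # conventional sudoers mode
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$tmp"; fi  # root:wheel on macOS
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}

# Usage from a policy script running as root (rule text from the thread):
#   printf '%s\tALL= (ALL) ALL\n' "$currentUser" | install_dropin standard
```

Separately from installation, the sudoers(5) manual notes that subtracting commands from `ALL` with `!` is generally not effective, so a deny list placed after `ALL= (ALL) ALL` should not be treated as a hard control.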