Problems elevating via Sudo in terminal on Ventura for admin group users

L-plateAdmin
Contributor

Sorry if this has been hinted at before, its a weird one...   we have been using a corporatised script takes from the bones of the "Make me an Admin" script and have been using it in one way or another for 6 years..

for those who dont know it, it adds a standard or mobile user into the 'admin' (id:80) defualt group for a certan period of time before a launchdameon cuts it off:-

/usr/sbin/dseditgroup -o edit -a $user -t user admin

so Monterey and below that has always allowed a user to enter a password to install a package or unlock a padlock, as well as sudo and su themselves on a terminal to use admin commands there... except I cant get this to work on 13.5.2, i can install a pkg graphicly, but I cant use sudo or sudo -s to get a root terminal to run it on the command line via /sbin/installer

installer works when i have used the jamf management account to sudo -s with its complex password... so dont know why users dropped into the admin group cannot do that? if no i will raise a case to apple as well see if there is a new restirctions they have kept quiet..

 

 

1 REPLY 1

AJPinto
Honored Contributor III

Have you broken down the elements of the script and see if it works if you manually add someone to the admin group with CLI?

 

Can you share your script? 13.5.2 was a security update, there is at least a chance it could have patched this functions ability to work. We use a tool called CyberArk EPM to handle permissions escalation to get that off the MDM as Apple does not really want MDM's doing this.