Script/Policy/Config to add users to sudoers file?

EmDee
New Contributor III

Does anybody have a script that can be run on a network account, to automatically add it to the sudoers file?

We have several developers who will need to work with some code and use some sudo commands, whom we do not want to have Admin access.

I'm aware this is splitting hairs somewhat


perrycj
Contributor III

I am fairly certain (though not 100%) that you can't automate this. Mostly because you can only edit the sudoers file with the following command:

sudo visudo

After that, you have to go to a specific spot in that file and add the username(s) you want to be sudoers. It has to be in this format:

username ALL=(ALL) ALL

Then you have to hit the ESC key to stop editing the file and then hit the : key and then type “wq” followed by the Return key to save changes and exit vi. Not sure all that can be put into a script.

Nix4Life
Valued Contributor

It can be automated. See my post here,
and here is Rich's post for syntax.

bwoods
Valued Contributor

Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. The P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account, based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.

  1. Make sure to run this script with a Jamf policy
  2. I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf Binary, and editing the sudoers file.
#!/bin/bash

# Identify the username of the logged-in user

# The newline in the Python string literal was split across two lines by the forum; it must be "\n" on one line
currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

# Create file named "standard" and place in /private/tmp/

touch /private/tmp/standard 

# Populate "standard" file with desired permissions

echo "$currentUser ALL= (ALL) ALL
$currentUser    ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard

# Move "standard" file to /etc/sudoers.d

mv /private/tmp/standard /etc/sudoers.d

# Change permissions for "standard" file

chmod 644 /etc/sudoers.d/standard

exit 0;     ## Success
exit 1;     ## Failure

Hi @bwoods ,

This works perfectly, although I've found one flaw which I was wondering if you knew how to fix. If I run sudo -s or sudo su I'm given full root sudo access even with the restrictions in the standard file.
Have you got a fix for this? I can't find anywhere to disable access to running su or -s.


bwoods
Valued Contributor

Hi @perryd84,


Please give my script below a shot. Thanks for pointing that out! I don't know why Jamf Nation keeps inserting that happy face in my script. 

#!/bin/bash

# Identify the username of the logged-in user

# The forum rendered ":/" in the awk pattern as a smiley; the pattern is /Name :/
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Create file named "standard" and place in /private/tmp/

touch /private/tmp/standard 

# Populate "standard" file with desired permissions

echo "$currentUser ALL= (ALL) ALL
$currentUser    ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf, !/usr/bin/su, !/usr/bin/sudo -s " >> /private/tmp/standard

# Move "standard" file to /etc/sudoers.d

mv /private/tmp/standard /etc/sudoers.d

# Change permissions for "standard" file

chmod 644 /etc/sudoers.d/standard

exit 0;     ## Success
exit 1;     ## Failure


Thanks for the reply. I managed to figure it out the other day and also found that sudo -i runs the terminal at root level as well.
To stop these "loopholes" I added the following to your disallowed list:
!/usr/bin/su, !/bin/bash, !/bin/sh
This stops the user from being able to run sudo su, sudo -s and sudo -i.
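The script bwoods posted above and the sudo -s / sudo -i / sudo su findings in this reply both concern the same sudoers.d fragment. As an added example (not code from this thread or from Jamf), here is a version of that install step that builds the fragment as an allowlist, lints it for the "ALL minus exclusions" pattern and for shells, checks it with visudo before it lands in /etc/sudoers.d, and installs it with the 0440 mode sudoers(5) expects. The user name and the allowed commands are placeholders I assumed; substitute the developers' real needs.

```bash
#!/bin/bash
# Added example (not the thread's script): build a sudoers.d fragment as an
# allowlist, lint it, validate it with visudo, and install it as root:wheel 0440.
# The user and command paths below are assumed placeholders.
set -eu

# build_fragment <user> <cmd>... : one rule allowing only the listed commands as root.
build_fragment() {
    local user="$1" list="" c; shift
    for c in "$@"; do list="${list:+$list, }$c"; done
    printf '%s ALL=(root) %s\n' "$user" "$list"
}

# lint_fragment <file> : fail if a rule grants ALL, subtracts with "!", or lists
# su or a shell; each of those leaves a route to a root shell (sudo -s / -i / su).
lint_fragment() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            spec = $0; sub(/^[^=]*=/, "", spec)      # drop "user host="
            sub(/^[ \t]*\([^)]*\)/, "", spec)        # drop the (runas) group
            if (spec ~ /(^|[, \t])ALL([, \t]|$)/ || spec ~ /!/) bad++
            if (spec ~ /\/(bash|zsh|sh|su)([ \t,]|$)/) bad++
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# install_fragment <file> <name> : refuse anything that fails lint or visudo -c,
# then install with the owner and mode sudoers(5) expects for include files.
install_fragment() {
    local src="$1" dst="/etc/sudoers.d/$2"
    lint_fragment "$src" || { echo "refusing $src: grants ALL or a shell" >&2; return 1; }
    visudo -c -q -f "$src" || { echo "refusing $src: sudoers syntax error" >&2; return 1; }
    install -o root -g wheel -m 0440 "$src" "$dst"
}

# Demo with a constructed user and placeholder commands; pass --install (as root)
# to actually write /etc/sudoers.d/standard.
tmp=$(mktemp)
build_fragment devuser /usr/sbin/installer /usr/local/bin/brew > "$tmp"
cat "$tmp"
if lint_fragment "$tmp"; then echo "lint: ok"; fi
if [ "${1:-}" = "--install" ]; then install_fragment "$tmp" standard; fi
rm -f "$tmp"
```

Run the lint against the fragment from the scripts above (ALL=(ALL) ALL plus "!" exclusions) and it fails, which is the sudoers(5) caveat that commands cannot reliably be subtracted from ALL.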

bwoods
Valued Contributor

Ah, good find...adding this to my notes. Thanks again for looking into this.

I tried to follow your suggestions to disallow sudo -s, but it seems not to work on Ventura and Sonoma. I can still run sudo -s after having the full command in the sudoers file. Any thoughts on that?

fabiola
New Contributor

# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

What should the line be? 

My InfoSec team is making a similar request as yours. I've tried running your above script via JAMF (with the user look up adjusted for new OS's), and it is coming back with no errors, however the logged in user is still being told they "may not run sudo". Any thoughts?

Mack-OODA
New Contributor II

@bwoods tried your script but received the syntax error below. Any thoughts?

Script result: File "<string>", line 1
from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + " ^ SyntaxError: EOL while scanning string literal

bwoods
Valued Contributor

@Mack-OODA try removing the python to determine the current user. That will be deprecated in Monterey. Use the variable below instead.

# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

bwoods
Valued Contributor

Also, ensure that you are testing this via self service or by summoning the policy with terminal.

kishoth_p
New Contributor III

Hi @bwoods - Firstly, I appreciate your effort in finding a solution around this admin access.

Currently I am also looking for a solution around automating admin access requests without providing GUI-based admin, and limiting the end user to the terminal only to achieve their desired tasks.

Questions:

1. Does your script suffice for my requirement to automate admin access requests for software installation and downloading the code from GitHub / setting up an environment?

2. Once I run your script via Self Service, do I have to think about reverting any values/configs, or will it affect the /etc/sudoers file?

3. Can you please list the use cases for your script? That would really help me in implementing it.

Awaiting your earliest response...

Thanks again.

Kishoth

bwoods
Valued Contributor

Hello Kishoth,

I wouldn't say that my script above is the solution for admin users. It's just a workaround for providing sudo access. Revoking admin rights for devs would require a system like BeyondTrust or CyberArk. Even with these products the process is difficult.