Posted on 07-10-2017 01:29 AM
Does anybody have a script that can be run on a network account, to automatically add it to the sudoers file?
We have several developers who will need to work with some code and use some sudo commands, but whom we do not want to have Admin access.
I'm aware this is splitting hairs somewhat
Posted on 07-10-2017 06:13 AM
I am fairly certain (though not 100%) that you can't automate this. Mostly because you can only edit the sudoers file with the following command:
sudo visudo
After that, you have to go to a specific spot in that file and add the username(s) you want to be sudoers. It has to be in this format:
username ALL=(ALL) ALL
Then you have to hit the ESC key to stop editing the file and then hit the : key and then type “wq” followed by the Return key to save changes and exit vi. Not sure all that can be put into a script.
Posted on 09-22-2020 03:42 PM
Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. The P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account, based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.
#!/bin/bash
# Identify the username of the logged-in user (python 2 lookup; later posts in this thread switch to scutil)
currentUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# Create file named "standard" and place in /private/tmp/
touch /private/tmp/standard
# Populate "standard" file with desired permissions
echo "$currentUser ALL= (ALL) ALL
$currentUser ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard
# Check the syntax before installing: a malformed file in /etc/sudoers.d breaks every sudo invocation on the Mac
if visudo -cf /private/tmp/standard; then
    # Move "standard" file to /etc/sudoers.d
    mv /private/tmp/standard /etc/sudoers.d
    # Files in /etc/sudoers.d must be root-owned and not writable by others; 0440 is the mode sudo expects
    chmod 0440 /etc/sudoers.d/standard
    exit 0 ## Success
else
    rm -f /private/tmp/standard
    exit 1 ## Failure
fi
Posted on 11-17-2021 08:01 AM
Hi @bwoods ,
This works perfectly, although I've found one flaw which I was wondering if you knew how to fix. If I run sudo -s or sudo su I'm given full root sudo access even with the restrictions in the standard file.
Have you got a fix for this? I can't find anywhere to disable access to running su or -s.
11-19-2021 09:43 AM - edited 11-19-2021 09:49 AM
Hi @perryd84,
Please give my script below a shot. Thanks for pointing that out! I don't know why Jamf Nation keeps inserting that happy face in my script.
#!/bin/bash
# Identify the username of the logged-in user (the forum renders ":/" in the awk pattern as a smiley; it is "Name :")
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Create file named "standard" and place in /private/tmp/
touch /private/tmp/standard
# Populate "standard" file with desired permissions
echo "$currentUser ALL= (ALL) ALL
$currentUser ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf, !/usr/bin/su, !/usr/bin/sudo -s" >> /private/tmp/standard
# Check the syntax before installing: a malformed file in /etc/sudoers.d breaks every sudo invocation on the Mac
if visudo -cf /private/tmp/standard; then
    # Move "standard" file to /etc/sudoers.d
    mv /private/tmp/standard /etc/sudoers.d
    # Files in /etc/sudoers.d must be root-owned and not writable by others; 0440 is the mode sudo expects
    chmod 0440 /etc/sudoers.d/standard
    exit 0 ## Success
else
    rm -f /private/tmp/standard
    exit 1 ## Failure
fi
Posted on 11-19-2021 12:23 PM
Thanks for the reply. I managed to figure it out the other day and also found that sudo -i runs the terminal at root level as well.
To stop these "loopholes" I added the following to your disallowed list:
!/usr/bin/su, !/bin/bash, !/bin/sh
This stops the user from being able to run sudo su, sudo -s and sudo -i.
11-19-2021 12:35 PM - edited 11-19-2021 12:36 PM
Ah, good find...adding this to my notes. Thanks again for looking into this.
Posted on 10-31-2023 12:03 AM
I tried to follow your suggestions to disallow sudo -s, but it seems not to work on Ventura and Sonoma. I can still run sudo -s after having the full command in the sudoers file. Any thoughts on that?
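Editor's note with an added example; this is not code from any poster in the thread. The scripts above grant ALL and then subtract commands with "!". The sudoers(5) manual warns that subtracting from ALL is not an effective restriction: the user can run any shell or interpreter that is not on the exclusion list, or copy an excluded binary under a new name. That is also why sudo -s still works on Ventura and Sonoma after excluding /bin/bash and /bin/sh: the default login shell on those releases is /bin/zsh, so sudo -s executes /bin/zsh (sudo -i runs root's login shell, /bin/sh, which is why excluding /bin/sh blocked it). The script below keeps the thread's structure (console user via scutil, a drop-in under /etc/sudoers.d, run as root by a Jamf policy) but grants an explicit command allowlist, validates the file with visudo -cf before installing it, and sets the 0440 mode sudo expects. The commands in DEV_COMMANDS, the drop-in name devtools and the accepted username pattern are assumptions for illustration; adjust them to your environment and keep out of the allowlist anything that can spawn a shell or open arbitrary files.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): allowlist-style sudoers.d
# drop-in for the console user, syntax-checked with visudo before install.
# DEV_COMMANDS, DROPIN and the username pattern are assumptions for illustration.
set -eu

DROPIN=/etc/sudoers.d/devtools
DEV_COMMANDS='/usr/sbin/softwareupdate, /usr/bin/xcode-select, /usr/sbin/DevToolsSecurity'

# Console user via the same scutil lookup the thread uses; empty at the login window.
console_user() {
    echo 'show State:/Users/ConsoleUser' | scutil \
        | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# The name is interpolated into sudoers syntax, so accept only a plain account
# name (no spaces, "=", "(", "!" or other characters sudoers would parse).
valid_user() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9._-]*$'
}

# Render the fragment: an explicit Cmnd_Alias instead of "ALL" minus "!" entries.
# Whatever is listed here runs as root, so keep out editors, interpreters and
# anything else that can hand the user a shell.
render_sudoers() {
    printf '# Managed by Jamf policy; do not edit by hand\n'
    printf 'Cmnd_Alias DEVTOOLS = %s\n' "$DEV_COMMANDS"
    printf '%s ALL=(root) DEVTOOLS\n' "$1"
}

# Write to a temp file, let visudo reject syntax errors, then install with the
# owner and 0440 mode sudo expects. A malformed file in /etc/sudoers.d breaks
# every sudo invocation on the Mac, so never move an unchecked file there.
install_sudoers() {
    local tmp
    tmp=$(mktemp /private/tmp/sudoers.XXXXXX)
    render_sudoers "$1" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "refusing to install $DROPIN: visudo rejected the file" >&2
        return 1
    fi
    chown root:wheel "$tmp"
    chmod 0440 "$tmp"
    mv "$tmp" "$DROPIN"
}

# Only act when invoked as "script.sh install" (as root, e.g. from a Jamf policy);
# the functions above can then be exercised on their own.
if [ "${1:-}" = install ]; then
    user=$(console_user)
    if [ -z "$user" ] || ! valid_user "$user"; then
        echo "no usable console user: '$user'" >&2
        exit 1
    fi
    install_sudoers "$user"
    # Print what the drop-in grants without running anything.
    sudo -l -U "$user"
fi
```

Run it as root with the argument install; the closing sudo -l -U line prints exactly what the drop-in grants, which is the quickest way to confirm that no shell is reachable. If a user genuinely needs an unrestricted root shell, that is admin access by another name, and a sudoers file cannot hide it.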
11-16-2022 12:10 PM - edited 11-16-2022 12:33 PM
# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
What should the line be?
Posted on 08-15-2023 02:20 PM
My InfoSec team is making a similar request as yours. I've tried running your above script via JAMF (with the user look up adjusted for new OS's), and it is coming back with no errors, however the logged in user is still being told they "may not run sudo". Any thoughts?
Posted on 09-13-2021 01:53 PM
@bwoods tried your script but received the syntax error below. Any thoughts?
Script result: File "<string>", line 1
from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
^
SyntaxError: EOL while scanning string literal
Posted on 09-14-2021 11:35 AM
@Mack-OODA try removing the python used to determine the current user. That will be deprecated in Monterey. Use the variable below instead.
# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
09-14-2021 11:36 AM - edited 09-14-2021 11:37 AM
Also, ensure that you are testing this via Self Service or by invoking the policy from Terminal.
Posted on 02-11-2023 01:57 AM
Hi @bwoods - Firstly appreciate your effort for finding a solution around this admin access.
Currently I am also looking for a solution around automating admin access requests without providing GUI-based admin, limiting the end user to Terminal to achieve their desired tasks.
Questions:-
1. Does your script suffice for my requirement to automate admin access requests for software installation and downloading the code from GitHub / setting up an environment?
2. Once I run your script via Self Service, do I have to think about reverting any values/configs, or will it affect the /etc/sudoers file?
3. Can you please list the use cases for your script, which would really help me in implementing it?
Awaiting your earliest response.
Thanks again.
Kishoth
Posted on 02-14-2023 01:11 PM
Hello Kishoth,
I wouldn't say that my script above is the solution for admin users. It's just a workaround for providing sudo access. Revoking admin rights for devs would require a system like BeyondTrust or CyberArk. Even with these products the process is difficult.