Script/Policy/Config to add users to sudoers file?

EmDee
New Contributor III

Does anybody have a script that can be run on a network account, to automatically add it to the sudoers file?

We have several developers that will need to work with some code and use some sudo commands, that we do not want to have Admin access

I'm aware this is splitting hairs somewhat


perrycj
Contributor II

I am fairly certain (though not 100%) that you can't automate this. Mostly because you can only edit the sudoers file with the following command:

sudo visudo

After that, you have to go to a specific spot in that file and add the username(s) you want to be sudoers. It has to be in this format:

username ALL=(ALL) ALL

Then you have to hit the ESC key to stop editing the file and then hit the : key and then type “wq” followed by the Return key to save changes and exit vi. Not sure all that can be put into a script.

Nix4Life
Valued Contributor

It can be automated. See my post here, and here is rich's post for syntax.

bwoods
Contributor II

Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. The P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.

  1. Make sure to run this script with a Jamf policy
  2. I've included security features to prevent users from editing System Preferences, attempting to remove the Jamf Binary, and editing the sudoers file.

#!/bin/bash

# Identify the username of the logged-in user
# (the python string must stay on one line, with a literal "\n" inside it)

currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

# Do not write a rule for an empty user name (nobody past the login window)

if [ -z "$currentUser" ]; then
    echo "No console user found" >&2
    exit 1     ## Failure
fi

# Create file named "standard" and place in /private/tmp/

touch /private/tmp/standard

# Populate "standard" file with desired permissions
# (sudoers(5) notes that "!" exclusions under a full "ALL" grant are not a
# real restriction; they only block these exact command lines)

echo "$currentUser ALL= (ALL) ALL
$currentUser    ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard

# Check the syntax before the file goes live; a bad file in /etc/sudoers.d
# breaks sudo for every user on the Mac

if ! visudo -cf /private/tmp/standard; then
    rm -f /private/tmp/standard
    exit 1     ## Failure
fi

# Set ownership and permissions for "standard" file (what sudoers(5) expects)

chown root:wheel /private/tmp/standard
chmod 0440 /private/tmp/standard

# Move "standard" file to /etc/sudoers.d

mv /private/tmp/standard /etc/sudoers.d/standard

exit 0     ## Success
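Rather than granting ALL and then subtracting paths with "!" (which sudoers(5) documents as not an effective restriction), this added example, not code from any poster in this thread, renders a positive allow-list drop-in, validates it with visudo -cf before installing, and sets the root:wheel ownership and 0440 mode sudo expects. It assumes it runs as root (e.g. from a Jamf policy) and that the user name and absolute command paths are supplied by the caller.

```shell
#!/bin/bash
# Added example (not from this thread). Assumes root, e.g. a Jamf policy run.

# Print one sudoers rule granting USER the listed absolute command paths as root.
# Returns 1 for an unsafe user name, a missing command list or a relative path.
render_sudoers_entry() {
  local user="$1"; shift
  case "$user" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid user name: '$user'" >&2; return 1 ;;
  esac
  [ "$#" -gt 0 ] || { echo "no commands given for $user" >&2; return 1; }
  local cmd list=""
  for cmd in "$@"; do
    case "$cmd" in
      /*) ;;   # sudoers matches commands by absolute path only
      *) echo "not an absolute path: '$cmd'" >&2; return 1 ;;
    esac
    list="${list:+$list, }$cmd"
  done
  printf '%s ALL=(root) %s\n' "$user" "$list"
}

# Write the rule to a temp file, check it, then move it into /etc/sudoers.d.
install_sudoers_entry() {
  local user="$1"; shift
  # sudo silently skips drop-ins whose name contains "." or ends in "~"
  local name tmp
  name=$(printf '%s' "$user" | tr . _)
  tmp=$(mktemp /private/tmp/sudoers.XXXXXX) || return 1
  render_sudoers_entry "$user" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  # wheel is the root group on macOS; sudoers(5) documents mode 0440
  chown root:wheel "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
  # visudo -cf parses the candidate without touching the live configuration;
  # an unchecked file with a syntax error would break sudo for every user
  if ! visudo -cf "$tmp" >/dev/null; then
    echo "refusing to install: $tmp failed visudo -c" >&2
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "/etc/sudoers.d/$name"
}

# Usage: sudo ./grant-sudo.sh <user> </abs/cmd> [</abs/cmd> ...]
if [ "$#" -ge 2 ]; then
  install_sudoers_entry "$@"
fi
```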

Mack-OODA
New Contributor II

@bwoods tried your script but received the syntax error below. Any thoughts?

Script result: File "<string>", line 1
from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + " ^ SyntaxError: EOL while scanning string literal

bwoods
Contributor II

@Mack-OODA try removing the python to determine the current user. That will be deprecated in Monterey. Use the variable below instead.

# Determine Current User
currentUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

bwoods
Contributor II

Also, ensure that you are testing this via self service or by summoning the policy with terminal.