Does anybody have a script that can be run on a network account, to automatically add it to the sudoers file?
We have several developers that will need to work with some code and use some sudo commands, that we do not want to have Admin access.
I'm aware this is splitting hairs somewhat.
I am fairly certain (though not 100%) that you can't automate this. Mostly because you can only edit the sudoers file with the following command:
After that, you have to go to a specific spot in that file and add the username(s) you want to be sudoers. It has to be in this format:
username ALL=(ALL) ALL
Then you have to hit the ESC key to stop editing the file and then hit the : key and then type “wq” followed by the Return key to save changes and exit vi. Not sure all that can be put into a script.
Hi everyone, my secadmin team wants to remove admin rights for all of my users. I initially thought that the Jamf Connect Login P.A.M module was able to do this, but I was mistaken. The P.A.M module only allows you to run sudo commands and use a cloud identity provider to enter your password. Since I couldn't use P.A.M, I created a simple script that would make it possible to run sudo commands without an admin account based on all of the information you all provided. Thanks to everyone for pointing me in the right direction.
#!/bin/bash

# Identify the username of the logged-in user
currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None]); username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + " ");'`

# Create file named "standard" and place in /private/tmp/
touch /private/tmp/standard

# Populate "standard" file with desired permissions
echo "$currentUser ALL= (ALL) ALL
$currentUser ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" >> /private/tmp/standard

# Move "standard" file to /etc/sudoers.d
mv /private/tmp/standard /etc/sudoers.d

# Change permissions for "standard" file
chmod 644 /etc/sudoers.d/standard

exit 0; ## Success
exit 1; ## Failure
@bwoods tried your script but received below syntax. Any thoughts?
Script result: File "<string>", line 1
    from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None]); username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
    ^
SyntaxError: EOL while scanning string literal
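On the question of whether a sudoers change can be scripted at all: the following is an added example, not code from any poster in this thread, that installs a per-user drop-in without an interactive editor and lets `visudo -cf` reject a bad file before sudo ever reads it. The `dev-<user>` file name, the `VISUDO` override and the sample account and command are assumptions; it grants an allow-list of commands instead of `ALL` with `!` exclusions, which sudoers(5) describes as generally not effective.

```bash
#!/bin/bash
# Added example: install a syntax-checked sudoers.d drop-in for one user.
# Assumed names (not from the thread): "dev-<user>" file name, VISUDO override.
# Run as root, e.g. (constructed values): install_dropin /etc/sudoers.d jdoe /usr/bin/make
VISUDO="${VISUDO:-/usr/sbin/visudo}"

# Plain account names only, so the value cannot carry sudoers syntax
# (spaces, commas, '=', '!', '#', newlines) or a path separator.
valid_username() {
    [[ "$1" =~ ^[A-Za-z_][A-Za-z0-9._-]{0,30}$ ]]
}

# Allow-list rule: the user may run only the listed absolute paths, as root.
render_rule() {
    local user="$1" cmd list=""
    shift
    for cmd in "$@"; do
        [[ "$cmd" =~ ^/[A-Za-z0-9._/+-]+$ ]] || return 1
        list+="${list:+, }$cmd"
    done
    [[ -n "$list" ]] || return 1
    printf '%s ALL=(root) %s\n' "$user" "$list"
}

# Write to a private temp file, check it with visudo, then rename into place.
# sudo skips sudoers.d names containing '.', so the temp file is never parsed
# and dots in the username are mapped to '_' for the final file name.
install_dropin() {
    local dir="$1" user="$2" tmp
    shift 2
    valid_username "$user" || { echo "refusing username: $user" >&2; return 2; }
    tmp="$(mktemp "$dir/.tmp.XXXXXX")" || return 3
    if render_rule "$user" "$@" > "$tmp" \
        && "$VISUDO" -cf "$tmp" > /dev/null \
        && chmod 0440 "$tmp" \
        && mv -f "$tmp" "$dir/dev-${user//./_}"; then
        return 0
    fi
    rm -f "$tmp"
    return 4
}
```

Because the temp file is created inside the target directory, the final `mv` is a rename on the same filesystem, so sudo never sees a half-written rule.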