sed help

jhuls
Contributor III

I've been tasked with working on a script that removes the following from /etc/sudoers and replaces with a specific account name.

%admin ALL=(ALL) ALL
specificAccountName ALL=(ALL) ALL

I have this working with sed on OS X 10.10 and 10.11 but under 10.9 it fails. It seems that in 10.10 and 10.11 spaces were used between %admin and ALL but in 10.9 the powers that be used a tab. In looking online the only stuff I can find that states how to work with a tab in sed is to do a CTRL-V and then hit TAB. This doesn't apply when working in the editor in Casper. I've not tried importing a script so maybe that's an option and see if it'll maintain that code.

Does anyone have a better idea or if the import idea I mentioned fails...simply an idea period? I'm not an expert in shell scripting or sed for that matter. I read where someone recommended awk instead of sed so I haven't dug into that yet. I thought I would ask here in case awk might run into the same issue.

10 REPLIES

mpermann
Valued Contributor II

@jhuls I believe I've read in other threads that you need to use visudo to make those edits to make sure you don't mess up the file. But that's about the extent of my knowledge. Maybe some others can give some more details.

davidacland
Honored Contributor II

Can you just use sed -i 's/<tab>//g' (replacing <tab> with an actual tab)?

That being said, visudo would be best as I believe it does error checking to avoid catastrophes!

jhuls
Contributor III

@davidacland I've tried putting an actual tab in there and it didn't work. As far as visudo I'm not aware of a method to script it.

mpermann
Valued Contributor II

@jhuls have a look at @rtrouton's response in this thread. It seems like some folks are editing the file then backing up the original and dropping in the edited version. Maybe that method would work for you.

jhuls
Contributor III

@mpermann Thanks...I've considered that but then from what I can see I lose any customizing per machine. We're looking to automate that the change above happens which would be the account needed for Casper to operate and then on various machines we might need to customize particular users who have access to root.

While typing this though it occurred to me that maybe I could create a standard sudoers file without the tabs and then run a script after it that customizes it as needed. That seems like an option but was really hoping to learn of a method to address the tab purely via scripting.

jbmaruh
New Contributor III

I'm sure there's a far better way around doing this but this is what I had to do testing it just now. Using control+v and then a tab insert output to a file.

In Terminal with a random tabbed file in a tmp folder.

sed 's/^V<tab>//g'

So doing something like this to output it:

echo "cat /private/tmp/test.txt | sed 's/ //g'" > test.sh

This is what was output to the shell file; it worked fine removing tabs in the text file when run as a script.

cat /private/tmp/test.txt | sed 's/ //g'

Copy pasting it from within Atom seemed to work fine. Pasting into Terminal did not. Didn't test any other areas or too much more out of it. I'm sure someone has a better way of using a tab from a script, \t did not seem to work, and I didn't notice any other ways of inserting a special character.

jholland
New Contributor III

Use a regex to replace any character between "%admin" and "ALL" with a space, anchoring with "%" and "=".

#!/bin/sh
cat /private/tmp/test.txt | sed 's/%admin.*ALL=/%admin ALL=/g'

jhuls
Contributor III

@jholland Thanks! Early testing of this looks good. I was hoping there was a way to do that.

I've got a lot to learn with scripting again but at least it's fun working my way through it. I've done more scripting on Windows and Amiga than Mac and Linux and that was 5 years ago on Windows (command line) and almost 25 on Amiga (arexx and I remember nothing of it now other than how to spell it). Now if there just weren't deadlines attached to these projects. lol

sean
Valued Contributor

You don't need to worry about the tab, you are only trying to replace the text:

# echome="%admin	ALL=(ALL) ALL"; echo $echome | sed 's/%admin/specificAccountName/g'
specificAccountName ALL=(ALL) ALL

The tab is preserved

To answer the question though,

# echome="Hello there" ; echo $echome | sed 's/ /'$'	''/g'
Hello   there

and yes, in theory visudo should be used to edit this file, since if you get it wrong you've kind of got an issue.

Have to ask though, why not just remove people from being admins, rather than making them admins and then try and prevent them from being admins?
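An added example, not code from any poster in this thread: the regex approach above made whitespace-tolerant with [[:space:]] (so the 10.9 tab and the 10.10/10.11 spaces both match without typing a literal tab), followed by a scripted syntax check using visudo's check-only mode (-c) on a candidate file (-f). The function names, the root:wheel owner and the 0440 mode are assumptions of this example.

```shell
#!/bin/sh
# Added example: edit a copy of sudoers, check it, then install it.
# Function names are hypothetical; they are not from the thread.

# rewrite_admin_rule SRC DST ACCOUNT
# Copies SRC to DST with the "%admin ALL=(ALL) ALL" rule replaced by
# "ACCOUNT ALL=(ALL) ALL". [[:space:]] matches a tab or a space, so the
# same expression works whichever separator the OS release shipped.
rewrite_admin_rule() {
    src=$1 dst=$2 acct=$3
    # Reject names that could alter the sed expression or the sudoers grammar.
    case $acct in
        ''|*[!A-Za-z0-9._-]*) echo "bad account name" >&2; return 2 ;;
    esac
    sed "s/^%admin[[:space:]][[:space:]]*ALL[[:space:]]*=[[:space:]]*(ALL)[[:space:]][[:space:]]*ALL[[:space:]]*\$/$acct ALL=(ALL) ALL/" \
        "$src" > "$dst"
}

# install_checked CANDIDATE TARGET
# Replaces TARGET with CANDIDATE only if visudo accepts the candidate's
# syntax; the previous TARGET is kept as TARGET.bak. Needs root.
install_checked() {
    candidate=$1 target=$2
    if ! visudo -c -f "$candidate" >/dev/null; then
        echo "syntax check failed; $target left untouched" >&2
        return 1
    fi
    cp -p "$target" "$target.bak" &&
    # Assumed ownership and mode for sudoers on OS X: root:wheel, 0440.
    install -m 0440 -o root -g wheel "$candidate" "$target"
}
```

Typical use as root: rewrite_admin_rule /etc/sudoers /private/tmp/sudoers.new specificAccountName && install_checked /private/tmp/sudoers.new /etc/sudoers. Per-machine customizations already in the file are carried over, because only the matching line is rewritten.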

jhuls
Contributor III

@sean Thanks...I'll be sure to look through what you have there but jholland's is working perfectly thus far.

To answer your question about removing admin from our users: I would love to, but there are politics involved. Our new CIO requested that I pursue this for now so I'm following orders. This came about after I noticed how easy it is for an admin level user to access mounted drives of another user if they get root access. This isn't a perfect solution by any means but it's a roadblock of sorts for now. Due to the loose nature on security here (which is now being worked on) our CIO was concerned about this so this was the direction he wanted to go until we can accomplish removing admin from most if not all users.