Remove sudoers using script
At the moment I'm working on a solution to prevent all admin users (except one particular one) from running sudo. I can add a specific user to sudoers by running:
sudo -i
echo '$username ALL=(ALL:ALL) ALL' >> /etc/sudoers
Then I'd like to remove %admin ALL = (ALL) ALL within the sudoers file, which would leave the above admin as the only sudo admin. However, I cannot seem to find a way to remove/replace a particular string within sudoers.
I'd like to make this into a script, hence using visudo and manually adjusting won't work for me. If there is a way to run visudo from a script and adjust a particular line within sudoers that would be ideal, but I couldn't find anything when researching on the Web.
I've seen a solution here:
- https://www.ibm.com/developerworks/community/blogs/brian/entry/edit_sudoers_file_from_a_script4?lang=en
which works in Linux. Is it possible to make it work in macOS?
macos command-line bash sudo
asked Jun 2 at 8:19 by merkeesox; edited Jun 2 at 8:44 by nohillside♦
At first glance the solution on the linked page should also work in macOS. Can you add some details on where/how exactly it fails? Also, as this is basically a "how do I delete a specific line from a text file with a script" type of question, what other kind of research have you already done?
– nohillside♦
Jun 2 at 8:27
PS: I won't go on to list the various ways how any admin user not part of sudoers can easily get their sudo rights back...
– nohillside♦
Jun 2 at 8:28
PPS: But you may want to use double quotes instead of single quotes in your echo statement above :-)
– nohillside♦
Jun 2 at 8:29
3 Answers
Here's an alternate method. Lines are not added or deleted from the sudoers file. The line giving admin root rights is commented out and we create a separate file with mac_admin's rights in the directory /etc/sudoers.d. And as a bonus, the original sudoers file is backed up.
# drop-in granting mac_admin full sudo; install it only if visudo accepts it
printf '%s\n' 'mac_admin ALL=(ALL:ALL) ALL' > /tmp/99-macadmin
visudo -c -f /tmp/99-macadmin &&
install -o 0 -g 0 -m 440 /tmp/99-macadmin /etc/sudoers.d
# comment out the "%admin<TAB>ALL = (ALL) ALL" line in a copy, check the copy,
# then install it; -b/-B keep the original as /etc/sudoers.orig
sed $'s/%admin\t/# %admin/' /etc/sudoers > /tmp/sudoers
visudo -c -f /tmp/sudoers &&
install -B .orig -b -o 0 -g 0 -m 440 /tmp/sudoers /etc/sudoers
rm /tmp/sudoers /tmp/99-macadmin
answered Jun 2 at 14:44 by fd0
Impressive! I was not aware that's an option as my bash skills are incredibly lacking. I'll test this and let you know if it works - very interested to implement this solution as it sounds much safer than editing the actual sudoers like you said. Many thanks for your time!
– merkeesox
Jun 2 at 16:10
That worked as you described - I was just thinking however, what would a script look like to reverse this change? Would it include renaming the edited script to .orig and .orig to default? Apologies as I am just doing my best learning bash, however there might be a time when there is a need to revert to the original without any direct intervention on the file, using a Jamf Pro policy instead. I would imagine a policy for applying this change with the script you have so kindly written and a reversal policy which could be scoped to appropriate machines and undo the changes.
– merkeesox
Jun 2 at 19:28
1
I've just realised I can just delete the edited script and rename the .orig back to default instead, sorry! That was silly of me.
– merkeesox
Jun 2 at 19:51
For what it's worth, you can use
printf '/^%%admin ALL = (ALL) ALL$/d\nw\nq\n' | ed -s sudoers
or, if you want to catch the line independent of the number of space characters, tabs etc. used,
printf '/^%%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*(ALL)[[:blank:]]*ALL$/d\nw\nq\n' | ed sudoers
in bash to remove the admin line (the double %% are required to prevent printf from interpreting them as formatting instructions).
The usual caveats about editing sudoers without relying on the syntax checks done by visudo apply. So it might be safer to run the following (or at least have another root shell running so you can fix any issues without getting locked out):
cp /etc/sudoers /tmp
chmod +w /tmp/sudoers
# ed script: delete the first line matching the pattern, write, quit
printf '/^%%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*(ALL)[[:blank:]]*ALL$/d\nw\nq\n' | ed /tmp/sudoers
if visudo -c -f /tmp/sudoers; then
    echo "All well"
    mv -f /tmp/sudoers /etc/sudoers
    chmod -w /etc/sudoers
else
    echo "Uups, something went wrong"
fi
(Script untested, because I don't want to mess with my sudoers file)
answered Jun 2 at 8:44 by nohillside♦; edited Jun 2 at 12:22
I've tested the above script and it may indeed work with some adjustment as the echo returns "All well"; however, I believe it isn't removing that particular line still as I've checked the sudoers file and %admin is still present. The return code is: Running script Test - edit sudoers... Script exit code: 0 Script result: 2111 ? /tmp/sudoers: parsed OK All well
– merkeesox
Jun 2 at 9:29
@merkeesox Please add your sudoers file to the question then, so it's easier to verify what is going wrong.
– nohillside♦
Jun 2 at 10:01
1
@merkeesox Try again. BUT: currently no additional users besides root are enabled for sudo, so make sure you don't lock yourself out!
– nohillside♦
Jun 2 at 10:50
That's okay, I've got the root account enabled and when I log in I can edit it back to its original values without affecting ownership and permissions of the sudoers file. I'll try that now.
– merkeesox
Jun 2 at 10:54
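The two answers above (fd0's drop-in plus commented-out %admin rule, and nohillside's copy, edit, visudo -c, install sequence) can be combined into one script that also guards against the lock-out both commenters warn about. What follows is an added example, not code from the question or from any answer in the thread. It assumes the designated account is called mac_admin, that sudoers is /etc/sudoers and that drop-ins go in /etc/sudoers.d; whether that directory is actually read is checked from the includedir line rather than assumed, and the VISUDO override and all function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or from any answer in the thread.
# Combines the two approaches above: a drop-in for one designated admin plus
# the %admin group rule commented out in a private copy of sudoers, both
# checked with visudo -c, with a lock-out guard, a backup and an atomic
# install with mode 0440. Assumptions not stated on the page: the admin
# account is "mac_admin", sudoers is /etc/sudoers, the drop-in directory is
# /etc/sudoers.d, and VISUDO and the function names are this example's own.
set -eu

# Lets a dry run or a test point at another checker; normally visudo itself.
VISUDO=${VISUDO:-visudo}

# Body of an ERE matching "%admin ALL = (ALL) ALL" or "%admin ALL=(ALL:ALL) ALL"
# with any mix of spaces and tabs; callers anchor it with ^ and $.
ADMIN_RULE='[[:blank:]]*%admin[[:blank:]]+ALL[[:blank:]]*=[[:blank:]]*\(ALL(:ALL)?\)[[:blank:]]+ALL[[:blank:]]*'

# count_admin_rules FILE -> prints how many active %admin rules FILE contains
count_admin_rules() {
    grep -Ec "^$ADMIN_RULE\$" "$1" || true   # grep -c exits 1 on zero matches
}

# comment_out_admin SRC DST -> DST is SRC with every %admin rule commented out
# and nothing else changed, so a diff against the backup stays reviewable
comment_out_admin() {
    sed -E "s/^($ADMIN_RULE)\$/# \\1/" "$1" > "$2"
}

# grants_user FILE USER -> true iff FILE has an active rule whose first word is
# USER (USER must be a plain login name; it is interpolated into a regex)
grants_user() {
    grep -Eq "^[[:blank:]]*$2[[:blank:]]+ALL[[:blank:]]*=" "$1"
}

# has_includedir FILE -> true iff FILE pulls in a sudoers.d-style directory
has_includedir() {
    grep -Eq '^[[:blank:]]*[#@]includedir[[:blank:]]+' "$1"
}

# validate_sudoers FILE -> runs the sudoers parser on FILE; a missing checker
# is a hard failure, never a silent skip
validate_sudoers() {
    command -v "$VISUDO" >/dev/null 2>&1 || { echo "$VISUDO not found" >&2; return 1; }
    "$VISUDO" -c -f "$1" >/dev/null
}

# install_0440 SRC DST -> replaces DST atomically with a 0440 copy of SRC and
# keeps DST.orig (created once) as the backup. The temp name contains a dot,
# which sudo ignores inside sudoers.d, so a crash cannot leave a live half-file.
install_0440() {
    local src=$1 dst=$2 tmp
    tmp=$(mktemp "$(dirname "$dst")/.$(basename "$dst").XXXXXX")
    cp "$src" "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$tmp"; fi   # root:wheel on macOS
    if [ -e "$dst" ] && [ ! -e "$dst.orig" ]; then cp -p "$dst" "$dst.orig"; fi
    mv -f "$tmp" "$dst"
}

# restrict_sudo_to ADMIN SUDOERS SUDOERS_D -> prints the number of %admin rules
# neutralised; on any failure nothing under SUDOERS or SUDOERS_D is touched
restrict_sudo_to() {
    local admin=$1 sudoers=$2 dropdir=$3 work n f dropin=""
    work=$(mktemp -d)                  # 0700 scratch dir, not world-writable /tmp
    n=$(count_admin_rules "$sudoers")
    comment_out_admin "$sudoers" "$work/sudoers"
    if has_includedir "$sudoers"; then
        dropin="$work/dropin"
        printf '%s ALL=(ALL:ALL) ALL\n' "$admin" > "$dropin"
    else
        # no drop-in directory is read, so the rule must live in sudoers itself
        grants_user "$work/sudoers" "$admin" || printf '%s ALL=(ALL:ALL) ALL\n' "$admin" >> "$work/sudoers"
    fi
    # Lock-out guard: the designated admin must have a rule in what gets installed.
    grants_user "${dropin:-$work/sudoers}" "$admin" || { rm -rf "$work"; echo "refusing: $admin would have no sudo rule" >&2; return 1; }
    for f in "$work/sudoers" ${dropin:+"$dropin"}; do
        validate_sudoers "$f" || { rm -rf "$work"; echo "refusing: $VISUDO rejected $f" >&2; return 1; }
    done
    [ -z "$dropin" ] || install_0440 "$dropin" "$dropdir/99-$admin"
    install_0440 "$work/sudoers" "$sudoers"
    rm -rf "$work"
    echo "$n"
}

# Usage (as root):  restrict_sudo_to mac_admin /etc/sudoers /etc/sudoers.d
# Revert:           mv /etc/sudoers.orig /etc/sudoers; rm -f /etc/sudoers.d/99-mac_admin
```

Two choices differ from the scripts in the thread. The working copy lives in a fresh mktemp -d directory (mode 0700) rather than directly in the world-writable /tmp, so no other local user can race the copy before it is validated, and the final file is written next to its destination and renamed into place, so sudo never sees a half-written sudoers. The revert is the two commands in the trailing comment; as nohillside notes in the comments, keep a second root shell open while you test this on a machine you care about.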
Amazing! It worked! Thank you very much! @nohillside
I'll add a line above that to add a user mac_admin before the script executes, so the final version should look like this.
echo 'mac_admin ALL=(ALL:ALL) ALL' >> /etc/sudoers
cp /etc/sudoers /tmp
chmod +w /tmp/sudoers
printf '/^%%admin.*ALL = (ALL) ALL$/d\nw\nq\n' | ed /tmp/sudoers
if visudo -c -f /tmp/sudoers; then
    echo "All well"
    mv -f /tmp/sudoers /etc/sudoers
    chmod -w /etc/sudoers
else
    echo "Uups, something went wrong"
fi
Just FYI I am running this script by scoping it to my machine on Jamf Pro so it executes via a recurring check-in policy.
answered Jun 2 at 11:32 by merkeesox