Remove sudoers using script


At the moment I'm working on a solution to prevent all admin users (except one particular) from running sudo. I can add a specific user to sudoers by running:

    sudo -i
    echo '$username ALL=(ALL:ALL) ALL' >> /etc/sudoers

Then I'd like to remove %admin ALL = (ALL) ALL within the sudoers file, which would just leave the above admin as the only sudo admin. However, I cannot seem to find a way to remove/replace a particular string within sudoers.

I'd like to make this into a script, hence using visudo and manually adjusting won't work for me. If there is a way to run visudo from a script and adjust a particular line within sudoers, that would be ideal, but I couldn't find anything when researching on the Web.

I've seen a solution here:

  • https://www.ibm.com/developerworks/community/blogs/brian/entry/edit_sudoers_file_from_a_script4?lang=en

which works in Linux. Is it possible to make it work in macOS?

macos command-line bash sudo






edited Jun 2 at 8:44 by nohillside
asked Jun 2 at 8:19 by merkeesox

  • At first glance the solution on the linked page should also work in macOS. Can you add some details on where/how exactly it fails? Also, as this is basically a "how do I delete a specific line from a text file with a script" type of question, what other kind of research have you already done?
    – nohillside
    Jun 2 at 8:27

  • PS: I won't go on to list the various ways how any admin user not part of sudoers can easily get their sudo rights back...
    – nohillside
    Jun 2 at 8:28

  • PPS: But you may want to use double quotes instead of single quotes in your echo statement above :-)
    – nohillside
    Jun 2 at 8:29

3 Answers
Amazing! It worked! Thank you very much! @nohillside

I'll add a line above that to add a user mac_admin before the script executes so the final version should look like this.

    # Grant mac_admin full sudo rights by appending to the live sudoers file
    echo 'mac_admin ALL=(ALL:ALL) ALL' >> /etc/sudoers

    # Work on a writable copy of sudoers
    cp /etc/sudoers /tmp
    chmod +w /tmp/sudoers
    # ed commands: delete the first line matching the %admin rule, write, quit
    printf '/^%%admin.*ALL = (ALL) ALL$/d\nw\nq\n' | ed /tmp/sudoers
    # Replace the live file only if the edited copy passes visudo's syntax check
    if visudo -c -f /tmp/sudoers; then
        echo "All well"
        mv -f /tmp/sudoers /etc/sudoers
        chmod -w /etc/sudoers
    else
        echo "Uups, something went wrong"
    fi

Just FYI I am running this script by scoping it to my machine on Jamf Pro so it executes via a recurring check-in policy.

Here's an alternate method. Lines are not added or deleted from the sudoers file. The line giving admin root rights is commented out and we create a separate file with mac_admin's rights in the directory /etc/sudoers.d. And as a bonus, the original sudoers file is backed up.

    # Stage a drop-in rule that gives mac_admin full sudo rights
    printf '%s\n' 'mac_admin ALL=(ALL:ALL) ALL' > /tmp/99-macadmin

    # Install it root-owned, mode 0440, only if visudo accepts the syntax
    visudo -c -f /tmp/99-macadmin &&
    install -o 0 -g 0 -m 440 /tmp/99-macadmin /etc/sudoers.d

    # Comment out the %admin rule (%admin followed by a tab) in a copy of sudoers
    sed $'s/%admin\t/# %admin/' /etc/sudoers > /tmp/sudoers

    # Validate the copy, then install it; -b -B .orig keeps the old file as a backup
    visudo -c -f /tmp/sudoers &&
    install -B .orig -b -o 0 -g 0 -m 440 /tmp/sudoers /etc/sudoers

    rm /tmp/sudoers /tmp/99-macadmin

answered Jun 2 at 14:44 by fd0

  • Impressive! I was not aware that's an option as my bash skills are incredibly lacking. I'll test this and let you know if it works - very interested to implement this solution as it sounds much safer than editing the actual sudoers like you said. Many thanks for your time!
    – merkeesox
    Jun 2 at 16:10

  • That worked as you described - I was just thinking however, what would a script look like to reverse this change. Would it include renaming the edited script to .orig and .orig to default? Apologies as I am just doing my best learning bash, however there might be a time when there might be a need to revert to original without doing a file any direct intervention and using Jamf Pro policy instead. I would imagine a policy for applying this change with the script you have so kindly written and a reversal policy which could be scoped to appropriate machines and undo changes.
    – merkeesox
    Jun 2 at 19:28

  • I've just realised I can just delete the edited script and rename the .orig back to default instead, sorry! That was silly of me.
    – merkeesox
    Jun 2 at 19:51

For what it's worth, you can use

    printf '/^%%admin ALL = (ALL) ALL$/d\nw\nq\n' | ed -s sudoers

or, if you want to catch the line independent of the number of space characters, tabs etc. used

    printf '/^%%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*(ALL)[[:blank:]]*ALL$/d\nw\nq\n' | ed sudoers

in bash to remove the admin line (the double %% are required to prevent printf from interpreting them as formatting instructions).

The usual caveats about editing sudoers without relying on the syntax checks done by visudo apply. So it might be safer to run the following (or at least have another root shell running so you can fix any issues without getting locked out)

    # Edit a writable copy, never the live file
    cp /etc/sudoers /tmp
    chmod +w /tmp/sudoers
    # ed commands: delete the %admin rule, write, quit
    printf '/^%%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*(ALL)[[:blank:]]*ALL$/d\nw\nq\n' \
        | ed /tmp/sudoers
    # Install the copy only if visudo accepts its syntax
    if visudo -c -f /tmp/sudoers; then
        echo "All well"
        mv -f /tmp/sudoers /etc/sudoers
        chmod -w /etc/sudoers
    else
        echo "Uups, something went wrong"
    fi

(Script untested, because I don't want to mess with my sudoers file)

    share|improve this answer















    share|improve this answer




    share|improve this answer








    edited Jun 2 at 12:22

























    answered Jun 2 at 8:44









    nohillside















    • I've tested the above script and it may indeed work with some adjustment as the echo returns "All well" however, I believe it isn't removing that particular line still as I've checked sudoers file and %admin is still present. The return code is Running script Test - edit sudoers... Script exit code: 0 Script result: 2111 ? /tmp/sudoers: parsed OK All well

      – merkeesox
      Jun 2 at 9:29












    • @merkeesox Please add your sudoers file to the question then, so it’s easier to verify what is going wrong.

      – nohillside
      Jun 2 at 10:01







    • @merkeesox Try again. BUT: currently no additional users besides root are enabled for sudo, so make sure you don’t lock yourself out!

      – nohillside
      Jun 2 at 10:50











    • That's okay, I've got the root account enabled and when I log in I can edit it back to its original values without affecting ownership and permissions of sudoers file. I'll try that now.

      – merkeesox
      Jun 2 at 10:54




























    1


















    Amazing! It worked! Thank you very much! @nohillside

    I'll add a line above that to add a user mac_admin before the script executes so the final version should look like this.

        echo 'mac_admin ALL=(ALL:ALL) ALL' >> /etc/sudoers

        cp /etc/sudoers /tmp
        chmod +w /tmp/sudoers
        printf '/^%%admin.*ALL = (ALL) ALL$/d\nw\nq\n' | ed /tmp/sudoers
        if visudo -c -f /tmp/sudoers; then
            echo "All well"
            mv -f /tmp/sudoers /etc/sudoers
            chmod -w /etc/sudoers
        else
            echo "Uups, something went wrong"
        fi

    Just FYI I am running this script by scoping it to my machine on Jamf Pro so it executes via a recurring check-in policy.






        answered Jun 2 at 11:32









        merkeesox
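Added example (not part of either answer or of the thread): the scripts above print "All well" even when ed answers `?` and deletes nothing, stage the copy under a fixed name in /tmp, and append the mac_admin rule to the live file on every recurring run. This sketch does the same job with sed instead of ed, a temporary file created beside the target, and an install step that runs only if the content changed and the candidate validates. `update_sudoers`, `ADMIN_RE` and the `SUDOERS_CHECK` override are names assumed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. update_sudoers, ADMIN_RE and the
# SUDOERS_CHECK override are names assumed here; without the override the
# real `visudo -c -f` validates the candidate.

# ERE form of the answer's [[:blank:]] pattern for the %admin rule.
ADMIN_RE='^%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*\(ALL\)[[:blank:]]*ALL$'

# update_sudoers FILE [RULE_TO_ENSURE]
# Status: 0 = FILE replaced; 1 = edit or validation failed, FILE untouched;
#         2 = nothing to change, FILE untouched.
update_sudoers() (
    target=$1
    ensure=${2:-}
    check=${SUDOERS_CHECK:-visudo -c -f}

    # Unpredictable name beside the target rather than a fixed /tmp/sudoers;
    # staying in the same directory keeps the final mv an atomic rename.
    tmp=$(mktemp "$target.XXXXXX") || exit 1

    # Candidate = original minus the %admin rule, plus RULE_TO_ENSURE only if
    # no identical line exists, so recurring runs do not pile up duplicates.
    if ! sed -E "/$ADMIN_RE/d" "$target" > "$tmp"; then
        rm -f "$tmp"; exit 1
    fi
    if [ -n "$ensure" ] && ! grep -Fxq -- "$ensure" "$tmp"; then
        printf '%s\n' "$ensure" >> "$tmp"
    fi

    # Report "no change" explicitly instead of printing a success message.
    if cmp -s "$target" "$tmp"; then
        rm -f "$tmp"; exit 2
    fi

    # Install only if the rule is really gone and the candidate still parses.
    if grep -Eq "$ADMIN_RE" "$tmp" || ! $check "$tmp" >/dev/null 2>&1 ||
       ! chmod 0440 "$tmp"; then
        rm -f "$tmp"; exit 1
    fi
    mv -f "$tmp" "$target"
)
```

Try it on a scratch copy first, for example `update_sudoers ./sudoers.copy 'mac_admin ALL=(ALL:ALL) ALL'`, and treat status 2 as "already in the desired state" in a recurring policy.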















