Solved Scripted visudo updates
-
So in an on-going process to not loathe everything Apple I'm trying to make my life a little easier, and in order to do this, I would love to simply sed in a few changes to visudo.
To do this manually (which is what I'm handling currently) I'll ssh into a workstation, elevate to my administrative user, and then run
sudo visudo
and copy in the changes for the Cmnd_Alias and the specific permission changes I need to make. Does anyone have a relatively less painful way of getting this updated that could be executed via script (even if I still had to do this for the already deployed systems)?
-
Does Mac have an /etc/sudoers.d?
-
@stacksofplates yes.
-
Just drop in a file with the sudo permissions there. A good convention is to name the file the user/group name and then put the user or group in the file with the permissions. It should be picked up by the system then. That's just the dump directory for configs so you don't have to edit /etc/sudoers.
-
@stacksofplates said in Scripted visudo updates:
Just drop in a file with the sudo permissions there. A good convention is to name the file the user/group name and then put the user or group in the file with the permissions. It should be picked up by the system then. That's just the dump directory for configs so you don't have to edit /etc/sudoers.
So would I simply drop a file with my Cmnd_Alias and users there?
Sorry (just looking to see an example)
-
@DustinB3403 said in Scripted visudo updates:
So would I simply drop a file with my Cmnd_Alias and users there?
Sorry (just looking to see an example)
Here's an example. The file could be called dustin:
dustin ALL=(ALL) NOPASSWD: ALL
-
So you prob have more complicated sudo rules than that but you get the point.
-
@stacksofplates said in Scripted visudo updates:
Here's an example. The file could be called dustin:
dustin ALL=(ALL) NOPASSWD: ALL
Gotcha, so yeah I'd just set up a touch and vi process to add a file to that location with my permissions.
Thanks for the clarity.
-
@DustinB3403 said in Scripted visudo updates:
Gotcha, so yeah I'd just set up a touch and vi process to add a file to that location with my permissions.
Thanks for the clarity.
use cat instead of vi to automatically write the file
cat > /etc/sudoers.d/dustin <<\EOF
dustin ALL=(ALL) NOPASSWD: ALL
EOF
-
@IRJ said in Scripted visudo updates:
use cat instead of vi to automatically write the file
cat > /etc/sudoers.d/dustin <<\EOF
dustin ALL=(ALL) NOPASSWD: ALL
EOF
Or just use SED to modify it.
-
@scottalanmiller said in Scripted visudo updates:
Or just use SED to modify it.
He is creating a new file, but yeah if he was just adding to /etc/sudoers
-
So no matter how I set up this file, when I go and test it, I'm getting syntax issues.
Definitely going to keep working on this, but need some food.
-
Well I managed to get the file created, I had to use visudo to create a custom file with my edits.
I'm testing it now to see if everything works.
-
@IRJ said in Scripted visudo updates:
use cat instead of vi to automatically write the file
cat > /etc/sudoers.d/dustin <<\EOF
dustin ALL=(ALL) NOPASSWD: ALL
EOF
Or set up a template in your automation
-
@DustinB3403 said in Scripted visudo updates:
Well I managed to get the file created, I had to use visudo to create a custom file with my edits.
I'm testing it now to see if everything works.
Really? It doesn't let you just sudo a file in the dump directory? I wonder how they are enforcing that?
-
@stacksofplates said in Scripted visudo updates:
Really? It doesn't let you just sudo a file in the dump directory? I wonder how they are enforcing that?
Yeah, not sure why it was having a hissy fit over it, but I've got a good working custom sudoer.d/god file now that can be used for what I have, and I can simply cp that into the appropriate folder and reset the perms on it (if required) to get everything working.
Thanks for the help guys!
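-
Added example (not part of the original thread or any poster's script): a POSIX shell function that stages a drop-in, checks it with visudo -cf, and only then renames it into /etc/sudoers.d with mode 0440, so a syntax error never reaches the live configuration. The function name and the SUDOERS_DIR / SUDOERS_CHECK override variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only after it passes a syntax check.
# SUDOERS_DIR and SUDOERS_CHECK are hypothetical override variables for this sketch.
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"
SUDOERS_CHECK="${SUDOERS_CHECK:-visudo -cf}"   # -c = check only, -f = file to check

# install_sudoers_dropin NAME   (the rule text is read from stdin)
# Returns 0 on success, 2 on a bad name, 3 on a failed syntax check, 1 otherwise.
install_sudoers_dropin() {
    name=$1
    # sudo skips drop-in files whose names contain '.' or end in '~'.
    case $name in
        ''|*/*|*.*|*~) echo "refusing file name: '$name'" >&2; return 2 ;;
    esac
    # Stage inside the target directory so the final mv is an atomic rename.
    # The '.' in the staging name means sudo ignores the file while it is staged.
    tmp=$(mktemp "$SUDOERS_DIR/.stage.XXXXXX") || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    # Validate before the file goes live; a broken drop-in can stop sudo working.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$tmp"
        return 3
    fi
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}

# Usage (run as root so the installed file is owned by root), with the rule
# from the thread:
#   install_sudoers_dropin dustin <<'EOF'
#   dustin ALL=(ALL) NOPASSWD: ALL
#   EOF
```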