GEEK: editing groups, using sudo
2007-12-12 01:20 am
On Mac OS X, the recommended command line tool for editing groups appears to be dseditgroup.
Add a user to a group:
* dseditgroup -o edit -a crasch www
Remove a user from a group:
* dseditgroup -o edit -d crasch www
Check to see if user is a member of group:
————
Check out Eliminating Root with Sudo by Michael W. Lucas for more info on sudo.
To set up sudo logging:
* To see what commands you can run as sudo on a system:
$ sudo -l
* To inspect what commands another user may run:
$ sudo sudo -u someotheruser sudo -l
User someotheruser may run the following commands on this host:
(ALL) NOPASSWD: /usr/sbin/cleanup-logs
* Add an entry like the following to your /etc/sudoers file to let a user (here crasch) run any command as root without a password:
crasch ALL=(ALL) NOPASSWD: ALL
Note that you should use the visudo command to edit the sudoers file. It will check your syntax before saving the file.
* The last entry in the /etc/sudoers file takes precedence. For example, assume crasch is a member of the admin group, and assume that the entries in the sudoers file look like this:
crasch ALL=(ALL) NOPASSWD: ALL
%admin ALL=(ALL) ALL
crasch will still have to enter a password to execute sudo commands, because he’s a member of the admin group, whose sudo configuration requires a password. To make it so that crasch doesn’t have to enter a password, put the sudo entries in this order.
%admin ALL=(ALL) ALL
crasch ALL=(ALL) NOPASSWD: ALL
Note that “crasch” and “ALL=(ALL) NOPASSWD: ALL” are separated by tabs, not spaces.
* To start sudo logging, you must configure your /etc/syslog.conf file:
# This logs successful and failed sudo attempts to the file /var/log/sudo.log
# Note that:
#
# 1. You must create the sudo.log file before syslogd will start logging to it
# sudo touch /var/log/sudo.log
#
# 2. You must restart the syslogd process:
# $ kill -HUP process_id
#
# 3. The two columns in the config below should be separated by tabs,
# not spaces.
local2.debug /var/log/sudo.log
* You can test sudo logging as follows. After running this command:
$ sudo hostname
mymachine.com
…you should see an entry like this in the /var/log/sudo.log file:
$ tail -f /var/log/sudo.log
Dec 12 03:08:40 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/private/etc ; USER=root ; COMMAND=/bin/hostname
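Once sudo.log is being written, the entries are worth reviewing rather than just collected. The following is an added example (not from the original post) that parses lines in the format shown above, including the failure variants sudo writes with the same layout, and flags failed attempts and root commands outside a per-user allow-list; the sample log and the POLICY allow-list are constructed for illustration.

```python
import re

# Matches the sudo syslog entry format shown on the page. sudo inserts a reason
# ("command not allowed", "3 incorrect password attempts", "user NOT in sudoers")
# between the username and TTY= when it refuses to run the command.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<reason>.+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def parse_sudo_log(lines):
    """Return one dict per recognised sudo entry; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = SUDO_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ok"] = ev["reason"] is None  # no reason text means sudo ran the command
            events.append(ev)
    return events

def review_sudo_log(lines, allowed_root_cmds):
    """Flag refused attempts and root commands not in the user's allow-list.
    allowed_root_cmds maps user -> set of executable paths (hypothetical policy)."""
    findings = []
    for ev in parse_sudo_log(lines):
        prog = ev["cmd"].split()[0]  # executable path without its arguments
        if not ev["ok"]:
            findings.append(("failure", ev["user"], ev["reason"], ev["cmd"]))
        elif ev["runas"] == "root" and prog not in allowed_root_cmds.get(ev["user"], set()):
            findings.append(("unexpected-root-command", ev["user"], ev["runas"], ev["cmd"]))
    return findings

# Constructed sample of /var/log/sudo.log content (not a real capture).
SAMPLE_LOG = """\
Dec 12 03:08:40 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/private/etc ; USER=root ; COMMAND=/bin/hostname
Dec 12 03:09:12 mymachine sudo: someotheruser : TTY=ttyp1 ; PWD=/Users/someotheruser ; USER=root ; COMMAND=/usr/sbin/cleanup-logs
Dec 12 03:10:01 mymachine sudo: someotheruser : command not allowed ; TTY=ttyp1 ; PWD=/Users/someotheruser ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Dec 12 03:11:30 mymachine sudo: guest : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Dec 12 03:12:05 mymachine syslogd: restart
Dec 12 03:13:44 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/private/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# Hypothetical allow-list mirroring the sudoers examples above.
POLICY = {"crasch": {"/bin/hostname"}, "someotheruser": {"/usr/sbin/cleanup-logs"}}

if __name__ == "__main__":
    for finding in review_sudo_log(SAMPLE_LOG.splitlines(), POLICY):
        print(" | ".join(finding))
```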
Original: craschworks