
Editing /etc/sudoers to manage sudo rights for users and groups

In some environments, it may be desirable to give users admin rights while restricting those users from being able to run commands with root privileges while using the command line.

A way to achieve this “admin user in the GUI, standard user on the command line” method is to edit the /etc/sudoers file. This is the configuration file referenced by the sudo command line tool, which allows a user with the correct sudo rights to execute a command with root privileges, or using another user account’s privileges.

By default, all user accounts with admin rights on both OS X and macOS have full rights to use the sudo tool. By removing those accounts’ rights for sudo from the /etc/sudoers file, user accounts with admin rights will not be able to run commands with root privileges using the sudo tool. For more details, see below the jump.

Editing /etc/sudoers

To edit the /etc/sudoers file safely, make sure to use the visudo utility. This tool checks the syntax of your changes to /etc/sudoers before putting them into production, so a typo cannot leave you with a sudoers file that sudo refuses to read.

By default, visudo uses vi as its text editor. If you want to use an alternative text editor, this can be achieved by setting the EDITOR environment variable to an alternate value, then launching visudo.

For example, if you want to use TextWrangler to edit the /etc/sudoers file, make sure you have TextWrangler’s command line tools installed and then run the following command with root privileges:

EDITOR=edit visudo


Alternatively, if you want to use the nano editor (also known as pico), run the following command with root privileges:

EDITOR=nano visudo


Removing the admin group’s entry from the /etc/sudoers file

To remove the sudo rights for all users with admin privileges, use the procedure below:

1. Use visudo to access the /etc/sudoers file.
2. Navigate to the User privilege specification section.

In that section, you should see a line like this:

%admin      ALL=(ALL) ALL

The % symbol indicates that a group is being referenced; in this case, the group named admin. Membership in the admin group is what grants a user admin rights, so commenting out or removing this entry means that members of that group will no longer have rights to use the sudo tool.

3. To remove the entry for the admin group, you can take either of the following actions:

A. Comment out that line

B. Delete the line

Note: Make sure to leave the following entry intact and unedited:

root      ALL=(ALL) ALL

Deleting that entry would mean that not even the root user would be able to use the sudo tool.

Adding entries to the /etc/sudoers file

After removing the entry for the admin group from the /etc/sudoers file, you may want to add additional entries for specific users or groups. For example, you may not want to grant sudo rights to all admin users but you do want to grant them to the local admin account and the primary user of the Mac in question. In this case, we’re assuming that the local admin and the primary user have the following accounts:

Local admin account: admin
Primary user’s account: username

Adding the following entries to the /etc/sudoers file would allow you to give full sudo rights to the admin and username accounts:

admin      ALL=(ALL) ALL
username      ALL=(ALL) ALL
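As an added example (not code from the original post), the edit described above expressed as a small shell script: it comments out the %admin group entry, appends the per-account entries, lists who still holds an ALL=(ALL) ALL grant, and refuses a result that has lost the root entry. The sudoers text and the account names admin and username are constructed samples.

```shell
#!/bin/sh
# Constructed sample of the "User privilege specification" section of a
# stock macOS /etc/sudoers (a sample, not copied from any real system).
SAMPLE_SUDOERS='# User privilege specification
root      ALL=(ALL) ALL
%admin    ALL=(ALL) ALL
'

# Print each principal (user, or %group) that holds a full ALL=(ALL) ALL
# grant in the sudoers text read on stdin. Commented-out lines and
# Defaults lines are ignored, so a line disabled with "#" no longer counts.
list_full_grants() {
    awk '
        /^[[:space:]]*#/        { next }
        /^[[:space:]]*Defaults/ { next }
        $2 == "ALL=(ALL)" && $3 == "ALL" { print $1 }
    '
}

# Apply the edit from the post to the sudoers text on stdin:
#   step 3A: comment out the %admin group entry
#   then:    append full-rights entries for the local admin account and
#            the primary user's account (names passed as arguments)
restrict_admin_group() {
    local_admin="$1"
    primary_user="$2"
    sed 's/^\(%admin[[:space:]]\)/#\1/'
    printf '%s      ALL=(ALL) ALL\n' "$local_admin" "$primary_user"
}

# Guard for the note in the post: return 0 only if the candidate sudoers
# text on stdin still carries the root entry; otherwise return 1.
root_entry_intact() {
    list_full_grants | grep -qx 'root'
}

# Demonstration: who held full sudo rights before and after the edit.
printf '%s' "$SAMPLE_SUDOERS" | list_full_grants
printf '%s' "$SAMPLE_SUDOERS" | restrict_admin_group admin username | list_full_grants
```

On a real Mac, write the result to a temporary file and run `visudo -c -f <that file>` so visudo checks it before it replaces /etc/sudoers.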

Once the desired edits have been made, save the changes.

The new permissions will take effect immediately after the changes have been saved.

For more information on configuring sudo, I recommend referencing the sudo manpage or Apple’s documentation for sudo.

  1. July 11, 2016 at 10:00 am

    On my system I need to preface `visudo` or `EDITOR=edit visudo` with the `sudo` command or I get a “visudo: /etc/sudoers: Permission denied” error.

  2. July 11, 2016 at 10:05 am

    It’s probably also a good idea to read the man page for the sudoers file itself – `man sudoers`.

  3. July 11, 2016 at 3:23 pm

    FYI, we have a python script in our github repo called “Sudoers Manager” that lets you manage the shudders file in an enterprise environment. Take a look:

    https://github.com/univ-of-utah-marriott-library-apple/sudoers_manager

  4. July 11, 2016 at 3:24 pm

    Sorry about the autocorrect 😉 Should be …lets you manage the sudoers file…

  5. Tobias
    July 11, 2016 at 7:00 pm

    You might also want to add the following line to the sudoers file:
    Defaults tty_tickets

    By default, invoking sudo maintains the session for 15 minutes, which means that you do not have to enter the password again within that time. However, this is not bound to subsequent Terminal windows/tabs, which means that your session could be hijacked by an attacker. Adding this line will make sure that the sudo session is limited to the same console.

  6. July 14, 2016 at 12:28 pm

    visudo -s launches the sudoers file in an editable way; the -s part means if you’ve done something wrong it won’t save your changes.

  7. July 14, 2016 at 12:30 pm

    I added the developer group to the sudoers file so I could control which commands users could execute, eg %_developer ALL=/usr/bin/, /usr/sbin/, !/usr/bin/su, !/usr/bin/sudo -s,

  8. July 20, 2016 at 11:59 am

    Is there a way to prevent running “sudo -s” or “sudo su” or any other command that switches you to root user (“#” prompt)?

  9. July 20, 2016 at 12:01 pm

    Is it possible to prevent users from switching to root user (“sudo -s”, or “sudo su”, etc.)?

    PS, realizing that once you have admin rights, all bets are off… 😉

    Don
