Restriction of the sudo command

I would like to verify the correct groups and user and the correct authorities.

Does this look correct? And can I remove the wheel group from carte blanche sudo status?



+Casa-XXXX-iMac:~ XXXX$ sudo cat /etc/sudoers+
Password:
+# sudoers file.+
#
+# This file MUST be edited with the 'visudo' command as root.+
#
+# See the sudoers man page for the details on how to write a sudoers file.+
#

+# Host alias specification+

+# User alias specification+

+# Cmnd alias specification+

+# Defaults specification+
+Defaults env_reset+
+Defaults env_keep += "BLOCKSIZE"+
+Defaults env_keep += "COLORFGBG COLORTERM"+
+Defaults env_keep += "_CF_USER_TEXTENCODING"+
+Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"+
+Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"+
+Defaults env_keep += "LINES COLUMNS"+
+Defaults env_keep += "LSCOLORS"+
+Defaults env_keep += "SSH_AUTH_SOCK"+
+Defaults env_keep += "TZ"+
+Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"+
+Defaults env_keep += "EDITOR VISUAL"+

+# Runas alias specification+

+# User privilege specification+
+root ALL=(ALL) ALL+
+%admin ALL=(ALL) ALL+

+# Uncomment to allow people in group wheel to run all commands+
+# %wheel ALL=(ALL) ALL+

+# Same thing without a password+
+# %wheel ALL=(ALL) NOPASSWD: ALL+

+# Samples+
+# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom+
+# %users localhost=/sbin/shutdown -h now+

iMac 2.4 GHz Intel Core 2 Duo, 4 GB RAM, Mac OS X (10.5.7), Bootcamp 50 GB Windows 7

Posted on Jun 12, 2009 11:06 PM

8 replies

Jun 13, 2009 6:03 AM in response to pianoman1976

Except for the following lines, it looks just like my unmodified /etc/sudoers file:

+Defaults env_keep = "BLOCKSIZE"
+Defaults env_keep = "COLORFGBG COLORTERM"
+Defaults env_keep = "_CF_USER_TEXTENCODING"
+Defaults env_keep = "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
+Defaults env_keep = "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
+Defaults env_keep = "LINES COLUMNS"
+Defaults env_keep = "LSCOLORS"
+Defaults env_keep = "SSH_AUTH_SOCK"
+Defaults env_keep = "TZ"
+Defaults env_keep = "DISPLAY XAUTHORIZATION XAUTHORITY"
+Defaults env_keep = "EDITOR VISUAL"

My file looks like:

Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "_CF_USER_TEXTENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"

I do not know if your /etc/sudoers file looks just like it was displayed in the post, or if this is some side effect of forum formatting which could have been eliminated if you had wrapped your /etc/sudoers posting in

...
...
...

tags.

Jun 13, 2009 6:14 AM in response to pianoman1976

..." Does this look correct?"...

No, the "Defaults specification" system would seem to be wrong. To avoid errors, the 'sudoers' file should only be edited with 'visudo' and opening what you have posted with 'visudo' causes it to object to that section. Comparing the file to my "/private/etc/sudoers.system_default" file, it would appear most of the '+' signs are in the wrong place.

..." And can I remove the wheel group from carte blanche sudo status?"...

Note that lines beginning with '#' are "comments", i.e. anything that follows in the line is not interpreted as a specification. Since the lines mentioning the "wheel" group are commented, the "wheel" group does not have "carte blanche" status so the lines can be left as-is.

Jun 13, 2009 10:57 AM in response to BobHarris

Here it is:

Casa-XXles-iMac:~ XXXn$ sudo cat /etc/sudoers 
Password:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "_CF_USER_TEXTENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

Jun 13, 2009 11:03 AM in response to biovizier

Note that lines beginning with '#' are "comments", i.e. anything that follows in the line is not interpreted as a specification. Since the lines mentioning the "wheel" group are commented, the "wheel" group does not have "carte blanche" status so the lines can be left as-is.

Maybe this is a question for another thread or for me to find out on my own researching the sudoers file - but what purpose do the comments serve? Why comment on the wheel group like this? What does it mean?

Message was edited by: pianoman1976

Jun 13, 2009 11:11 AM in response to biovizier

No, the "Defaults specification" system would seem to be wrong. To avoid errors, the 'sudoers' file should only be edited with 'visudo' and opening what you have posted with 'visudo' causes it to object to that section. Comparing the file to my "/private/etc/sudoers.system_default" file, it would appear most of the '+' signs are in the wrong place.

Could someone be so kind as to walk me through how to repair my sudoers file to its default state, or even better - a more restricted state for better security? I've never used visudo before.

I would like to restrict sudo users to being able to access only required commands.


Thank you.

Message was edited by: pianoman1976

Jun 13, 2009 3:31 PM in response to pianoman1976

but what purpose do the comments serve? Why comment on the wheel group like this? What does it mean?

What does it hurt?

It gives examples of what can be done. It is useful for a Mac OS X Server situation in a company where there can be multiple 24/7 administrators, and using Wheel (as in a "Big Wheel") is a way to specify administrators (commonly used in Unix admin situations).

If you do not like comments, feel free to delete them. But for the rest of us that like examples of what might be done, it is a blessing.

Jun 13, 2009 3:48 PM in response to pianoman1976

Could someone be so kind as to walk me through how to repair my sudoers file to its default state

Like I said in my reply, the only difference between your file and mine was the + in column 1 vs +=. Everything else was identical.
I've never used visudo before.

visudo is just Vim in a wrapper that makes sure only 1 person is editing /etc/sudoers (sudo is frequently used in an environment with multiple administrators that get their privileges via sudo, so having 2 privileged users editing /etc/sudoers at the same time can result in a corrupted file where sudo is unable to read the file and grant anyone elevated privileges; been there, been subjected to that multiple times at work - very annoying).
I would like to restrict sudo users to being able to access only required commands .

Who are the "sudo users"?

See:
man sudoers
man sudo
man visudo

Here are some examples:
<http://www.sudo.ws/sudo/man/sudoers.html#examples>

<http://www.gratisoft.us/sudo/sample.sudoers>

<http://www.linuxhomenetworking.com/wiki/index.php/Quick HOWTO_:_Ch09_:_Linux_Users_and_Sudo#Simple_.2Fetc.2FsudoersExamples>

One Note Of Caution. If you screw up /etc/sudoers, you may not be able to do ANY admin work. So have a backup plan, such as knowing how to boot into single user mode and copy a saved known good /etc/sudoers.saved file as your "get out of jail" card. Also make sure the owner and permissions are correct.
-r--r----- 1 root wheel 1135 Sep 23 2007 /etc/sudoers
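As an added example (not code from any post in this thread), the following Python script audits a sudoers file for the two things asked above: it lists who has "carte blanche" (ALL) and shows that the commented %wheel lines grant nothing, and it checks the file's mode and owner against the -r--r----- root listing given for /etc/sudoers. The sample sudoers inside it is constructed: the default entries quoted in the thread plus a %backup entry and a DISKTOOLS Cmnd_Alias that are assumptions for illustration, not from anyone's actual file. It parses only the syntax seen in this thread (no wildcards, negations, #include or Host/User aliases) and is an audit aid, not a replacement for checking with visudo.

```python
"""Audit a sudoers file for this thread's two questions: who has 'carte
blanche' (ALL), and why commented '#' lines grant nothing; plus the 0440
mode check. Added example, not from the posts; handles only the syntax the
thread shows and is no substitute for 'visudo -c'."""
import os
import re
import stat
import tempfile

# Constructed sample (assumption, not the poster's file): the Mac OS X 10.5
# defaults quoted in the thread plus restricted entries of the kind asked for.
# %users is the default file's own sample; %backup and DISKTOOLS are made up.
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
Defaults env_keep += "SSH_AUTH_SOCK"
Cmnd_Alias DISKTOOLS = /sbin/mount, \\
                       /sbin/umount
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%backup ALL=(root) NOPASSWD: DISKTOOLS, /usr/bin/rsync
"""

_ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# who host=(runas) commands      e.g.  %admin ALL=(ALL) ALL
_SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def logical_lines(text):
    """Join '\\' continuations; drop blanks and '#' comments (a commented
    %wheel line never reaches the parser, which is why it grants nothing)."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        stripped, buf = (buf + raw).strip(), ""
        if stripped and not stripped.startswith("#"):
            yield stripped

def _split_commands(cmd_field, aliases):
    """Expand a comma list; NOPASSWD: sticks to later commands until PASSWD:."""
    commands, nopasswd, no_pw = [], set(), False
    for item in cmd_field.split(","):
        item = item.strip()
        for tag, value in (("NOPASSWD:", True), ("PASSWD:", False)):
            if item.startswith(tag):
                no_pw, item = value, item[len(tag):].strip()
        expanded = aliases.get(item, [item])   # Cmnd_Alias name or literal
        commands.extend(expanded)
        if no_pw:
            nopasswd.update(expanded)
    return commands, nopasswd

def parse_sudoers(text):
    """Return (Cmnd_Alias map, privilege entries) for the subset handled."""
    aliases, entries = {}, []
    for line in logical_lines(text):
        m = _ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue          # Defaults and other alias kinds are not audited
        m = _SPEC.match(line)
        if m:
            who, host, runas, cmd_field = m.groups()
            commands, nopasswd = _split_commands(cmd_field, aliases)
            entries.append({"who": who, "host": host, "runas": runas or "root",
                            "commands": commands, "nopasswd": nopasswd})
    return aliases, entries

def unrestricted(entries):
    """Users or %groups allowed ALL commands: the 'carte blanche' set."""
    return [e["who"] for e in entries if "ALL" in e["commands"]]

def perms_problems(path, expected_uid=0):
    """Findings against the -r--r----- root ownership shown for /etc/sudoers."""
    st, problems = os.stat(path), []
    if stat.S_IMODE(st.st_mode) != 0o440:
        problems.append("mode %04o, expected 0440" % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    return problems

def audit_temp_copy():
    """Write the sample to a 0440 temp file, run both checks, clean up."""
    fd, path = tempfile.mkstemp(prefix="sudoers.")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_SUDOERS)
    os.chmod(path, 0o440)
    try:
        with open(path) as f:
            _, entries = parse_sudoers(f.read())
        return unrestricted(entries), perms_problems(path, os.getuid())
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(audit_temp_copy())   # (['root', '%admin'], [])
```

The %users and %backup entries are the shape of a restricted grant: a host list, an optional (runas) user, then an explicit command list, where a NOPASSWD: tag applies to every command after it until a PASSWD: tag. On the sample, only root and %admin come back as unrestricted; the commented %wheel lines are discarded before parsing, which is the point made above. Keep doing real edits through visudo, which checks the syntax before the file is saved; this script only reads.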
