Admin Accounts and the Sudoers list

mjames
Contributor

Hey All,

I am not sure how possible this is, but I am looking for a way to have an admin user on a system, but to remove them from the Sudoers list - more or less, I want them to be able to do more or less what they like on the system in so far as installing software, accessing permissions and adding devices, but I do not want them to be able to get into Terminal and operate with Sudo privileges...

Any ideas?

1 ACCEPTED SOLUTION

nessts
Valued Contributor II

Well, what it sounds like to me is that you have a new CS7 Corvette and you are getting it valet parked, but leaving the valet key on the keyring that you hand the valet.

To remove sudo access, all you have to do in a post-install script is run something like this:
# Parentheses are escaped so the pattern matches the literal (ALL) in the sudoers rule
perl -pi -e 's/^(%admin\s+ALL\s*=\s*\(ALL\)\s*ALL)/#$1/' /etc/sudoers
and then you may want to add a line for your specific admin user to have sudo.
But essentially, if they have admin and any sort of imagination, they can get sudo fixed.

I would not make them admins, and provide software they need to install through self service.

5 REPLIES

makander
Contributor

Can't you block software with Casper? That might work.

scottb
Honored Contributor

Here's a good page with options. We used to use MCX on the Xserve for this, so you can do it in Casper. There are also other suggestions here.

https://jamfnation.jamfsoftware.com/discussion.html?id=5308

mjames
Contributor

@nessts

Unfortunately, this isn't my call. Our director insists the boys have admin rights on their systems (we are a 1 to 1 school from year 5-12), something about them needing to take responsibility for the systems. Personally, I would love to take admin rights away. The problem we have is that the boys have figured out how to remove some monitoring software we install on their systems by using sudo. But thanks for the info, I will give it a go.

@boettechs - thanks for the link, I will check it out.

Josh_S
Contributor III

Make sure you test thoroughly, and you might want to give a local admin account, and probably your Casper management account, a backdoor. You could define another group that gives sudo access specifically for this, or just hardcode in your local accounts.

I don't believe Casper requires sudo access to do anything on one of the installed triggers, but I'm pretty sure it does if you push something with Casper Remote.
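
The approach discussed in this thread (disable the %admin rule, keep sudo for a dedicated group, and test before deploying), sketched as an added example that is not code from any poster. The group name `itsudo` and the function names are hypothetical, and the `root:wheel` ownership in `install_sudoers` assumes macOS.

```shell
#!/bin/sh
# Added example: build a hardened copy of a sudoers file, then install it
# only if sudo can parse it. "itsudo" is a hypothetical group name.

# harden_sudoers SRC DST [GROUP]
# Writes DST as a copy of SRC with the active %admin rule commented out
# and a rule for GROUP appended. Safe to run more than once.
harden_sudoers() {
    src=$1; dst=$2; grp=${3:-itsudo}
    # Match the rule with any mix of tabs/spaces around '='; \( \) are literal.
    sed -E 's/^(%admin[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]*ALL[[:space:]]*)$/#\1/' \
        "$src" > "$dst" || return 1
    # Keep a way back in: grant sudo to the dedicated group, once.
    grep -Eq "^%${grp}[[:space:]]" "$dst" ||
        printf '%%%s ALL=(ALL) ALL\n' "$grp" >> "$dst"
}

# install_sudoers CANDIDATE
# Run as root. Refuses to install a file that fails the visudo syntax check,
# since a broken /etc/sudoers locks everyone out of sudo.
install_sudoers() {
    visudo -cf "$1" || return 1
    install -m 0440 -o root -g wheel "$1" /etc/sudoers
}

# Typical use in a post-install script (commented out so that sourcing
# this file changes nothing):
#   harden_sudoers /etc/sudoers /private/tmp/sudoers.new itsudo &&
#       install_sudoers /private/tmp/sudoers.new
```

As noted in the thread, this only removes the default rule; an account that still has admin rights has other ways to regain sudo.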