crasch (crasch) wrote,

GEEK: editing groups, using sudo

On Mac OS X, the recommended command line tool for editing groups appears to be dseditgroup.

Add a user to a group:

* dseditgroup -o edit -a crasch www

Remove a user from a group:

* dseditgroup -o edit -d crasch www

Check whether a user is a member of a group:

Check out Eliminating Root with Sudo by Michael W. Lucas for more info on sudo.

To set up sudo logging:

* To see what commands you can run as sudo on a system:

$ sudo -l

* To inspect what commands another user may run:

$ sudo sudo -u someotheruser sudo -l
User someotheruser may run the following commands on this host:
(ALL) NOPASSWD: /usr/sbin/cleanup-logs

* Add the following to your /etc/sudoers file to let crasch run any command as root without a password:

crasch	ALL=(ALL) NOPASSWD: ALL

Note that you should use the visudo command to edit the sudoers file. It will check your syntax before saving the file.

* The last matching entry in the /etc/sudoers file takes precedence. For example, assume crasch is a member of the admin group, and assume that the entries in the sudoers file look like this:

crasch	ALL=(ALL) NOPASSWD: ALL
%admin	ALL=(ALL) ALL

crasch will still have to enter a password to execute sudo commands, because he’s a member of the admin group, whose entry comes last and requires a password. To make it so that crasch doesn’t have to enter a password, put the sudo entries in this order:

%admin	ALL=(ALL) ALL
crasch	ALL=(ALL) NOPASSWD: ALL

Note that “crasch” and “ALL=(ALL) NOPASSWD: ALL” are separated by tabs, not spaces.
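The last-match rule described above, as an added example that is not part of the original post: a small Python resolver that parses a constructed sudoers fragment (only a minimal subset of the syntax is assumed: a user or %group, host=(runas), an optional NOPASSWD: tag and a single command; no aliases, Defaults lines or command lists) and reports whether a given user, with a given set of group memberships, would be prompted for a password. Running it over both orderings shown above reproduces the behaviour the post describes; the host name and group set are assumptions for the example.

```python
import re

# Constructed sudoers fragments for the example (tab between columns, as in the post).
# Assumed syntax subset: "user_or_%group<tab>host=(runas) [NOPASSWD:] command"
# with no aliases, Defaults lines or command lists.
SUDOERS_NOPASSWD_FIRST = "crasch\tALL=(ALL) NOPASSWD: ALL\n%admin\tALL=(ALL) ALL\n"
SUDOERS_NOPASSWD_LAST = "%admin\tALL=(ALL) ALL\ncrasch\tALL=(ALL) NOPASSWD: ALL\n"

ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$"
)


def parse_sudoers(text):
    """Parse the supported subset into a list of entry dicts, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        entries.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd").strip(),
        })
    return entries


def effective_entry(entries, user, groups, host="mymachine", command="ALL"):
    """Return the last entry that matches, mirroring sudo's last-match rule."""
    chosen = None
    for e in entries:
        who = e["who"]
        who_ok = who == "ALL" or who == user or (who.startswith("%") and who[1:] in groups)
        host_ok = e["host"] in ("ALL", host)
        cmd_ok = e["cmd"] == "ALL" or e["cmd"] == command
        if who_ok and host_ok and cmd_ok:
            chosen = e           # a later match overrides an earlier one
    return chosen


def needs_password(text, user, groups, host="mymachine", command="ALL"):
    """True if prompted, False if NOPASSWD applies, None if sudo would refuse."""
    e = effective_entry(parse_sudoers(text), user, set(groups), host, command)
    return None if e is None else not e["nopasswd"]


if __name__ == "__main__":
    # Assumed for the example: crasch is in the admin group, host is "mymachine".
    for name, text in (("NOPASSWD first", SUDOERS_NOPASSWD_FIRST),
                       ("NOPASSWD last", SUDOERS_NOPASSWD_LAST)):
        print(f"{name}: crasch needs password = {needs_password(text, 'crasch', {'admin'})}")
```

The resolver keeps walking the whole file instead of stopping at the first hit, which is exactly why the order of the two lines changes the answer. A practical check before saving with visudo is to run the intended user and group set through something like this and confirm the entry you expect is the one that ends up last.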

* To start sudo logging, you must configure your /etc/syslog.conf file:

# This logs successful and failed sudo attempts to the file /var/log/sudo.log
# Note that:
# 1. You must create the sudo.log file before syslogd will start logging to it
# sudo touch /var/log/sudo.log
# 2. You must restart the syslogd process:
# $ kill -HUP process_id
# 3. The two columns in the config below should be separated by tabs,
# not spaces.

local2.debug /var/log/sudo.log

* You can test sudo logging as follows. After running this command:

$ sudo hostname

…you should see an entry like this in the /var/log/sudo.log file:

$ tail -f /var/log/sudo.log
Dec 12 03:08:40 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/private/etc ; USER=root ; COMMAND=/bin/hostname
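To turn the log file into something you can actually check, here is an added Python example (not from the original post) that parses lines in the format shown above and summarizes them: denied attempts, successful commands that started a root shell, and a per-user count. The sample lines are constructed for the example; the assumption that a denied request carries a short message (such as "command not allowed") between the user name and the TTY= field, and the list of shell paths worth flagging, are mine.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post (not from a real system).
# Assumption: when sudo denies a request it logs a short message ("command not
# allowed", "3 incorrect password attempts") between the user name and TTY=.
SAMPLE_LOG = """\
Dec 12 03:08:40 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/private/etc ; USER=root ; COMMAND=/bin/hostname
Dec 12 03:09:02 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/Users/crasch ; USER=root ; COMMAND=/usr/sbin/visudo
Dec 12 03:10:15 mymachine sudo: guest : command not allowed ; TTY=ttyp1 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Dec 12 03:11:30 mymachine sudo: guest : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Dec 12 03:12:00 mymachine sudo: crasch : TTY=ttyp0 ; PWD=/Users/crasch ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: "
    r"(?P<user>\S+) : (?P<body>.*)$"
)
FIELD_KEYS = ("TTY", "PWD", "USER", "COMMAND")
# Assumed list of interactive shells worth flagging when run as root.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh", "/bin/ksh"}


def parse_sudo_log(text):
    """Parse sudo log lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = {"ts": m.group("ts"), "host": m.group("host"),
               "user": m.group("user"), "message": None}
        for part in m.group("body").split(" ; "):
            key, sep, value = part.partition("=")
            if sep and key in FIELD_KEYS:
                rec[key] = value
            else:
                rec["message"] = part.strip()   # free text = denial reason
        rec["ok"] = rec["message"] is None
        records.append(rec)
    return records


def summarize(records):
    """Denied attempts, successful root shells, and a per-user count."""
    denied = [r for r in records if not r["ok"]]
    root_shells = [
        r for r in records
        if r["ok"] and r.get("USER") == "root"
        and (r.get("COMMAND") or "").split(" ", 1)[0] in SHELLS
    ]
    return {
        "denied": denied,
        "root_shells": root_shells,
        "per_user": dict(Counter(r["user"] for r in records)),
    }


if __name__ == "__main__":
    s = summarize(parse_sudo_log(SAMPLE_LOG))
    for r in s["denied"]:
        print(f"DENIED  {r['ts']} {r['user']}: {r['message']} ({r['COMMAND']})")
    for r in s["root_shells"]:
        print(f"SHELL   {r['ts']} {r['user']} -> {r['COMMAND']}")
    print("per user:", s["per_user"])
```

Fields are split on " ; " rather than on "=" alone because a COMMAND value can itself contain "=" (environment assignments, for instance), so only the first "=" of each part is treated as the key separator. Feeding the real /var/log/sudo.log through parse_sudo_log in place of SAMPLE_LOG gives the same summary for a live machine.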


Tags: dseditgroup, geek, groups, programming, sudo