Re: Disabling sudoers temporarily
- Subject: Re: Disabling sudoers temporarily
- From: "John W. Baxter" <email@hidden>
- Date: Tue, 11 May 2004 08:30:59 -0700

On 5/10/2004 22:49, "Gnarlodious" <email@hidden> wrote:

> I'm writing a script that messes with system files.
> I'm set in sudoers for passwordless root execution, which is great. But my
> script is for public use. So I commented out my name in sudoers and
> rebooted.
>
> Now as I try to write my script I get a dire warning (You are not in the
> sudoers file, this incident will be reported.
>
> Now I wonder if it was a mistake to comment out the whole line in sudoers,
> is the system preventing me from root access because my name isn't even
> mentioned?

In a word... Yes.

If you aren't in the sudoers file, either by username or by group
membership, you can do nothing with the sudo command.

I suspect you can't enable the root user, if you did this to the only admin
account you have on the machine. If root isn't already enabled, you're
likely looking at booting into single user mode to patch things up.

(Aside, I claim that a machine should have three accounts minimum: the
original admin account set up during commissioning, a "spare" admin account
which you don't use, there in case you mess up the "working" admin account,
and the non-admin account you routinely use.)

On a typical Unix system, sudo is very tightly controlled using the sudoers
file: a given username (or group) is allowed access--as root only to the
commands that person needs to accomplish some mission. Mac OS X as shipped
is atypical, but convenient.

One can do more...suppose you have some staff who shouldn't be able to ssh
into some server, but they do need to access one particular command which
allows them to look up some data that is owned by root. You write a program
which looks up only that data, you set up public key authentication of the
staff who need the access, and in the key file you insert a sudo command
which executes the utility that you wrote. You disable passworded access
via ssh. The sudoers file allows this group of staff people to execute
exactly one command...the utility you wrote. When they exit the program,
the ssh connection terminates.

--John
_______________________________________________
applescript-users mailing list | email@hidden
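
The single-command ssh setup described in the last paragraph of the message above, as an added example that is not part of the original post: it writes the three configuration fragments involved and audits the key file for keys that are not locked to the utility. The group `lookupstaff`, the path `/usr/local/bin/staff-lookup`, the sudo path, the key material and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed values: the group "lookupstaff", the utility
# path /usr/local/bin/staff-lookup and the key material are all hypothetical.

# write_example DIR: write the three configuration fragments into DIR.
write_example() {
  # sshd_config: public keys only, no password logins.
  cat > "$1/sshd_config.fragment" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
  # sudoers (edit with visudo): the group may run exactly one command as root.
  # The trailing "" forbids arguments. NOPASSWD is an assumption, made because
  # the forced command has no way to answer a password prompt.
  cat > "$1/sudoers.fragment" <<'EOF'
%lookupstaff ALL = (root) NOPASSWD: /usr/local/bin/staff-lookup ""
EOF
  # authorized_keys: line 1 is locked to the utility, whatever command the
  # client asks for. Line 2 is the weak form: a bare key that gives its
  # holder a normal login shell.
  # "restrict" turns off forwarding and pty allocation; append ",pty" only if
  # the utility needs a terminal.
  cat > "$1/authorized_keys" <<'EOF'
restrict,command="/usr/bin/sudo /usr/local/bin/staff-lookup" ssh-ed25519 AAAAconstructedkey1 alice@example
ssh-ed25519 AAAAconstructedkey2 bob@example
EOF
}

# unrestricted_keys FILE CMD: print the line number of every key in FILE that
# does not start with "restrict," and carry a forced command equal to CMD.
unrestricted_keys() {
  awk -v want="command=\"$2\"" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    !(/^restrict,/ && index($0, want)) { print NR }
  ' "$1"
}

# Demo on the constructed files: only line 2 should be reported.
tmp=$(mktemp -d) && write_example "$tmp" &&
  echo "unrestricted key lines: $(unrestricted_keys "$tmp/authorized_keys" \
    "/usr/bin/sudo /usr/local/bin/staff-lookup")"
rm -rf "$tmp"
```

Run the audit against the real key file of each staff account after any change; a reported line number means that key can open a shell instead of the one utility.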