Sudo and admin users
I recently downloaded a perl script called adduser, which was intended to mimic the classic BSD script of the same name. However, after it ran, I discovered I no longer had any working admin user accounts on the system! I couldn't authenticate as an admin user, nor could I run sudo. The script had munged the /groups/admin entry in the netinfo database to read root,greg, and the commas somehow were blocking it from matching either root or greg (btw, I'm Greg). The problem was, how to fix the netinfo entry without being an admin user.

Well, what I ended up doing was booting into single user mode and editing the /etc/sudoers file (using /usr/sbin/visudo) to contain a line explicitly giving greg sudo privileges via greg ALL=(ALL) ALL. Then, after rebooting, I ran sudo niutil -createprop /groups/admin users root greg, and everything was rosy again. Note that the standard sudoers file contains entries for root and for %admin, meaning members of the admin group. This explains why both admin status and sudo capability went away as a result of the runaway script.

Putting an explicit name into the sudoers file saved the day for me, maybe it'll help someone else someday.

Update from robg: Please see the attached comments for a revised adduser script that doesn't cause these issues, and thanks to Cap'n Hector for submitting it!
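A way to see the failure mode described in the hint without touching a real NetInfo domain: the sh script below is an added example, not code from the hint or from any of the adduser scripts posted in the comments. It models only the two kinds of user spec the stock sudoers file uses (a plain user name and a %group entry, hard-wired here to admin), with a constructed sudoers text and constructed admin group member lists; the function names (group_has_member, sudo_allowed, can_sudo, repair_members, report) are mine. It shows that a single "root,greg" value in the group never matches greg, that the explicit greg line still does, and that splitting the value back into separate members (the state the niutil -createprop command in the hint writes) makes %admin work again.

```sh
#!/bin/sh
# Added example: a minimal model of sudoers user-spec matching, used to
# reproduce the hint's failure offline. Not the hint author's code and not
# a real sudoers parser (no aliases, Defaults, host/runas specs or '!').

# Constructed sudoers texts: the stock Mac OS X shape, and the same file with
# the explicit line the hint author added from single-user mode.
STOCK_SUDOERS='# sudoers file.
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
'
FIXED_SUDOERS="${STOCK_SUDOERS}greg    ALL=(ALL) ALL
"

# Constructed admin group "users" property, as a space-separated list of
# values. BROKEN_ADMIN is what the runaway script left: one value "root,greg".
BROKEN_ADMIN='root,greg'

# group_has_member MEMBERS USER: exact match against each value; a
# comma-joined value therefore matches nobody.
group_has_member() {
    for m in $1; do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# sudo_allowed USER ADMIN_MEMBERS: reads sudoers text from stdin, prints the
# first user spec that grants USER and returns 0, or returns 1 if none does.
sudo_allowed() {
    user=$1
    admin_members=$2
    while read -r spec rest; do
        case "$spec" in
            ''|'#'*) ;;                    # blank line or comment
            "$user")                       # explicit user entry
                printf '%s\n' "$spec"; return 0 ;;
            %admin)                        # group entry: check membership
                if group_has_member "$admin_members" "$user"; then
                    printf '%s\n' "$spec"; return 0
                fi ;;
            %*) ;;                         # other groups: not modelled
        esac
    done
    return 1
}

# can_sudo USER ADMIN_MEMBERS SUDOERS_TEXT: convenience wrapper.
can_sudo() {
    printf '%s\n' "$3" | sudo_allowed "$1" "$2"
}

# repair_members VALUE: turn a comma-joined value into separate values, i.e.
# the state "niutil -createprop /groups/admin users root greg" writes.
repair_members() {
    printf '%s\n' "$1" | tr ',' ' '
}

# report LABEL USER ADMIN_MEMBERS SUDOERS_TEXT: one line per scenario.
report() {
    if spec=$(can_sudo "$2" "$3" "$4"); then
        printf '%-24s %s: allowed via "%s"\n' "$1" "$2" "$spec"
    else
        printf '%-24s %s: no matching user spec\n' "$1" "$2"
    fi
}

report 'stock, broken group:'    greg "$BROKEN_ADMIN" "$STOCK_SUDOERS"
report 'stock, repaired group:'  greg "$(repair_members "$BROKEN_ADMIN")" "$STOCK_SUDOERS"
report 'explicit greg line:'     greg "$BROKEN_ADMIN" "$FIXED_SUDOERS"
```

Run it with sh. The third line is the hint's workaround: an explicit user entry grants access whether or not group membership is intact, which is also why such a line is worth keeping in sudoers for one trusted account. This is a reasoning aid, not a sudoers validator; to check a real file use visudo -c.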
8 comments
Does this mean every non-admin user...
Authored by: hamarkus on May 27, '04 10:37:56AM

Does this mean every non-admin user can give himself sudo status via booting into single user mode?



Does this mean every non-admin user...
Authored by: Cap'n Hector on May 27, '04 10:43:53AM

Yes, it does.



Does this mean every non-admin user...
Authored by: corvus on May 27, '04 11:00:26AM

Of course. You can prevent them from booting into single user mode if you set an open firmware password...

Then they'll just need to open your mac, put your boot disk in another machine, boot to single user mode, do the thing, and put your disk back. :-)

Open Firmware Security info

Cool!!!
Authored by: hamarkus on May 27, '04 02:43:25PM

Sorry, I could not resist.



Does this mean every non-admin user...
Authored by: stetner on May 31, '04 08:42:40AM

Not setting the open firmware password allows ANYONE to become root through a single user startup.

Even with the OF password set, admin users can still do something like edit /etc/rc and gain root access.

In reality, in terms of gaining root access, admin=root on Mac OS X



Does this mean every non-admin user...
Authored by: laardvark on May 27, '04 04:15:57PM

yes and you can also easily enable root during single user mode.

In single user mode, you're already running as root. Just do passwd, and you'll set a password for root and it'll be enabled.

I fixed a sudoers file this way. I enabled root, rebooted, and logged in as root. Then I edited the netinfo settings using NetInfo Manager. For some reason the box had totally lost the admin group!

To make things simple, I added myself specifically to the sudoers file on the box (in case it happened again).

I've written my own "adduser" in python. I haven't gone back and looked at it in awhile, the only thing I was having a problem with was it setting the password for the new user. The password setting code works...just not when it's run right after creating the user.

Pretty sure I didn't do anything about admin users in the script though. I should release it, as it does some things that other online scripts didn't do (like create the http.conf user entries).




Revised script...
Authored by: Cap'n Hector on May 28, '04 09:36:32AM
I threw this adduser script together that shouldn't suffer the same issues as the one described above:
#!/bin/sh
# Creates a NetInfo user, adding admin group membership as separate values
# so that the %admin entry in sudoers keeps matching.
# Writes to the local NetInfo domain, so it must be run as root (via sudo).
echo "Enter username:"
read u_name
if nicl . -read /users/$u_name >/dev/null 2>&1; then
    echo "User $u_name already exists"
    exit 1
fi
echo "Enter the full name for user $u_name:"
read real_name
echo "Is $u_name to be an Admin user (y/N)?"
read if_admin
# Next free uid: one more than the highest uid currently in NetInfo.
new_uid=`nidump passwd . | awk -F: '{print $3}' | sort -n | tail -1`
new_uid=`expr $new_uid + 1`
nicl . -create /users/$u_name
nicl . -create /users/$u_name uid $new_uid
nicl . -create /users/$u_name realname "$real_name"
nicl . -create /users/$u_name passwd ""
nicl . -create /users/$u_name gid 20
nicl . -create /users/$u_name shell "/bin/tcsh"
nicl . -create /users/$u_name home "/Users/$u_name"
# Lets the user change their own password.
nicl . -create /users/$u_name _writers_passwd $u_name

passwd $u_name

ditto /System/Library/UserTemplate/English.lproj /Users/$u_name
chown -R $u_name:staff /Users/$u_name

nicl . -read /users/$u_name
if [ "$if_admin" = Y -o "$if_admin" = y ]
then
    # -append adds the name as its own value in the group's "users"
    # property, rather than a comma-joined string that matches nobody.
    nicl . -append /groups/wheel users $u_name
    nicl . -append /groups/admin users $u_name
    nicl . -read /groups/wheel
    nicl . -read /groups/admin
fi
Paste it into a text document, save it somewhere in your $PATH, chmod it 755, and then you can run it. Note that it does require admin access to create a new user.

Revised script...
Authored by: baronworm on Jul 01, '04 11:27:27AM

there is a simple, but important, typo in that script.

To fix, change this line:

new_uid=`expr $NUID + 1`

to instead read:

new_uid=`expr $new_uid + 1`


