Allowing users to run script via /etc/sudoers and permissions

Dan · Jul 9, 2013

I'd like users in staff group who do not have admin/root permissions to run the following script without being prompted for a password. This is in OSX.

Note that /usr/sbin/serveradmin requires root/sudo privileges.

I've tried adding the following to my /etc/sudoers, but it does not work. Script has permissions of 755.

%staff ALL=NOPASSWD: /usr/sbin/serveradmin stop smb,/usr/sbin/serveradmin start smb
%staff ALL=NOPASSWD: /bin/sh /opt/scripts/restart-smb

Here's the shell script:

#!/bin/bash
#
# This script simply restarts SMB (Samba)
#
echo "Stopping SMB..."
/usr/sbin/serveradmin stop smb
echo "Pausing for 30 seconds..."
/bin/sleep 30
echo "Starting SMB..."
/usr/sbin/serveradmin start smb
echo "Script complete!"

Your ideas, suggestions most appreciated!

Dan

Answer

user3157088 · Jan 3, 2014

WARNING: while playing with the /etc/sudoers file to manage user privileges and permissions, I CRASHED Ubuntu.

Normal login was not possible anymore. I got a parsing error coming from a simple missing space between the # and % characters in a line I wrongly commented: #%sudo ALL=NOPASSWD: /pathtoscripts/script.sh. I had to recover it with the install/live CD: mounting the hard drive filesystem again, putting the original file back in place, and dismounting the volume to record the changes.

For the above reason I would NOT RECOMMEND THIS METHOD first, because it modifies the critical /etc/sudoers privileges file. Choose the available alternatives first unless:

  • you have a good backup of your data outside of your PC

  • you are not afraid of the risk of having to repair/reinstall your system

  • you know the RIGHT SYNTAX of the /etc/sudoers file; trials and parsing errors could cost you a lot of time and/or effort/crashes...

Reading the other posts, I managed to get it to work on my system, managing permissions through a group:

I created the group mygroup

sudo groupadd mygroup

I added the user myuser which will execute the script

sudo usermod -a -G mygroup myuser

I added the entry at the END of /etc/sudoers, otherwise the privileges are overwritten by the previous lines (be careful with syntax)

%mygroup ALL=NOPASSWD: /mypath/to/myscripts/myscript.sh

The above script myscript.sh must have execute permission

sudo chmod ugo+x /mypath/to/myscripts/myscript.sh

This script can then be launched by the user myuser directly as below, without prompting for a password anymore

sudo /mypath/to/myscripts/myscript.sh

Alternatively, the script can be launched from within another one in the same way


I found another way without creating a group, adding to /etc/sudoers file (at the END of file) the line:

%sudo ALL=NOPASSWD: /mypath/to/myscripts/myscript.sh

In case the script must only be launched by a few existing users myuser1, myuser2, it is always possible to only add to /etc/sudoers (at the END of file) the lines:

myuser1 ALL=(ALL) NOPASSWD: /mypath/to/myscripts/myscript.sh

myuser2 ALL=(ALL) NOPASSWD: /mypath/to/myscripts/myscript.sh
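
An added example, not part of the original question or answer: a NOPASSWD rule runs the named script as root, so the script and its directory should be writable only by root, and an edited copy of sudoers can be syntax-checked with visudo -c -f before it replaces the live file. The function names and the optional owner-uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and the optional owner-uid argument are
# assumptions of this example, not part of the original post.

# True when PATH is writable by its group or by everyone.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# True when PATH is owned by the numeric uid given as the second argument.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# check_sudo_script SCRIPT [OWNER_UID]
# Returns 0 only when SCRIPT is an absolute path to a regular file and both
# the file and its immediate directory are owned by OWNER_UID (default 0,
# root) and not group- or world-writable. Ancestor directories further up
# are not examined here.
check_sudo_script() {
    script=$1
    owner=${2:-0}
    case $script in
        /*) ;;
        *) echo "not an absolute path: $script" >&2; return 1 ;;
    esac
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "not a regular file: $script" >&2; return 1
    fi
    for p in "$script" "$(dirname "$script")"; do
        if ! owned_by "$p" "$owner"; then
            echo "not owned by uid $owner: $p" >&2; return 1
        fi
        if loosely_writable "$p"; then
            echo "group- or world-writable: $p" >&2; return 1
        fi
    done
    return 0
}

# Syntax-check a candidate copy of sudoers before it replaces /etc/sudoers.
sudoers_syntax_ok() {
    visudo -c -f "$1" >/dev/null 2>&1
}
```

Run check_sudo_script on the script path before adding the rule, and sudoers_syntax_ok on the edited copy before putting it in place; a non-zero return from either means stop.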