In some environments, it may be desirable to give users admin rights while restricting those users from being able to run commands with root privileges while using the command line.
A way to achieve this “admin user in the GUI, standard user on the command line” method is to edit the /etc/sudoers file. This is the configuration file referenced by the sudo command line tool, which allows a user with the correct sudo rights to execute a command with root privileges, or using another user account’s privileges.
By default, all user accounts with admin rights on both OS X and macOS have full rights to use the sudo tool. By removing those accounts’ rights for sudo from the /etc/sudoers file, user accounts with admin rights will not be able to run commands with root privileges using the sudo tool. For more details, see below the jump.
Editing /etc/sudoers
To edit the /etc/sudoers file safely, make sure to use the visudo utility. This application will do a sanity check on your changes to /etc/sudoers before putting them into production.
By default, visudo uses vi as its text editor. If you want to use an alternative text editor, this can be achieved by setting the EDITOR environment variable to an alternate value, then launching visudo.
For example, if you want to use TextWrangler to edit the /etc/sudoers file, make sure you have TextWrangler’s command line tools installed and then run the following command with root privileges:
EDITOR=edit visudo
Alternatively, if you want to use the nano editor (also known as pico), run the following command with root privileges:
EDITOR=nano visudo
Removing the admin group’s entry from the /etc/sudoers file
To remove the sudo rights for all users with admin privileges, use the procedure below:
1. Use visudo to access the /etc/sudoers file
2. Navigate to the User privilege specification section.
In that section, you should see a line like this:
%admins ALL=(ALL) ALL
The % symbol indicates that a group is being referenced; in this case the group named admin. Members of the admin group are the ones granted admin rights, so commenting out or removing this entry means that members of that group will no longer have rights to use the sudo tool.
3. To remove the entry for the admin group, you can take either of the following actions:
A. Comment out that line
B. Delete the line
Note: Make sure to leave the following entry intact and unedited:
root ALL=(ALL) ALL
Deleting that entry would mean that not even the root user would be able to use the sudo tool.
Adding entries to the /etc/sudoers file
After removing the entry for the admin group from the /etc/sudoers file, you may want to add additional entries for specific users or groups. For example, you may not want to grant sudo rights to all admin users but you do want to grant them to the local admin account and the primary user of the Mac in question. In this case, we’re assuming that the local admin and the primary user have the following accounts:
Local admin account: admin
Primary user’s account: username
Adding the following entries to the /etc/sudoers file would allow you to give full sudo rights to the admin and username accounts:
admin ALL=(ALL) ALL username ALL=(ALL) ALL
Once the desired edits have been made, save the changes.
The new permissions will take effect immediately after the changes have been saved.
For more information on configuring sudo, I recommend referencing the sudo manpage or Apple’s documentation for sudo.
