taking away admin rights using cli command doesn't work #179

Closed
JensTimmerman opened this issue Dec 1, 2016 · 12 comments

@JensTimmerman
commented Dec 1, 2016

I ran
sudo dscl . -delete /Groups/admin GroupMembership myaccount

rebooted
but when I open the shell I can still run sudo su -
and when I look at the myaccount user it is still listed as Admin in the Users & groups config
and id myaccount shows up with

uid=501(myaccount) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)

@Eitot

Contributor

commented Dec 3, 2016

This is odd. I have just tested this again (in El Capitan) and it does work. Are you running this on Sierra?

@JensTimmerman

Author

commented Dec 5, 2016

yes, running on 10.12.2 Beta (16C53a)

@JensTimmerman

Author

commented Dec 5, 2016

and the command was successful, retrying gives me

 ~> sudo dscl . -delete /Groups/admin GroupMembership myaccount
Password:
<main> attribute status: eDSAttributeNotFound
<dscl_cmd> DS Error: -14134 (eDSAttributeNotFound)

so the attribute is gone, it would seem.

@Eitot

Contributor

commented Dec 5, 2016

I am planning to install Sierra when 12.2 drops. Then I can have a look.

What is the output of this?

dscl . -read /Groups/admin GroupMembership

@JensTimmerman

Author

commented Dec 5, 2016

jens@w018h136 ~/Desktop> dscl . -read /groups/admin GroupMembership
GroupMembership: root admin

where admin is a second account I created to do system administration

this does not seem to be in sync with the information I get from id myaccount where myaccount is still in the admin group.

@Eitot

Contributor

commented Dec 9, 2016

These commands have the same result?

dscacheutil -q group -a name admin | grep users
dsmemberutil checkmembership -U <username> -G admin

@JensTimmerman

Author

commented Dec 10, 2016

nope

> dscacheutil -q group -a name admin | grep users
users: root admin
> dsmemberutil checkmembership -U myuser -G admin
user is a member of the group
> dsmemberutil checkmembership -U root -G admin
user is a member of the group
> dsmemberutil checkmembership -U admin -G admin
user is a member of the group
> dsmemberutil checkmembership -U guest -G admin
user is not a member of the group

@Eitot

Contributor

commented Dec 10, 2016

That’s weird, so dsmemberutil does show that the account is still in the group? I wonder if there is some caching issue. If you are willing to try, though I do not know if this resolves anything.

dsmemberutil flushcache

@JensTimmerman

Author

commented Dec 13, 2016

I've rebooted a few times in between, and flushed the cache now, still showing as a member of the group.

@JensTimmerman

Author

commented Dec 13, 2016

curiously, according to /etc/group the admin group doesn't even contain the admin user, only root

grep admin /etc/group
admin:*:80:root
_lpadmin:*:98:

@JensTimmerman

Author

commented Dec 13, 2016

and because of SIP I can't dtruss dsmemberutil, dscl and dscacheutil :(

@JensTimmerman

Author

commented Dec 13, 2016

Turns out I'm still in the group because my UUID is still in the group

root#  dscl . -read /users/myaccount | grep GeneratedUID
GeneratedUID: XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ
 dscl . -read /Groups/admin GroupMembers
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ XXXXXXXX-YYYY-ZZZZ-WWWW-PPPPPPPPPPPP

This command really removed me from the admin group:

 dscl . -delete /Groups/admin GroupMembers  XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ

Sudo no longer works, and I'm shown as a Standard user in the Users & Groups settings panel.

So you might have to add this command to your guide.

(found this out thanks to https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x/395738#395738 )
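
Added example, not part of the thread or of the project's guide: a POSIX sh check that compares an account against both admin-group attributes discussed above (`GroupMembership` by short name, `GroupMembers` by GeneratedUID) and reports which one still lists it. The function names and the `audit_local_admin` helper are hypothetical; the sample values are constructed from the redacted output quoted in the thread.

```shell
#!/bin/sh
# Added example: audit both membership attributes of the local admin group.
# GroupMembership lists short names, GroupMembers lists GeneratedUIDs; an
# account present in either one is still an administrator.

# attr_has VALUE "Attr: v1 v2 ..." -> status 0 if VALUE is one of the values.
attr_has() {
    want=$1
    for v in ${2#*:}; do          # strip "Attr:" and split on whitespace
        if [ "$v" = "$want" ]; then return 0; fi   # whole-word match only
    done
    return 1
}

# admin_residue SHORTNAME UUID MEMBERSHIP_LINE MEMBERS_LINE
# Prints which attribute still lists the account: name, uuid, both or none.
admin_residue() {
    by_name=no; by_uuid=no
    if attr_has "$1" "$3"; then by_name=yes; fi
    if attr_has "$2" "$4"; then by_uuid=yes; fi
    case "$by_name$by_uuid" in
        yesyes) echo both ;;
        yesno)  echo name ;;
        noyes)  echo uuid ;;
        *)      echo none ;;
    esac
}

# audit_local_admin SHORTNAME (hypothetical helper; macOS only): feeds the
# live dscl reads shown in the thread into admin_residue.
audit_local_admin() {
    uuid=$(dscl . -read "/Users/$1" GeneratedUID | awk '{print $2}')
    names=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    uuids=$(dscl . -read /Groups/admin GroupMembers 2>/dev/null)
    admin_residue "$1" "$uuid" "$names" "$uuids"
}

# Constructed sample: the state the thread reports after only the
# GroupMembership delete (values are the thread's redacted placeholders).
SAMPLE_UUID='XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ'
SAMPLE_NAMES='GroupMembership: root admin'
SAMPLE_UUIDS='GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ XXXXXXXX-YYYY-ZZZZ-WWWW-PPPPPPPPPPPP'

admin_residue myaccount "$SAMPLE_UUID" "$SAMPLE_NAMES" "$SAMPLE_UUIDS"   # prints: uuid
```

On a Mac, `audit_local_admin myaccount` printing anything other than `none` means the account is still listed in at least one attribute; `dsmemberutil checkmembership`, as used in the thread, confirms the effective result.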
