drduh/macOS-Security-and-Privacy-Guide

Taking away admin rights using a CLI command doesn't work

JensTimmerman opened this issue · 12 comments

I ran

sudo dscl . -delete /Groups/admin GroupMembership myaccount

and rebooted, but when I open a shell I can still run sudo su -. When I look at the myaccount user it is still listed as Admin in the Users & Groups panel, and id myaccount shows:

uid=501(myaccount) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)

Eitot commented

This is odd. I have just tested this again (in El Capitan) and it does work. Are you running this on Sierra?

yes, running on 10.12.2 Beta (16C53a)

and the command was successful, retrying gives me

 ~> sudo dscl . -delete /Groups/admin GroupMembership myaccount
Password:
<main> attribute status: eDSAttributeNotFound
<dscl_cmd> DS Error: -14134 (eDSAttributeNotFound)

So the attribute is gone, it would seem.

Eitot commented

I am planning to install Sierra when 12.2 drops. Then I can have a look.

What is the output of this?

dscl . -read /Groups/admin GroupMembership

jens@w018h136 ~/Desktop> dscl . -read /groups/admin GroupMembership
GroupMembership: root admin

where admin is a second account I created for system administration.

This does not seem to be in sync with the output of id myaccount, where myaccount is still in the admin group.

Eitot commented

These commands have the same result?

dscacheutil -q group -a name admin | grep users
dsmemberutil checkmembership -U <username> -G admin

Nope:

> dscacheutil -q group -a name admin | grep users
users: root admin
> dsmemberutil checkmembership -U myuser -G admin
user is a member of the group
> dsmemberutil checkmembership -U root -G admin
user is a member of the group
> dsmemberutil checkmembership -U admin -G admin
user is a member of the group
> dsmemberutil checkmembership -U guest -G admin
user is not a member of the group

Eitot commented

That’s weird, so dsmemberutil does show that the account is still in the group? I wonder if there is some caching issue. If you are willing, try this, though I do not know whether it resolves anything:

dsmemberutil flushcache

I've rebooted a few times in between, and flushed the cache now, still showing as a member of the group.

Curiously, according to /etc/group the admin group doesn't even contain the admin user, only root:

grep admin /etc/group
admin:*:80:root
_lpadmin:*:98:

And because of SIP I can't dtruss dsmemberutil, dscl or dscacheutil :(

It turns out I'm still in the group because my UUID is still in the group:

root# dscl . -read /users/myaccount | grep GeneratedUID
GeneratedUID: XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ
dscl . -read /Groups/admin GroupMembers
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ XXXXXXXX-YYYY-ZZZZ-WWWW-PPPPPPPPPPPP

This command really removed me from the admin group:

dscl . -delete /Groups/admin GroupMembers XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ

Sudo no longer works, and I'm shown as a Standard user in the Users & Groups settings panel.

So you might have to add this command to your guide.

(found this out thanks to https://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x/395738#395738 )
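The procedure worked out in this thread, written up as one script. This is an added example, not code from the drduh guide or from the issue participants. It removes the account from both attributes of /Groups/admin (the name-based GroupMembership that the guide's one-liner deletes, and the UUID-based GroupMembers that actually decided membership here), flushes the membership cache, and verifies with dsmemberutil. The parsing helpers work on plain text, so they can be exercised offline against the constructed dscl output embedded below (modelled on the thread, not captured from a real machine); the dscl and dsmemberutil calls themselves only run on macOS as root. The function names are this example's own.

```shell
#!/bin/sh
# Added example: demote a macOS account from admin via both attributes of
# /Groups/admin, then verify. Not from the drduh guide or the issue author.

# Print the GeneratedUID value from `dscl . -read /Users/<name> GeneratedUID`
# output read on stdin.
uuid_from_dscl_output() {
    sed -n 's/^GeneratedUID: *//p'
}

# Read `dscl . -read /Groups/admin <ATTR>` output on stdin and return 0 if the
# attribute lists the exact value $2. dscl prints multi-valued attributes either
# space-separated on one line or one per indented line, so both are handled.
attr_contains() {
    attr="$1"
    want="$2"
    sed -n "/^$attr:/,\$p" | sed "s/^$attr://" | tr -s ' \n' '\n' | grep -qx -- "$want"
}

# Constructed sample dscl output (mirrors the thread; not from a real system).
SAMPLE_USER_READ='GeneratedUID: XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ'
SAMPLE_MEMBERSHIP_READ='GroupMembership: root admin'
SAMPLE_MEMBERS_READ='GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 XXXXXXXX-YYYY-ZZZZ-WWWW-QQQQQQQQQQQQ'

# Offline check of the parsing logic. Returns 0 when the samples show the state
# from the issue: myaccount is gone from GroupMembership but its UUID is still
# present in GroupMembers (so it is still an admin).
offline_demo() {
    uuid=$(printf '%s\n' "$SAMPLE_USER_READ" | uuid_from_dscl_output)
    [ -n "$uuid" ] || return 1
    if printf '%s\n' "$SAMPLE_MEMBERSHIP_READ" | attr_contains GroupMembership myaccount; then
        return 1
    fi
    printf '%s\n' "$SAMPLE_MEMBERS_READ" | attr_contains GroupMembers "$uuid"
}

# Remove $1 from the admin group by both attributes. macOS only, run as root.
demote_from_admin() {
    user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    uuid=$(dscl . -read "/Users/$user" GeneratedUID | uuid_from_dscl_output)
    [ -n "$uuid" ] || { echo "no GeneratedUID for $user" >&2; return 1; }
    # Name-based attribute (the guide's step). Skip if it is already gone, which
    # is what eDSAttributeNotFound in the thread meant.
    if dscl . -read /Groups/admin GroupMembership | attr_contains GroupMembership "$user"; then
        dscl . -delete /Groups/admin GroupMembership "$user" || return 1
    fi
    # UUID-based attribute: this is what id, sudo and the Users & Groups panel follow.
    if dscl . -read /Groups/admin GroupMembers | attr_contains GroupMembers "$uuid"; then
        dscl . -delete /Groups/admin GroupMembers "$uuid" || return 1
    fi
    dsmemberutil flushcache
    # Verify with the same resolver the system uses for membership decisions.
    if dsmemberutil checkmembership -U "$user" -G admin | grep -q '^user is a member'; then
        echo "$user is still an admin" >&2
        return 1
    fi
    echo "$user is no longer an admin"
}

# Usage: sudo sh demote_admin.sh myaccount  (does nothing without an argument or off macOS)
if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
    demote_from_admin "$1"
fi
```

Verifying with dsmemberutil rather than /etc/group matters: as the thread shows, /etc/group is not consulted for local accounts, and the name list in GroupMembership can disagree with the UUID list in GroupMembers. Apple's own group tool, dseditgroup (for example `sudo dseditgroup -o edit -d myaccount -t user admin`), updates both attributes in one step; that is a known alternative noted here, not something the thread itself tested.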