osx sudoers and the correct command to allow #50

Closed
EHLOVader opened this issue Sep 29, 2014 · 18 comments

@EHLOVader

I wanted to allow hosts updater to run without root password on OS X. Although this is not horrible to work around, I feel like it could make it much easier to implement.

Another similar situation was the NFS shares requiring access to /etc/exports. There was a solution by adding the command to the sudoers file, and I have attempted, without success, to create a similar solution for this.

Was there any information on what the command might consist of, and has anyone else accomplished this on their own machine?

Example of sudoers setup script:
https://gist.github.com/GUI/2864683

@lukasluecke

Just add the following code to your sudoers file (using the visudo command as indicated at the top of the file)

# vagrant-hostsupdater
Cmnd_Alias VAGRANT_HOSTS_ADD = /bin/sh -c echo "*" >> /etc/hosts
Cmnd_Alias VAGRANT_HOSTS_REMOVE = /usr/bin/sed -i -e /*/ d /etc/hosts
%admin ALL=(root) NOPASSWD: VAGRANT_HOSTS_ADD, VAGRANT_HOSTS_REMOVE

If you're also using NFS synced folders add this code as well (taken from the Vagrant docs)

# vagrant-nfs
Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports
Cmnd_Alias VAGRANT_NFSD = /sbin/nfsd restart
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports
%admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE

@mbootsman

I tried this, but no luck.
My sudoers looks like this:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# Allow passwordless startup of Vagrant when using NFS and vagrant-hostsupdater plugin
Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports
Cmnd_Alias VAGRANT_NFSD = /sbin/nfsd restart
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports
Cmnd_Alias VAGRANT_HOSTSUPDATER_ADD = /usr/bin/sh -c 'echo "*" >> /etc/hosts'
%admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE, VAGRANT_HOSTSUPDATER_ADD

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

@lukasluecke

I just updated my answer with what I'm using now

@cgsmith
Collaborator

cgsmith commented Nov 9, 2015

This works on my machine. @mbootsman is it working for you now? What OS are you running?

@mbootsman

@cgsmith Too bad it's not working for me. I'm using Ubuntu 15.10.

@cgsmith
Collaborator

cgsmith commented Nov 9, 2015

@mbootsman I will test this out this week to see what might need to be tweaked. I remember some post referencing %sudo instead of admin. Maybe try that?

@EHLOVader
Author

Thanks for the update, @lukasluecke. I had recently been experiencing issues with the halt and removal of hosts file entries, but your solution fixed that for me.

I have updated my fork of the install_vagrant_sudoers.sh script with this and also improved the reliability of the removal to prevent duplicates.

https://gist.github.com/EHLOVader/606f7c9f8717608527b8

@jazbek

jazbek commented Dec 7, 2015

I am having the same issue, vagrant up errors out with:

/Users/jessica/.vagrant.d/gems/gems/vagrant-hostsupdater-1.0.1/lib/vagrant-hostsupdater/HostsUpdater.rb:85:in `initialize': Permission denied - /etc/hosts (Errno::EACCES)

...unless I use sudo.

I have the following in my sudoers, but it doesn't seem to make a difference:

# vagrant-hostsupdater
Cmnd_Alias VAGRANT_HOSTS_ADD = /bin/sh -c echo "*" >> /etc/hosts
Cmnd_Alias VAGRANT_HOSTS_REMOVE = /usr/bin/sed -i -e /*/ d /etc/hosts
%admin ALL=(root) NOPASSWD: VAGRANT_HOSTS_ADD, VAGRANT_HOSTS_REMOVE
# end vagrant-hostsupdater

# vagrant-nfs
Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports
Cmnd_Alias VAGRANT_NFSD = /sbin/nfsd restart
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports
%admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE
# end vagrant-nfs

I am on OS X 10.8.5 (old, I know).

Seems like I am being affected by the Ruby File.writeable bug I saw mentioned on another thread, because my password isn't being requested. https://bugs.ruby-lang.org/issues/4712 (not totally sure if it's the same bug, since that one is described as a Windows bug).

Just wanted to post this in case it helps anyone, I have to stop using hostupdater because I don't want to use sudo for vagrant up. Cheers.

@EHLOVader
Author

@jazbek and any others running into this problem. It appears you might not have permissions to your /etc/hosts file....

Try using sudo once to assign those rights, you may find the sudoers patch you have then works.

sudo chmod +a "$USER allow write,append" /etc/hosts

via #47

@zxaos

zxaos commented Dec 7, 2015

That did it for me, but it's bizarre - as far as I know nothing's changed and this seemed to just suddenly stop working.

@EHLOVader
Author

What version of OS X were you on, @zxaos?
I didn't see it mentioned above. If you are on El Capitan the new "System Integrity Protection" is possibly at fault.

EDIT: nah, looks like that isn't a folder that is commonly protected. So who knows. Glad it worked for you, either way.

@zxaos

zxaos commented Dec 7, 2015

I'm on El Capitan, but it's successfully worked on this version before. Additionally, I'm pretty sure the chmod command shouldn't fix it if it's SIP-related, because you can't modify SIP protected files, even with sudo (you have to reboot and turn SIP off to change them in any way).

@peterdewinter

Same problem here, and as sudden as others seem to mention. I'm on the latest OS X 10.11.2 (15C50).
It seems, though, you guys have a solution, but it's a little unclear with all these comments.
Would it be possible to summarize the full work-around?

@lukasluecke

Well my original solution is still working fine for me, even on the latest OS X 10.11.3 Beta - did you already try that? (Run visudo and paste the code blocks from my post)

@peterdewinter

Hello lukasluecke, the following works for me:

sudo chmod +a "$USER allow write,append" /etc/hosts

I did not need to change sudoers.

@lukasluecke

Yeah this should work as well, but will allow any program you run to write to your hosts file which might be considered a security risk by some.

@NReilingh

I'm on OS X 10.11.4 and I was having problems with the procedure in the readme. If I add the snippet to the TOP of the sudoers file, hostsupdater still asks for a password. But when I added the snippet to the BOTTOM of the file, it worked as desired.

I don't have the chops to discern why this is the case, but I think the readme should be updated once someone figures it out. Hopefully in the meantime anyone having trouble can try this out and see if it fixes the problem for them.

@anttimakela

System Version: OS X 10.11.6
NReilingh's solution fixed mine. Second day, not asking for password anymore on vagrant up or halt. Just in case, I rebooted mac after moving code to bottom.
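
The top-versus-bottom behaviour reported above is consistent with how sudoers resolves overlapping entries: per sudoers(5), when several entries match, the last match is used, so a NOPASSWD rule placed above a broader `%admin ALL=(ALL) ALL` line is overridden by it. The sketch below is an added example, not code from this thread or from the plugin; it is a simplified checker (exact group-name and alias-name matching only, no host or glob matching) run on a constructed sudoers file.

```python
import re

# Constructed sample: the snippet from this thread, plus a stock-style
# "%admin ALL=(ALL) ALL" line like the one in mbootsman's sudoers above.
SNIPPET = '''\
Cmnd_Alias VAGRANT_HOSTS_ADD = /bin/sh -c echo "*" >> /etc/hosts
Cmnd_Alias VAGRANT_HOSTS_REMOVE = /usr/bin/sed -i -e /*/ d /etc/hosts
%admin ALL=(root) NOPASSWD: VAGRANT_HOSTS_ADD, VAGRANT_HOSTS_REMOVE
'''
STOCK = "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n"

# who  hosts = (runas) commands   (assumption: one spec per line, no ':' chains)
SPEC = re.compile(r'^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$')
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def rules(text):
    """Yield (lineno, who, {command: needs_password}) per user specification."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        needs_pw, cmds = True, {}
        for item in m.group(2).split(","):
            item = item.strip()
            tag = re.match(r'(NOPASSWD|PASSWD):\s*', item)
            if tag:  # a tag applies to this command and the ones after it
                needs_pw = tag.group(1) == "PASSWD"
                item = item[tag.end():]
            cmds[item] = needs_pw
        yield n, m.group(1), cmds

def effective(text, who, command):
    """Return (lineno, needs_password) of the LAST rule matching who/command."""
    hit = None
    for n, rule_who, cmds in rules(text):
        if rule_who != who:
            continue
        for name in (command, "ALL"):
            if name in cmds:
                hit = (n, cmds[name])  # later matches overwrite earlier ones
                break
    return hit

if __name__ == "__main__":
    print("snippet on top:   ", effective(SNIPPET + STOCK, "%admin", "VAGRANT_HOSTS_ADD"))
    print("snippet on bottom:", effective(STOCK + SNIPPET, "%admin", "VAGRANT_HOSTS_ADD"))
```

With the snippet on top, the deciding rule is the stock `%admin` line and a password is still required; with the snippet at the bottom, the NOPASSWD line decides.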
