MacOS – How to fix this sudo permission issue – UID 503, should be 0 – El Capitan


Whenever I try any sudo command whatsoever in terminal, I get the following error message:

sudo: /etc/sudoers is owned by uid 503, should be 0
sudo: no valid sudoers sources found, quitting

I have tried logging into single user mode and typing in the following commands:

mount -uw

chown /private/etc/sudoers 0

After typing in the chown ownership line, I get an error message saying “illegal username”.

Other things I have tried:

  • Reinstalling OS X (El Capitan)
  • Disabling System Integrity Protection (SIP).
  • Calling Apple Care who say that sudo commands have been disabled in El Capitan.
  • Logging in under Single User mode and typing in the following code:
    chown root:wheel /private/etc/sudoers
    This produced the error message “Operation Not Permitted” in my Standard, Admin, and Root accounts.
    The error message “Read-Only File System” came up when I logged in in Single User Mode.

FYI

When I run ls -la /private/etc/sudoers in Terminal, I get the following:

-rw-r-----@ 1 MY-ADMIN-USERNAME staff 67 18 Feb 14:03 /private/etc/sudoers

Note I’ve replaced my actual admin username with “MY-ADMIN-USERNAME” just so you know what’s showing.

I need sudo commands to work for a range of reasons, one of which is to get CrashPlan to work.

My hardware is a 2010 iMac, 3.2 GHz, 16 GB RAM and a 500 GB SSD which was installed about a year ago.

These problems have only come up with El Capitan. I didn’t have them in the past with Yosemite.

Looking around online, I can see that many people have had similar issues, but the resolutions unfortunately have not worked for me.

Best Answer

Try to repair your sudoers file from Recovery Mode:

  • Boot to Recovery Mode by pressing Cmd-R while booting.
  • Open Terminal from the menubar -> Utilities
  • Enter cd "/Volumes/main_volume_name/private/etc". Replace main_volume_name by the real main volume's name (check diskutil list), keep any spaces and upper/lower case characters as they are. If you use quotation marks like in the command here you don't have to escape spaces with a \
  • Enter chmod 440 sudoers
  • Enter chown root:wheel sudoers
  • Check the file with cat sudoers. The default sudoers file should look like this:

    ## sudoers file.
    ##
    ## This file MUST be edited with the 'visudo' command as root.
    ## Failure to use 'visudo' may result in syntax or file permission errors
    ## that prevent sudo from running.
    ##
    ## See the sudoers man page for the details on how to write a sudoers file.
    ##
    
    ##
    ## Host alias specification
    ##
    ## Groups of machines. These may include host names (optionally with wildcards),
    ## IP addresses, network numbers or netgroups.
    # Host_Alias    WEBSERVERS = www1, www2, www3
    
    ##
    ## User alias specification
    ##
    ## Groups of users.  These may consist of user names, uids, Unix groups,
    ## or netgroups.
    # User_Alias    ADMINS = millert, dowdy, mikef
    
    ##
    ## Cmnd alias specification
    ##
    ## Groups of commands.  Often used to group related commands together.
    # Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
    #               /usr/bin/pkill, /usr/bin/top
    
    ##
    ## Defaults specification
    ##
    
    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    Defaults    lecture_file = "/etc/sudo_lecture"
    
    ##
    ## Runas alias specification
    ##
    
    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    
    ## Uncomment to allow members of group wheel to execute any command
    # %wheel ALL=(ALL) ALL
    
    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    
    ## Uncomment to allow members of group sudo to execute any command
    # %sudo ALL=(ALL) ALL
    
    ## Uncomment to allow any user to run sudo if they know the password
    ## of the user they are running the command as (root by default).
    # Defaults targetpw  # Ask for the password of the target user
    # ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
    
    ## Read drop-in files from /private/etc/sudoers.d
    ## (the '#' here does not indicate a comment)
    #includedir /private/etc/sudoers.d
    

    Since your sudoers file is very small (67 bytes), you are probably missing some or all of its content. You may have to add/replace at least the lines without a leading "#":

    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    Defaults    lecture_file = "/etc/sudo_lecture"
    

    and

    root ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    

    with:

    /Volumes/main_volume_name/usr/bin/nano /Volumes/main_volume_name/private/etc/sudoers
    

    The file should finally contain at least the following content:

    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    Defaults    lecture_file = "/etc/sudo_lecture"
    
    root ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    ​
    

    The file requires a trailing empty line! (Please don't simply copy the above because the last line here doesn't contain a new line but a zero-width space)

  • Boot to your main volume and log in as an admin

  • Enter sudo xattr -c /etc/sudoers to remove the (false) attributes.
  • Restore the complete sudoers file with sudo visudo /etc/sudoers by editing in the above default sudoers' content
  • Finally the file info should reveal the following:

    host:~ adminuser$ ls -laO /etc/sudoers
    -r--r-----  1 root  wheel  compressed 2299 31 Jul  2015 /etc/sudoers
    

    It doesn't have to be compressed, though, and the date will obviously be different.
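
A check for the end state the answer works toward (owner and group 0, mode 440, the root and %admin rules, a trailing newline, no zero-width space, no extended-attribute marker), as an added example that is not part of the original answer. The function name `audit_sudoers` and its optional expected-uid/gid arguments are assumptions made so it can be run on a scratch copy:

```shell
#!/bin/sh
# Added example, not from the original answer. audit_sudoers is a hypothetical
# helper; args 2 and 3 (expected uid/gid, default 0/0) let it be exercised on
# a scratch copy. Prints one keyword per problem and returns 0 only if clean.
audit_sudoers() {
    as_file=$1 as_uid=${2:-0} as_gid=${3:-0} as_out=""
    [ -f "$as_file" ] || { echo "missing"; return 1; }
    # ls -ln is portable: field 1 = mode string, 3 = numeric uid, 4 = numeric gid
    set -- $(ls -ln "$as_file")
    [ "$3" = "$as_uid" ] || as_out="$as_out owner"   # "owned by uid N, should be 0"
    [ "$4" = "$as_gid" ] || as_out="$as_out group"   # wheel is gid 0 on macOS
    case $1 in -r--r-----*) ;; *) as_out="$as_out mode" ;; esac   # chmod 440
    case $1 in *@) as_out="$as_out xattr" ;; esac    # macOS flags xattrs with '@'
    grep -Eq '^root[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$as_file" ||
        as_out="$as_out no-root-rule"
    grep -Eq '^%admin[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$as_file" ||
        as_out="$as_out no-admin-rule"
    # U+200B (bytes e2 80 8b) is what a copy of the listing's last line carries
    if LC_ALL=C grep -q "$(printf '\342\200\213')" "$as_file"; then
        as_out="$as_out zero-width-space"
    fi
    # $(...) strips a final newline, so non-empty means the last byte is not \n
    if [ -n "$(tail -c 1 "$as_file")" ]; then
        as_out="$as_out no-trailing-newline"
    fi
    as_out=${as_out# }
    [ -z "$as_out" ] && return 0
    echo "$as_out"
    return 1
}

# Constructed sample: a truncated, group-readable, writable file like the one
# in the question (not the real /etc/sudoers), audited against uid 0 / gid 0.
demo=$(mktemp)
printf 'root ALL=(ALL) ALL' > "$demo"
chmod 640 "$demo"
echo "findings: $(audit_sudoers "$demo")"
rm -f "$demo"
```

From Recovery Mode the same function can be pointed at the file under /Volumes/main_volume_name/private/etc before rebooting.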