How to Fix Broken Sudo on macOS

macos permission sudo

Apparently I can't sudo on my Mac any more.

Piers-MacBook-Air:~ piersb$ sudo ls
Password:
Sorry, user piersb is not allowed to execute '/bin/ls' as root on Piers-MacBook-Air.local.
Piers-MacBook-Air:~ piersb$ 

It worked before the most recent El Capitan update (the upgrade to 10.11.4), and I'm on a mid-2013 MacBook Air. The account is an admin account, and I was able to sudo before then. My first thought was to add myself into /etc/sudoers but, haha, of course you need sudo for that.

Piers-MacBook-Air:~ piersb$ ls -al /etc/sudoers
-r--r-----  1 root  wheel  272  5 Apr 11:15 /etc/sudoers
Piers-MacBook-Air:~ piersb$ groups
staff com.apple.sharepoint.group.1 everyone localaccounts _appserverusr admin _appserveradm _lpadmin _appstore _lpoperator _developer com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh

I'm able to create a new admin user, but that user has the same problem.

Piers-MacBook-Air:~ testuser$ sudo ls

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
Sorry, user testuser is not allowed to execute '/bin/ls' as root on Piers-MacBook-Air.local.

So. How do I give myself access to sudo again? And is this a common problem?

Best Answer

Looks like it only coincidentally appeared at the 10.11.4 update; the problem was actually when I installed vagrant. Somewhere along the line either I or a script I used overwrote /etc/sudoers with the following rather than appending it:

Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports
Cmnd_Alias VAGRANT_NFSD = /sbin/nfsd restart
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports
%admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE

So /etc/sudoers was toast. Here's how to fix it if this happens to you.

  • Go to System Preferences
  • Go to Users & Groups
  • Click on the lock
  • Authenticate with an admin account
  • Choose Network Account Server: Join...
  • Click Open Directory Utility
  • Click on the lock
  • Authenticate with an admin account
  • Choose Edit / Enable Root User
  • Choose a root password
  • Open a Terminal
  • Type su
  • Type your root password and hit return
  • Type visudo

You should now be safely editing /etc/sudoers. Or at least as safely as you can do anything while logged in as root.

Replace whatever nonsense you have in there with a properly safe file. Here's the one I used:

#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
Defaults    env_keep += "COLORFGBG COLORTERM"
Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults    env_keep += "LINES COLUMNS"
Defaults    env_keep += "LSCOLORS"
Defaults    env_keep += "SSH_AUTH_SOCK"
Defaults    env_keep += "TZ"
Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults    env_keep += "EDITOR VISUAL"
Defaults    env_keep += "HOME MAIL"

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel    ALL=(ALL) ALL

# Same thing without a password
# %wheel    ALL=(ALL) NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

  • Hit ESC, then type :wq! to save and quit the file
  • Type exit to get out of the root shell
  • Go back to Directory Utilities
  • Choose Edit/Disable Root User

And - huzzah! - your sudo command should be back up-and-running again.
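To see why the overwritten file locked every admin out of sudo, here is an added example (not from the original post) of a tiny sudoers evaluator in Python. It handles only the subset used above (Cmnd_Alias lines and `user-or-%group HOST=(runas) [NOPASSWD:] commands`) and answers whether a member of admin may run /bin/ls as root under each of the two files from the answer; the two file bodies are constructed copies with the header comments dropped. It is a model for understanding, not sudo's real parser: the real syntax check for a candidate file is `visudo -c -f FILE` before it is installed.

```python
import re
# Constructed copies of the two sudoers files from the answer (header comments dropped).
BROKEN = """
Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports
Cmnd_Alias VAGRANT_NFSD = /sbin/nfsd restart
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports
%admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE
"""
FIXED = """
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
def parse(text):
    """Return (cmnd_aliases, rules); handles only Cmnd_Alias and privilege lines."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        # user-or-%group  HOST=(runas) [NOPASSWD:] cmd, cmd, ...
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*\((\S+?)\)\s*(?:NOPASSWD:\s*)?(.+)", line)
        if m:
            who, _host, runas, cmds = m.groups()
            rules.append((who, runas, [c.strip() for c in cmds.split(",")]))
    return aliases, rules
def cmd_matches(spec, command):
    """sudoers rule: no args listed -> any args allowed; args listed -> must match exactly."""
    if spec == "ALL":
        return True
    spec_parts, cmd_parts = spec.split(), command.split()
    if len(spec_parts) == 1:
        return cmd_parts[0] == spec_parts[0]
    return spec_parts == cmd_parts

def can_run(text, user, groups, command, as_user="root"):
    """True if `user` (member of `groups`) may run `command` as `as_user` under `text`."""
    aliases, rules = parse(text)
    for who, runas, specs in rules:
        who_ok = who == user or (who.startswith("%") and who[1:] in groups)
        if not who_ok or runas not in ("ALL", as_user):
            continue
        for spec in specs:
            if any(cmd_matches(c, command) for c in aliases.get(spec, [spec])):
                return True
    return False
```

Under BROKEN an admin may run only the three vagrant commands, so `sudo ls` is refused exactly as in the question; under FIXED the `%admin ALL=(ALL) ALL` line allows it again.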