MacOS – None of the admin accounts are sudo users

administratormacossudoterminal

I have three admin accounts on one machine running El Capitan. The machine is a few days old. Whenever I try to run a sudo command, I'm asked for my password and told

accountUsername is not in the sudoers file.  This incident will be reported.

However, all the instructions I can find for adding a user to the sudoers file require having at least one user that has sudo privileges. I've tried

sudo visudo and sudo adduser username sudo – but obviously both of those require the user to be a sudo user.

I'm not sure how I ended up in sudo purgatory. The only thing I can think of is – my employer created two additional admin accounts and then removed admin rights from my original account.

All accounts have since been upgraded to have admin privileges and the problem still persists.

Best Answer

It sounds like your employer has disabled using sudo commands from any admin account, instead opting to include only specific users. This would mean only the employer's admin account would be able to use sudo. If you no longer have access to this account, you could boot into Single User Mode and run the visudo command to fix it. If they didn't remove the user from the sudoers list, you could also make a new admin account with the same shortname.

Related Solutions

MacOS – Sudoers file plist

You can cache AD credentials by creating a "mobile account" on each machine. From Directory Utility > Active Directory > open disclosure triangle > User Experience > Create mobile account at login. Although, I will warn you, I have had some permissions issues when 'creating a mobile account' after the home folder/user has already been created.

MacOS – How to fix this sudo permission issue – UID 503, should be 0 – El Capitan

Try to repair your sudoers file from Recovery Mode:

Boot to Recovery Mode by pressing cmdR while booting.
Open Terminal from the menubar -> Utilities
Enter cd "/Volumes/main_volume_name/private/etc". Replace main_volume_name by the real main volume's name (check diskutil list), keep any spaces and upper/lower case characters as they are. If you use quotation marks like in the command here you don't have to escape spaces with a \
Enter chmod 440 sudoers
Enter chown root:wheel sudoers

Check the file with cat sudoers. The default sudoers file should look like this:

## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias    WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#               /usr/bin/pkill, /usr/bin/top

##
## Defaults specification
##

Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
Defaults    env_keep += "COLORFGBG COLORTERM"
Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults    env_keep += "LINES COLUMNS"
Defaults    env_keep += "LSCOLORS"
Defaults    env_keep += "SSH_AUTH_SOCK"
Defaults    env_keep += "TZ"
Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults    env_keep += "EDITOR VISUAL"
Defaults    env_keep += "HOME MAIL"

Defaults    lecture_file = "/etc/sudo_lecture"

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

Since your sudoers file is very small (67 bytes) you are probably missing some or all content. You may have to add/replace at least the lines without a prepending "#":

Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
Defaults    env_keep += "COLORFGBG COLORTERM"
Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults    env_keep += "LINES COLUMNS"
Defaults    env_keep += "LSCOLORS"
Defaults    env_keep += "SSH_AUTH_SOCK"
Defaults    env_keep += "TZ"
Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults    env_keep += "EDITOR VISUAL"
Defaults    env_keep += "HOME MAIL"

Defaults    lecture_file = "/etc/sudo_lecture"

and

root ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

with:

/Volumes/main_volume_name/usr/bin/nano /Volumes/main_volume_name/private/etc/sudoers

The file should finally contain at least the following content:

Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
Defaults    env_keep += "COLORFGBG COLORTERM"
Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults    env_keep += "LINES COLUMNS"
Defaults    env_keep += "LSCOLORS"
Defaults    env_keep += "SSH_AUTH_SOCK"
Defaults    env_keep += "TZ"
Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults    env_keep += "EDITOR VISUAL"
Defaults    env_keep += "HOME MAIL"

Defaults    lecture_file = "/etc/sudo_lecture"

root ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

The file requires a trailing empty line! (Please don't simply copy the above because the last line here doesn't contain a new line but a zero-width space)

Boot to your main volume and log-in as an admin
Enter sudo xattr -c /etc/sudoers to remove the (false) attributes.
Restore the complete sudoers file with sudo visudo /etc/sudoers by editing in the above default sudoers' content
Finally the file info should reveal the following:
```
host:~ adminuser$ ls -laO /etc/sudoers
-r--r-----  1 root  wheel  compressed 2299 31 Jul  2015 /etc/sudoers
```
It hasn't to be compressed though and the date will obviously be different.

Best Answer

Related Solutions

MacOS – Sudoers file plist

MacOS – How to fix this sudo permission issue – UID 503, should be 0 – El Capitan

Related Question