How do I fix this sudo permission issue - UID 503, should be 0 - El Capitan

Whenever I try any sudo command whatsoever in terminal, I get the following error message:

sudo: /etc/sudoers is owned by uid 503, should be 0
sudo: no valid sudoers sources found, quitting

I have tried logging into single user mode and typing in the following commands:

mount -uw

chown /private/etc/sudoers 0

After typing in the chown ownership line, I get an error message saying “illegal username”.

Other things I have tried:

  • Reinstalling the OS X (El Capitan)
  • Disabling System Integrity Protection (SIP).
  • Calling Apple Care who say that sudo commands have been disabled in El Capitan.
  • Logging in under Single User mode and typing in the following code:
    chown root:wheel /private/etc/sudoers This produced the error message “Operation Not Permitted” in my Standard, Admin, and Root accounts. The error message “Read-Only File System” came up when I logged in in Single User Mode.

FYI

When I run ls -la /private/etc/sudoers in Terminal, I get the following:

-rw-r-----@ 1 MY-ADMIN-USERNAME staff 67 18 Feb 14:03 /private/etc/sudoers

Note I’ve replaced my actual admin username with “MY-ADMIN-USERNAME” just so you know what’s showing.

I need sudo commands to work for a range of reasons, one of which is to get CrashPlan to work.

My hardware is a 2010 iMac, 3.2GHZ, 16GB Ram and 500GB SSD which was installed about a year ago.

These problems have only come up with El Capitan. I didn’t have them in the past with Yosemite.

Looking around online, I can see the many people have had similar issues but the resolutions unfortunately have not worked for me.


Solution 1:

Try to repair your sudoers file from Recovery Mode:

  • Boot to Recovery Mode by pressing cmdR while booting.
  • Open Terminal from the menubar -> Utilities
  • Enter cd "/Volumes/main_volume_name/private/etc". Replace main_volume_name by the real main volume's name (check diskutil list), keep any spaces and upper/lower case characters as they are. If you use quotation marks like in the command here you don't have to escape spaces with a \
  • Enter chmod 440 sudoers
  • Enter chown root:wheel sudoers
  • Check the file with cat sudoers. The default sudoers file should look like this:

    ## sudoers file.
    ##
    ## This file MUST be edited with the 'visudo' command as root.
    ## Failure to use 'visudo' may result in syntax or file permission errors
    ## that prevent sudo from running.
    ##
    ## See the sudoers man page for the details on how to write a sudoers file.
    ##
    
    ##
    ## Host alias specification
    ##
    ## Groups of machines. These may include host names (optionally with wildcards),
    ## IP addresses, network numbers or netgroups.
    # Host_Alias    WEBSERVERS = www1, www2, www3
    
    ##
    ## User alias specification
    ##
    ## Groups of users.  These may consist of user names, uids, Unix groups,
    ## or netgroups.
    # User_Alias    ADMINS = millert, dowdy, mikef
    
    ##
    ## Cmnd alias specification
    ##
    ## Groups of commands.  Often used to group related commands together.
    # Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
    #               /usr/bin/pkill, /usr/bin/top
    
    ##
    ## Defaults specification
    ##
    
    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    Defaults    lecture_file = "/etc/sudo_lecture"
    
    ##
    ## Runas alias specification
    ##
    
    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    
    ## Uncomment to allow members of group wheel to execute any command
    # %wheel ALL=(ALL) ALL
    
    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    
    ## Uncomment to allow members of group sudo to execute any command
    # %sudo ALL=(ALL) ALL
    
    ## Uncomment to allow any user to run sudo if they know the password
    ## of the user they are running the command as (root by default).
    # Defaults targetpw  # Ask for the password of the target user
    # ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
    
    ## Read drop-in files from /private/etc/sudoers.d
    ## (the '#' here does not indicate a comment)
    #includedir /private/etc/sudoers.d
    

    Since your sudoers file is very small (67 bytes) you are probably missing some or all content. You may have to add/replace at least the lines without a prepending "#":

    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    Defaults    lecture_file = "/etc/sudo_lecture"
    

    and

    root ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    

    with:

    /Volumes/main_volume_name/usr/bin/nano /Volumes/main_volume_name/private/etc/sudoers
    

    The file should finally contain at least the following content:

    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    Defaults    lecture_file = "/etc/sudo_lecture"
    
    root ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    ​
    

    The file requires a trailing empty line! (Please don't simply copy the above because the last line here doesn't contain a new line but a zero-width space)

  • Boot to your main volume and log-in as an admin

  • Enter sudo xattr -c /etc/sudoers to remove the (false) attributes.
  • Restore the complete sudoers file with sudo visudo /etc/sudoers by editing in the above default sudoers' content
  • Finally the file info should reveal the following:

    host:~ adminuser$ ls -laO /etc/sudoers
    -r--r-----  1 root  wheel  compressed 2299 31 Jul  2015 /etc/sudoers
    

    It hasn't to be compressed though and the date will obviously be different.