How do I fix this sudo permission issue - UID 503, should be 0 - El Capitan
Whenever I try any sudo command whatsoever in terminal, I get the following error message:
sudo: /etc/sudoers is owned by uid 503, should be 0
sudo: no valid sudoers sources found, quitting
I have tried logging into single user mode and typing in the following commands:
mount -uw
chown /private/etc/sudoers 0
After typing in the chown ownership line, I get an error message saying “illegal username”.
Other things I have tried:
- Reinstalling the OS X (El Capitan)
- Disabling System Integrity Protection (SIP).
- Calling Apple Care who say that sudo commands have been disabled in El Capitan.
- Logging in under Single User mode and typing in the following code:
chown root:wheel /private/etc/sudoers
This produced the error message “Operation Not Permitted” in my Standard, Admin, and Root accounts. The error message “Read-Only File System” came up when I logged in in Single User Mode.
FYI
When I run ls -la /private/etc/sudoers in Terminal, I get the following:
-rw-r-----@ 1 MY-ADMIN-USERNAME staff 67 18 Feb 14:03 /private/etc/sudoers
Note I’ve replaced my actual admin username with “MY-ADMIN-USERNAME” just so you know what’s showing.
I need sudo commands to work for a range of reasons, one of which is to get CrashPlan to work.
My hardware is a 2010 iMac, 3.2GHZ, 16GB Ram and 500GB SSD which was installed about a year ago.
These problems have only come up with El Capitan. I didn’t have them in the past with Yosemite.
Looking around online, I can see that many people have had similar issues but the resolutions unfortunately have not worked for me.
Solution 1:
Try to repair your sudoers file from Recovery Mode:
- Boot to Recovery Mode by pressing cmd-R while booting.
- Open Terminal from the menubar -> Utilities
- Enter
cd "/Volumes/main_volume_name/private/etc"
Replace main_volume_name by the real main volume's name (check diskutil list), keep any spaces and upper/lower case characters as they are. If you use quotation marks like in the command here you don't have to escape spaces with a \
- Enter
chmod 440 sudoers
- Enter
chown root:wheel sudoers
- Check the file with
cat sudoers
The default sudoers file should look like this:

    ## sudoers file.
    ##
    ## This file MUST be edited with the 'visudo' command as root.
    ## Failure to use 'visudo' may result in syntax or file permission errors
    ## that prevent sudo from running.
    ##
    ## See the sudoers man page for the details on how to write a sudoers file.
    ##

    ##
    ## Host alias specification
    ##
    ## Groups of machines. These may include host names (optionally with wildcards),
    ## IP addresses, network numbers or netgroups.
    # Host_Alias WEBSERVERS = www1, www2, www3

    ##
    ## User alias specification
    ##
    ## Groups of users. These may consist of user names, uids, Unix groups,
    ## or netgroups.
    # User_Alias ADMINS = millert, dowdy, mikef

    ##
    ## Cmnd alias specification
    ##
    ## Groups of commands. Often used to group related commands together.
    # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
    # /usr/bin/pkill, /usr/bin/top

    ##
    ## Defaults specification
    ##
    Defaults env_reset
    Defaults env_keep += "BLOCKSIZE"
    Defaults env_keep += "COLORFGBG COLORTERM"
    Defaults env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults env_keep += "LINES COLUMNS"
    Defaults env_keep += "LSCOLORS"
    Defaults env_keep += "SSH_AUTH_SOCK"
    Defaults env_keep += "TZ"
    Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults env_keep += "EDITOR VISUAL"
    Defaults env_keep += "HOME MAIL"
    Defaults lecture_file = "/etc/sudo_lecture"

    ##
    ## Runas alias specification
    ##

    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

    ## Uncomment to allow members of group wheel to execute any command
    # %wheel ALL=(ALL) ALL

    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    ## Uncomment to allow members of group sudo to execute any command
    # %sudo ALL=(ALL) ALL

    ## Uncomment to allow any user to run sudo if they know the password
    ## of the user they are running the command as (root by default).
    # Defaults targetpw # Ask for the password of the target user
    # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'

    ## Read drop-in files from /private/etc/sudoers.d
    ## (the '#' here does not indicate a comment)
    #includedir /private/etc/sudoers.d

Since your sudoers file is very small (67 bytes) you are probably missing some or all content. You may have to add/replace at least the lines without a prepending "#":

    Defaults env_reset
    Defaults env_keep += "BLOCKSIZE"
    Defaults env_keep += "COLORFGBG COLORTERM"
    Defaults env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults env_keep += "LINES COLUMNS"
    Defaults env_keep += "LSCOLORS"
    Defaults env_keep += "SSH_AUTH_SOCK"
    Defaults env_keep += "TZ"
    Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults env_keep += "EDITOR VISUAL"
    Defaults env_keep += "HOME MAIL"
    Defaults lecture_file = "/etc/sudo_lecture"

and

    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

with:
/Volumes/main_volume_name/usr/bin/nano /Volumes/main_volume_name/private/etc/sudoers
The file should finally contain at least the following content:

    Defaults env_reset
    Defaults env_keep += "BLOCKSIZE"
    Defaults env_keep += "COLORFGBG COLORTERM"
    Defaults env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults env_keep += "LINES COLUMNS"
    Defaults env_keep += "LSCOLORS"
    Defaults env_keep += "SSH_AUTH_SOCK"
    Defaults env_keep += "TZ"
    Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults env_keep += "EDITOR VISUAL"
    Defaults env_keep += "HOME MAIL"
    Defaults lecture_file = "/etc/sudo_lecture"
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

The file requires a trailing empty line! (Please don't simply copy the above because the last line here doesn't contain a new line but a zero-width space)
- Boot to your main volume and log in as an admin
- Enter
sudo xattr -c /etc/sudoers
to remove the (false) attributes.
- Restore the complete sudoers file with
sudo visudo /etc/sudoers
by editing in the above default sudoers' content
- Finally the file info should reveal the following:

    host:~ adminuser$ ls -laO /etc/sudoers
    -r--r----- 1 root wheel compressed 2299 31 Jul 2015 /etc/sudoers

It doesn't have to be compressed, though, and the date will obviously be different.
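
The checks this answer walks through (owner and group, mode 440, stray extended attributes, a final newline, no pasted non-ASCII bytes such as the zero-width space, and active root and %admin rules) can be collected into one shell function. This is an added example, not part of the original answer; the function name audit_sudoers and its optional expected uid/gid arguments are assumptions made here so it can also be tried on a copy of the file.

```shell
#!/bin/sh
# Added example: audit a sudoers file against the checks in the answer above.
# Usage: audit_sudoers FILE [EXPECTED_UID] [EXPECTED_GID]   (defaults: 0 0)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_sudoers() {
    f=$1; want_uid=${2:-0}; want_gid=${3:-0}; bad=0
    [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }

    # ls -ln fields: 1 = mode string, 3 = numeric uid, 4 = numeric gid.
    set -f; set -- $(ls -lnd "$f"); set +f
    mode=$1; uid=$3; gid=$4

    if [ "$uid" != "$want_uid" ]; then
        echo "owned by uid $uid, should be $want_uid"; bad=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "owned by gid $gid, should be $want_gid"; bad=1
    fi
    case $mode in
        -r--r-----*) ;;
        *) echo "mode is $mode, should be -r--r----- (chmod 440)"; bad=1 ;;
    esac
    case $mode in
        *@) echo "extended attributes present (xattr -c clears them)"; bad=1 ;;
    esac

    # $(...) strips a final newline, so non-empty output means it is missing.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "last line has no trailing newline"; bad=1
    fi

    # Bytes outside tab, LF, CR and printable ASCII (e.g. a pasted
    # zero-width space, UTF-8 e2 80 8b).
    n=$(LC_ALL=C tr -d '\11\12\15\40-\176' < "$f" | wc -c | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$n non-ASCII or control byte(s) in file"; bad=1
    fi

    # At least one uncommented rule for root and one for %admin.
    for who in root %admin; do
        if ! grep -Eq "^[[:space:]]*$who[[:space:]]+ALL[[:space:]]*=" "$f"; then
            echo "no active rule for $who"; bad=1
        fi
    done
    return $bad
}

if [ "$#" -gt 0 ]; then audit_sudoers "$@"; fi
```

With no uid/gid arguments the function expects 0 and 0, which is what chown root:wheel produces; it only reads the file and changes nothing.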