Fixing /etc/sudoers file
I'm a systems admin for a company and was thrown into a horribly configured server. In the midst of my refactoring I was adding users to my /etc/sudoers file. I seem to have accidentally removed my server admin account from the sudoers file access.
I know what I did wrong (I accidentally commented out the %admin line). The question is: how can I reinstate my server admin access in the file without having to restart anything?
Here's how it looks right now:
##
## User privilege specification
##
root ALL=(ALL) ALL
#%admin ALL=(ALL) ALL
%superuser ALL=(ALL) ALL
"user1" ALL=(ALL) ALL
"user2" ALL=(ALL) ALL
Also note that my users do not have permission for sudo for some reason:
Realtor-Station-3-27:~ user1$ sudo -i
WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
Password:
user1 is not in the sudoers file. This incident will be reported.
Realtor-Station-3-27:~ user1$
If you have access to Finder and a system administrator account, you can fix this without a reboot by leveraging these.
Open up your Finder and go to /etc. In here, you can view the details of the sudoers file, including permissions (screenshot below).
Change the permissions for "everyone" here to Read & Write.
At this time, you can edit yourself back into the file with any text editor. You will have to return permissions for "everyone" back to No Access before sudo will allow you to perform a sudo.
Once you get things working again, you should make sure these lines exist at the bottom of your /etc/sudoers file:
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
Then make sure that you have a /etc/sudoers.d/ directory. This is how mine looks:
> ls -ld /etc/sudoers.d
drwxr-xr-x 3 root wheel 96 Jul 31 20:59 /etc/sudoers.d/
Now you can effectively make changes to the sudoers file by adding a new file into the /etc/sudoers.d/ folder. For example, I named mine tjluoma, so the file /etc/sudoers.d/tjluoma (note the lack of filename extension, which seems to be a requirement) has my modifications to sudoers, but I don't risk causing global problems to sudo if there is a syntax error.
You can verify that your personal sudoers file is being read by using sudo visudo -c, which will list all of the files that sudo will use, as shown here:
> sudo visudo -c
/etc/sudoers: parsed OK
/private/etc/sudoers.d/tjluoma: parsed OK
(Note that /private/etc/sudoers.d/ and /etc/sudoers.d/ refer to the same folder.)
Of course the best way to make changes to /etc/sudoers or your personal sudoers file is with sudo visudo or sudo visudo -f /private/etc/sudoers.d/tjluoma, because it will check the syntax as part of the process of editing / saving, but we've all probably been guilty of not following that step 😀
I was unsuccessful in replacing the /etc/sudoers file with a fresh new file and changing its permission to root:wheel and 0440.
Finally I had to go to Recovery Mode (restart → ⌘ Command R):
- Mount Macintosh HD through Disk Utility
- Go to Terminal through Utilities
cd "/Macintosh HD/private/etc"
- Edit the sudoers file to correct the mistakes.
- Save and change permissions if needed. The sudoers file needs root:wheel. If it's not, sudo won't run:
chown root:wheel sudoers
- I had also changed the permissions with
chmod 0440 sudoers
since I initially removed sudoers and created a fresh copy when I was logged in.
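The two answers above lean on three things sudo checks before it will read a rules file: the drop-in name (no extension, as the sudoers.d answer notes), the owner and mode (root:wheel and 0440, as the Recovery Mode answer found), and the syntax (visudo -c). The following POSIX sh helpers, added here as an example and not code from the thread, check all three against a candidate file before it is moved into place, and also report whether a given user or group still has an active (uncommented) rule, which is the mistake the question describes. The function names (sudoers_*) and the sample file contents in the test are this example's own; the file path is passed as an argument.

```shell
#!/bin/sh
# Added example, not code from the original thread. Helpers for checking a
# sudoers file or a sudoers.d drop-in before sudo is asked to read it.

# sudo's includedir skips files whose name contains a '.' or ends in '~'
# (editor backups), which is why the drop-in above works only without an
# extension.
sudoers_dropin_name_ok() {
    name=$(basename "$1")
    case "$name" in
        ''|*.*|*~) return 1 ;;
    esac
    return 0
}

# Does FILE contain an active (not commented out) rule for ENTITY?
# ENTITY is a user name, optionally double-quoted in the file, or a group
# such as %admin. A leading '#' makes the line a comment, so a '#%admin'
# line is correctly reported as inactive.
sudoers_has_active_rule() {
    file=$1 entity=$2
    grep -E "^[[:space:]]*\"?${entity}\"?[[:space:]]+" "$file" >/dev/null 2>&1
}

# Does FILE pull in drop-ins from DIR? Accepts the '#includedir' spelling
# shown in the answer and the '@includedir' spelling newer sudo also accepts.
sudoers_has_includedir() {
    file=$1 dir=$2
    grep -E "^[[:space:]]*[#@]includedir[[:space:]]+${dir}[[:space:]]*$" "$file" >/dev/null 2>&1
}

# Mode must be 0440 (-r--r-----) and the owner root, or sudo refuses to run.
# ls -ld output is parsed so the same code works on macOS and Linux; the
# first ten characters drop the '@'/'+' suffix macOS adds for xattrs/ACLs.
sudoers_mode_ok() {
    [ "$(ls -ld "$1" | awk '{print substr($1, 1, 10)}')" = "-r--r-----" ]
}
sudoers_owner_ok() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Syntax check through visudo itself (visudo -cf FILE). Returns 2 when
# visudo is not installed so callers can tell "skipped" from "rejected".
sudoers_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Run every check on one candidate drop-in; non-zero if any check failed.
sudoers_check_dropin() {
    f=$1 rc=0
    sudoers_dropin_name_ok "$f" || { echo "$f: bad name (no '.' or trailing '~' allowed)"; rc=1; }
    sudoers_mode_ok "$f"        || { echo "$f: mode must be 0440"; rc=1; }
    sudoers_owner_ok "$f"       || { echo "$f: owner must be root"; rc=1; }
    if sudoers_syntax_ok "$f"; then s=0; else s=$?; fi
    case $s in
        0) ;;
        2) echo "$f: visudo not found, syntax not checked" ;;
        *) echo "$f: visudo rejected the file"; rc=1 ;;
    esac
    return $rc
}

# Usage: sudoers_check_dropin /path/to/candidate && sudo mv /path/to/candidate /etc/sudoers.d/
```

Running the checks on a copy in a scratch directory and only then moving it into /etc/sudoers.d keeps a syntax error or wrong mode from ever being seen by sudo; the per-user drop-in from the answer can be verified the same way with sudoers_has_active_rule before you log out of the session that still has working sudo.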