Fixing /etc/sudoers file

I'm a systems admin for a company and was thrown into a horribly configured server. In the midst of my refactoring I was adding users to my /etc/sudoers file. I seem to have accidentally removed my server admin account from the sudoers file access.

I know what I did wrong (I accidentally commented out the %admin line). The question is, how can I reinstate my server admin access in the file without having to restart anything?

Here's how it looks right now:

##
## User privilege specification
##
root ALL=(ALL) ALL
#%admin  ALL=(ALL) ALL
%superuser ALL=(ALL) ALL
"user1" ALL=(ALL) ALL
"user2" ALL=(ALL) ALL

Also note that my users do not have permission for sudo for some reason:

Realtor-Station-3-27:~ user1$ sudo -i

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
user1 is not in the sudoers file.  This incident will be reported.
Realtor-Station-3-27:~ user1$ 

If you have access to finder and a system administrator account, you can fix this without a reboot by leveraging these.

Open up your finder and go to /etc. In here, you can view the details of the sudoers file, including permissions - screenshot below.

[screenshot showing where to change permissions on the sudoers file in Finder]

Change the permissions for "everyone" here to Read & Write.

At this time, you can edit yourself back into the file with any text editor. You will have to return permissions for "everyone" back to No Access before sudo will allow you to perform a sudo.


Once you get things working again, you should make sure these lines exist at the bottom of your /etc/sudoers file:

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

Then make sure that you have a /etc/sudoers.d/ directory. This is how mine looks:

> ls -ld /etc/sudoers.d
drwxr-xr-x 3 root wheel 96 Jul 31 20:59 /etc/sudoers.d/

Now you can effectively make changes to the sudoers file by adding a new file into the /etc/sudoers.d/ folder. For example, I named mine tjluoma so the file /etc/sudoers.d/tjluoma (note the lack of filename extension, which seems to be a requirement) has my modifications to sudoers but I don’t risk causing global problems to sudo if there is a syntax error.

You can verify that your personal sudoers file is being read by using sudo visudo -c which will list all of the files that sudo will use, as shown here:

> sudo visudo -c
/etc/sudoers: parsed OK
/private/etc/sudoers.d/tjluoma: parsed OK

(Note that /private/etc/sudoers.d/ and /etc/sudoers.d/ refer to the same folder.)

Of course the best way to make changes to /etc/sudoers or your personal sudoers file is with sudo visudo or sudo visudo -f /private/etc/sudoers.d/tjluoma because it will check the syntax as part of the process of editing / saving, but we’ve all probably been guilty of not following that step 😀


I was unsuccessful in replacing the /etc/sudoers file with a fresh new file and changing its permission to root:wheel and 0440.

Finally I had to go to Recovery Mode (restart → ⌘ Command-R):

  1. Mount Macintosh HD through Disk Utility
  2. Go to Terminal through Utilities
  3. cd /Macintosh HD/private/etc
  4. Edit sudoers file to correct the mistakes.
  5. Save and change permissions if needed. The sudoers file needs root:wheel. If it's not, sudo won't run: chown root:wheel sudoers
  6. I had also changed the permissions with chmod 0440 sudoers since I initially removed sudoers and created a fresh copy when I was logged in.
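As an added example that is not code from the question or from any of the answers above, the following POSIX shell script bundles the checks the last two answers depend on: it flags privilege specifications that have been commented out (the %admin mistake from the question), verifies the 0440 root:wheel ownership and mode that the Recovery Mode answer restores, and checks a candidate /etc/sudoers.d drop-in the way the sudoers.d answer recommends (name without a "." or trailing "~", then visudo -c -f when visudo is present). It assumes only ls, awk, grep and optionally visudo; the sample sudoers it writes is constructed from the question, and every function takes a path you pass in, so nothing here touches the live /etc/sudoers or needs root.

```shell
#!/bin/sh
# Added example, not code from the question or any of the answers.
# Helpers for auditing a sudoers file and a candidate sudoers.d drop-in
# before anything is installed. Every function takes a path you pass in,
# so it can be run against a copy of the file or a staging file rather
# than the live /etc/sudoers, and nothing here needs root.

# Write the constructed sample from the question (the commented-out
# %admin line is the mistake being hunted) to the path given.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
##
## User privilege specification
##
root ALL=(ALL) ALL
#%admin  ALL=(ALL) ALL
%superuser ALL=(ALL) ALL
"user1" ALL=(ALL) ALL
"user2" ALL=(ALL) ALL

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
EOF
}

# Report privilege specifications that have been commented out: a "#"
# followed by a user or %group, then a host list and "=". "#includedir"
# is a directive, not a comment, and has no "=", so it is not reported;
# "## ..." banner lines are not reported either.
find_disabled_rules() {
    grep -E '^#[[:space:]]*%?[A-Za-z0-9_]+[[:space:]]+[A-Za-z0-9_,]+[[:space:]]*=' "$1"
}

# Permission/owner triple of a file, e.g. "-r--r----- root wheel".
# Both BSD and GNU ls put mode, user and group in these columns.
file_mode_owner() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# sudo refuses a sudoers file that is not owned by root or is writable by
# anyone but the owner; 0440 root:wheel on macOS (root:root on Linux) is
# the accepted shape. Pure string check so it can be exercised on
# constructed triples; an "@" or "+" after the mode (xattrs/ACLs in ls
# output) is tolerated.
perms_ok() {
    case "$1" in
        "-r--r----- root "*|"-r--r-----"[@+]" root "*) return 0 ;;
        *) return 1 ;;
    esac
}

check_sudoers_perms() {
    perms_ok "$(file_mode_owner "$1")"
}

# #includedir silently skips names that contain a "." or end in "~"
# (editor backups, "tjluoma.conf" and the like), which is why the drop-in
# in the answer above has no extension. Return 0 if the name will be read.
dropin_name_ok() {
    case "$1" in
        ""|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate a candidate drop-in where it sits and print the install command
# to run as root. visudo -c -f parses a file without installing it; when
# visudo is absent (e.g. a build box without sudo) only the name check runs.
stage_dropin() {
    name=$(basename "$1")
    if ! dropin_name_ok "$name"; then
        echo "$name: would be ignored by #includedir (rename without '.' or '~')" >&2
        return 1
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1" || return 1
    fi
    echo "install -o root -g wheel -m 0440 '$1' '/etc/sudoers.d/$name'"
}

# Stand-alone usage: audit a sudoers file given on the command line.
if [ -n "$1" ]; then
    echo "== disabled rules in $1"
    find_disabled_rules "$1" || echo "(none)"
    if check_sudoers_perms "$1"; then
        echo "== permissions OK"
    else
        echo "== permissions WRONG: $(file_mode_owner "$1")"
    fi
fi
```

Run it as `sh audit-sudoers.sh /path/to/copied/sudoers` to audit a file, or source it and call `stage_dropin /tmp/tjluoma` to check a drop-in before copying it into /etc/sudoers.d with the printed install command. The name check matters because a drop-in that includedir ignores fails silently: visudo -c would never list it and sudo would simply keep saying "not in the sudoers file".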