How to execute a command with admin privileges and access to files of the logged in user?

I have some problems understanding sudo. I am logged in on a terminal as an non-admin/non-root user. This "normal" user is not in the sudoers file (and shouldnt be, in my opinion).

Now I try to execute a command that needs admin/root privileges and also access to directories of my normal user – therefore I am not able to simply su into an admin or root user.

In my understanding sudo -u root should do the trick – however it doesn't accept the password for root (or admin if I try with my normal admin user). It only accepts the password of the "normal" user which seems to indicate that the -u username option doesn't work the way I expect it to work.

My expectation is that sudo -u root some_command executes some_command with the privileges of root and therefore it asks also for the password of root. Obviously not.

TL;DR: How do I execute any command that requires admin privileges AND has access to the files of the "logged in (normal) user" without adding the normal user to the sudoers file?

I have enabled the root user under Mac OS X 10.7.


Solution 1:

sudo always requires the executing user's password (and requires that you have specific permissions to do this, i.e. are one of the sudoers).

su requires the password of the target account (root by default, but root account has no password on OS X by default). If you use su instead, you can enter the destination account's password and execute a command using that user's privileges.

su -c some_cmd # as root
su username -c some_cmd # as username

This works by passing all arguments after the user name to the destination account's login shell. Shells usually support -c <commands> arguments. In GNU coreutils su, there's an actual -c command argument to su that can be placed before the user name.


You can su to another user account (using the other user account's password), and sudo from there, provided that other account is a sudoer.

If you want neither to enter another account's password, nor give your regular account sudoers permissions, you're pretty much out of options unless you consider SSH with key authentication or something like that.

Solution 2:

Unless you really "need" to maintain a separate root user on Mac OS X, it's often much easier to just get a root shell using sudo -s

In your case, non-admin users are not included in /etc/sudoers - so you would have to add by hand the users/groups you intend to have sudo accept.

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

Once that's done, sudo will inherits almost all of the nice things from your shell like PATH and other variables, but elevates your non-admin user instantly to root. The downside of enabling root is time and the security risk of someone actually logging in locally or remotely as root.

Keep in mind, sudo is asking for the password of the user that logged in to the loginwindow screen. su - wants the password of the root account, sudo -s uses privilege escalation to use the current user's password to become root without needing any (or in your case, the actual) root password.

Solution 3:

If you are using a standard account (usually for security reasons) and you know an administrator username and password, you can do su -l admin_user. After entering the password, you are now, for all effects, acting as that administrator. Then you can sudo to your heart's content. Now, just logout to go back to your original plain account.