Reclaim root access - High Sierra

I installed the Security Update 2020-001 for High Sierra. As a result of this, I am no longer able to use sudo. It just exits with the message

sudo: 4294967295: invalid value

As requested, here are the two id results:

> id $(whoami)
uid=501(my_username) gid=20(staff) groups=20(staff),12(everyone),
    61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),
    98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),
    100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),
    398(com.apple.access_screensharing),399(com.apple.access_ssh)

> id root
uid=0(root) gid=0(wheel) groups=0(wheel),4294967295(nogroup)

The culprit seems to be root being in the nogroup group which has an "invalid" id.

Having a look at /etc/group, the group has an id of -1.

> grep nogroup /etc/group 
nogroup:*:-1:

Figured out how to list group memberships on macOS:

> dscl . read /Groups/nogroup
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEFFFFFFFFF
Password: *
PrimaryGroupID: -1
RealName:
 No Group
RecordName: nogroup
RecordType: dsRecTypeStandard:Groups

The group does not have any members. And I don't seem to be able to find the root user on this system:

> dscl . read /Users/root
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

New question: How do I remove root from the nogroup group?


Solution 1:

While trying to enable the root user, I got the error

dsenableroot:: ***Failed to enable root user.

So I looked into that and found out thanks to an answer to Why would dsenableroot NOT work on a 10.7.5 OSX Server? that I had to check my root user in the file /private/var/db/dslocal/nodes/Default/users/root.plist.

Sadly, the file was missing. And this was the root cause of the problem: I didn't have a root user. After copying it from another macOS installation,

  • sudo started working again
  • id no longer showed the membership in nogroup
  • the command dscl . read /Users/root said that it finally found a user
  • and I was able to find root in the directory browser

Solution 2:

In my opinion this is related to root being a member of No Group (nogroup, group ids: 4294967295 and -1!).

My root user was enabled before running the Security Update 2020-001 for High Sierra. I didn't encounter this problem.

Your question and additional details suggest that your root user wasn't enabled.

To follow the steps below you probably have to enable root first in Directory Utility > Edit > Enable Root User!

To remove root from the group No Group you have to open Directory Utility and unlock it:


Hit Directory Editor and navigate to Groups in node /Local/Default

Choose No Group and remove root from GroupMembership and FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 (= root) from GroupMembers.


A reboot is not necessary.


I tested this the other way round by adding root/FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 to the respective attributes.

With root being member of No Group I get the following result executing some sudo ... command:

host:~ user$ sudo ls
sudo: 4294967295,701,33,98,100,204,250,395,398,399: invalid value

After removing root from No Group sudo ... works as expected.
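The following is an added example and is not part of the question or either answer. It is a small POSIX shell script that parses the outputs quoted in the question (id root, the /etc/group line) and in Solution 2 (the sudo error) to flag the -1/4294967295 group id, and adds a guarded live check that only calls id and dscl when those tools exist. The sample strings are constructed copies of the lines shown above; the function names (list_gids, has_invalid_gid, group_line_gid, sudo_error_gids, diagnose_live) are choices of this example, not anything from macOS.

```shell
#!/bin/sh
# Added example: offline checks for the "sudo: 4294967295: invalid value"
# symptom. The SAMPLE_* values are constructed from the outputs quoted above.

# Constructed: what `id root` printed on the affected system.
SAMPLE_ID_ROOT='uid=0(root) gid=0(wheel) groups=0(wheel),4294967295(nogroup)'
# Constructed: the expected healthy form once root is no longer in nogroup (assumed).
SAMPLE_ID_ROOT_OK='uid=0(root) gid=0(wheel) groups=0(wheel)'
# Constructed: the /etc/group line from the question.
SAMPLE_GROUP_LINE='nogroup:*:-1:'
# Constructed: the sudo error from Solution 2.
SAMPLE_SUDO_ERR='sudo: 4294967295,701,33,98,100,204,250,395,398,399: invalid value'

# list_gids: print the numeric gid of every group in one line of `id` output,
# one per line (strips the "(name)" part).
list_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
}

# has_invalid_gid: return 0 if any group in the `id` output is -1 or its
# 32-bit unsigned wraparound 4294967295, which sudo rejects.
has_invalid_gid() {
    for g in $(list_gids "$1"); do
        if [ "$g" = "4294967295" ] || [ "$g" = "-1" ]; then
            return 0
        fi
    done
    return 1
}

# group_line_gid: print the gid field (third colon-separated field) of an
# /etc/group line, so a -1 entry can be spotted.
group_line_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# sudo_error_gids: pull the comma-separated gid list out of a
# "sudo: <gids>: invalid value" message, one gid per line.
sudo_error_gids() {
    printf '%s\n' "$1" | sed -n 's/^sudo: \(.*\): invalid value$/\1/p' | tr ',' '\n'
}

# diagnose_live: run the same checks against the running system when the
# macOS tools are present; does nothing (returns 0) on other platforms.
# Returns 1 when a problem is detected.
diagnose_live() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; skipping live check"
        return 0
    fi
    status=0
    if has_invalid_gid "$(id root 2>/dev/null)"; then
        echo "root is in a group with gid -1/4294967295 (see 'No Group' in Directory Utility)"
        status=1
    fi
    if ! dscl . read /Users/root >/dev/null 2>&1; then
        echo "dscl cannot find /Users/root: the root record (root.plist) is missing"
        status=1
    fi
    return $status
}

# Usage against the constructed samples:
if has_invalid_gid "$SAMPLE_ID_ROOT"; then
    echo "sample id output: root has an invalid gid"
fi
echo "nogroup gid in /etc/group: $(group_line_gid "$SAMPLE_GROUP_LINE")"
echo "gids named by sudo: $(sudo_error_gids "$SAMPLE_SUDO_ERR" | tr '\n' ' ')"
```

On a Mac you would run diagnose_live; both findings it can report map to the two solutions above (remove root from No Group, or restore the missing root record).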