Why can I not use `sudo` as a `Standard` user in macOS?

I do most of the "work" I do on my Mac as a Standard user (Apple parlance for an unprivileged user). I also frequently use the CLI (zsh mostly now) via the Terminal app. I use MacPorts as a package manager, and various utilities such as find, rsync, launchctl, ip, mount, log, softwareupdate, etc etc etc. As it frequently happens, something I am trying to do from the CLI requires privilege elevation via the sudo command.

However: According to this document, it seems that Apple does not support the use of sudo by Standard users:

Only administrator users can use sudo. If you’re not logged in as an administrator, you can do so by entering the following command, where adminUsername is the name of an administrator user:

% su adminUsername

This seems clumsy and inconvenient: su and then sudo. It is also at odds with the way sudo works on other platforms I use. Of course macOS requires Admin user authentication to perform some tasks in the GUI, but this is generally not the way that sudo operates; i.e. any user may be granted privileges to perform specified tasks by the Admin user for the system.

I won't ask "why" Apple does it this way as that can only be an opinion here, but I will ask if there is a work-around - can sudo on macOS be made to work as it does on other platforms?


Solution 1:

sudo on macOS does work as it does on other platforms - at least through macOS 10.15.6:

If you, as a "Standard" user, want or need privileges to perform certain tasks, those privileges may be granted by the Admin user in the sudoers file. If you are both the Admin user, and the unprivileged StandardJoe user, this becomes a bit trite, but here's how it works:

% su AdminUser
# authentication, and then:
Adminuser %

Now, as Adminuser, use the visudo command to edit the sudoers file:

Adminuser % sudo visudo

This will open the sudoers file in an editor (perhaps pico). This next step is not the way things would be done on a multi-user system, but in this case as there's only one user, and we're trying to make a point, we'll abandon convention & 'throw caution to the wind' :)

Add the following line to the sudoers file:

StandardJoeUser ALL = (ALL) /usr/sbin/visudo

Save the file, and exit the editor. Then exit the Admin user's shell:

Adminuser % exit
%

What have we just done? We have given your StandardJoeUser user permission to make any changes he wishes to the sudoers file. With that permission, you - as StandardJoeUser - can add the privileges you need - or ALL the privileges available to the Admin user if you choose.

To continue as StandardJoeUser, we'll now grant him the same privileges under sudo as the Admin user has:

% sudo visudo
# authenticate with StandardJoeUser's password

Again, the sudoers file is opened in the editor. This time, add the following line just below the one added previously:

StandardJoeUser ALL = (ALL) ALL

Once again, save & exit. Now - StandardJoeUser can sudo anything - same as the Admin user. There is no need to change to the Admin user (su); you may sudo under your Standard user's credentials.

Debating the wisdom of this change could be classified as opinion under SE rules, so I'll stop here. The answer to the question should be clear enough now: Yes, sudo on macOS does work the same as on other platforms; it seems the document you referenced could be classified as inaccurate under some definition of the word.