"/etc/sudoers is world writable" on Mac OS Mojave [duplicate]

Solution 1:

You can boot into single user mode by pressing Cmd-S on startup (see OS X: How to start up in single-user or verbose mode for details) which should give you a root shell. Then run

mount -uw /
chown root:wheel /etc/sudoers
chmod 440 /etc/sudoers
reboot

to fix the problem and restart.

Solution 2:

You can fix this via AppleScript, without needing to reboot, or even log out & back in, or an existing root shell, or... All you need is a valid administrator password.

Run this command:

osascript -e 'do shell script "chown root:wheel /etc/sudoers; chmod 440 /etc/sudoers; chmod -N /etc/sudoers" with administrator privileges'

...and then authenticate as an administrator when requested.

Explanation: this is a bit indirect. It uses the shell command osascript to run a short AppleScript that uses the do shell script command to run a short shell script. The reason for the shell->AppleScript->shell thing is to use the with administrator privileges option, which has much the same effect as sudo but will work even if /etc/sudoers is completely messed up.
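As an added example (not part of any answer on this page), the following portable shell function checks that a sudoers file is in the state Solutions 1 and 2 restore: owned by root:wheel, mode 440, and without an ACL. The function name `check_sudoers` and its optional uid/gid arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the answers on this page).
# check_sudoers FILE [UID] [GID]
#   UID and GID default to 0, i.e. root:wheel on macOS.
#   Returns 0 if clean, 1 if any check fails, 2 if FILE does not exist.
check_sudoers() {
    file=$1 want_uid=${2:-0} want_gid=${3:-0} rc=0

    [ -e "$file" ] || { echo "missing: $file"; return 2; }

    # ls -ldn prints the mode string, link count, numeric uid and gid on both
    # BSD (macOS) and GNU userlands; only fields 1, 3 and 4 are used.
    info=$(ls -ldn "$file" | awk '{print $1, $3, $4}')
    mode=${info%% *}              # e.g. -rw-rw-rw-+
    gid=${info##* }
    uid=${info#* }; uid=${uid% *}

    perms=$(printf '%s' "$mode" | cut -c2-10)   # rwx triplets only
    other_w=$(printf '%s' "$mode" | cut -c9)    # write bit for "other"
    acl=$(printf '%s' "$mode" | cut -c11)       # "+" marks an ACL

    if [ "$other_w" = "w" ]; then
        echo "FAIL: $file is world writable (fix: chmod 440)"; rc=1
    elif [ "$perms" != "r--r-----" ]; then
        echo "FAIL: mode is $perms, expected r--r----- (440)"; rc=1
    fi
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL: owner is $uid:$gid, expected $want_uid:$want_gid (fix: chown root:wheel)"; rc=1
    fi
    if [ "$acl" = "+" ]; then
        echo "FAIL: ACL present (fix on macOS: chmod -N)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}
```

Call it as `check_sudoers /etc/sudoers` after applying a fix; `visudo -c` covers the syntax side of the file.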

Solution 3:

For macOS Mojave, here is what worked for me:

  1. Start up in recovery mode (Cmd+R during boot up)
  2. Disk Utilities > Select Macintosh HD, and Mount
  3. Close Disk Utilities
  4. Utilities > Terminal
  5. Type: chown root:wheel "/Volumes/Macintosh HD/etc/sudoers"
  6. Reboot

You may also need to change the ownership of ts, back in the Terminal:

sudo su
sudo chown -R root:wheel /var/db/sudo/ts/

Solution 4:

Yosemite and earlier OSX keeps info on what permissions system files (i.e. files the OS installs) should be. Apple's doc

To restore this use Disk Utility.app.
Select the boot volume (by default called Macintosh HD) on the left hand side.
Click Verify Disk Permissions or Repair Disk Permissions - the latter will reapply the stored permissions.

To edit sudoers in the future I would use visudo, which checks that the edit is valid.

Re the root password: you probably have not set it before. The idea of sudo is that you never need to use it, and Apple disables root login by default.

Solution 5:

  1. Open Directory Utility (/System/Library/CoreServices/).
  2. Click the lock icon to unlock it, then enter your administrator name and password.
  3. Do one of the following:

    • Choose Edit > Enable Root User, then enter a root user password in the Password and Verify fields.
    • Choose Edit > Change Root Password, then enter a new root user password. You don't need an old password.
  4. Log in to Root
  5. Modify sudoers with visudo, as stated in the file:

    The original file looks like this:

    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    # Failure to use 'visudo' may result in syntax or file permission errors
    # that prevent sudo from running.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # Defaults specification
    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    # Runas alias specification
    
    # User privilege specification
    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    
    # Uncomment to allow people in group wheel to run all commands
    # %wheel    ALL=(ALL) ALL
    
    # Same thing without a password
    # %wheel    ALL=(ALL) NOPASSWD: ALL
    
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now
    

    Info:

    machine:~ user$ ls -l /private/etc/sudoers 
    -r--r-----  1 root  wheel  1275 13 Jun  2012 /private/etc/sudoers
    

    Using visudo to modify the file corrects file permissions automatically.

  6. Disable the root user again.