"/etc/sudoers is world writable” on Mac OS Mojave [duplicate]
Solution 1:
You can boot into single user mode by pressing Cmd-S on startup (see OS X: How to start up in single-user or verbose mode for details) which should give you a root shell. Then run
mount -uw /
chown root:wheel /etc/sudoers
chmod 440 /etc/sudoers
reboot
to fix the problem and restart.
Solution 2:
You can fix this via AppleScript, without needing to reboot, or even log out & back in, or an existing root shell, or... All you need is a valid administrator password.
Run this command:
osascript -e 'do shell script "chown root:wheel /etc/sudoers; chmod 440 /etc/sudoers; chmod -N /etc/sudoers" with administrator privileges'
...and then authenticate as an administrator when requested.
Explanation: this is a bit indirect. It uses the shell command osascript
to run a short AppleScript that uses the do shell script
command to run a short shell script. The reason for the shell->AppleScript->shell thing is to use the with administrator privileges
option, which has much the same effect as sudo
but will work even if /etc/sudoers is completely messed up.
Solution 3:
For macOS Mojave, here is what worked for me:
- Start up in recovery mode (Cmd+R during boot up)
- Disk Utilities > Select Macintosh HD, and Mount
- Close Disk Utilities
- Utilities > Terminal
- Type:
chown root:wheel "/Volumes/Macintosh HD/etc/sudoers"
- Reboot
You may also need to change the ownership of ts, back in the Terminal:
sudo su
sudo chown -R root:wheel /var/db/sudo/ts/
Solution 4:
Yosemite and earlier OSX keeps info on what permissions system files (i.e. files the OS installs) should be. Apple's doc
To restore this use Disk Utility.app.
Select the boot volume (by default called Macintosh HD) on the left hand side.
Click the Verify or Repair Disk Permissions - the latter will reapply the stored permissions.
To edit sudoers in the future I would use visudo which checks that the edit is valid
re the root password you probably have not set it before - the idea of sudo is that you never need to use it and Apple disables root login by default
Solution 5:
- Open
Directory Utility
(/System/Library/CoreServices/). - Click the lock icon to unlock it, then enter your administrator name and password.
-
Do one of the following:
- Choose Edit > Enable Root User, then enter a root user password in the Password and Verify fields.
- Choose Edit > Change Root Password, then enter a new root user password. You don't need an old password
- Login to Root
-
Modify sudoers with
visudo
like stated in the file:The original file looks like this:
# sudoers file. # # This file MUST be edited with the 'visudo' command as root. # Failure to use 'visudo' may result in syntax or file permission errors # that prevent sudo from running. # # See the sudoers man page for the details on how to write a sudoers file. # # Host alias specification # User alias specification # Cmnd alias specification # Defaults specification Defaults env_reset Defaults env_keep += "BLOCKSIZE" Defaults env_keep += "COLORFGBG COLORTERM" Defaults env_keep += "__CF_USER_TEXT_ENCODING" Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" Defaults env_keep += "LINES COLUMNS" Defaults env_keep += "LSCOLORS" Defaults env_keep += "SSH_AUTH_SOCK" Defaults env_keep += "TZ" Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" Defaults env_keep += "EDITOR VISUAL" Defaults env_keep += "HOME MAIL" # Runas alias specification # User privilege specification root ALL=(ALL) ALL %admin ALL=(ALL) ALL # Uncomment to allow people in group wheel to run all commands # %wheel ALL=(ALL) ALL # Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL # Samples # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now
Info:
machine:~ user$ ls -l /private/etc/sudoers -r--r----- 1 root wheel 1275 13 Jun 2012 /private/etc/sudoers
Using
visudo
to modify the file corrects file permissions automatically Disable the root user again.