Question: Q: not in the sudoers file
I’m on an iMac 2008, OS 10.10.5. I put a command into the terminal followed by my password (I am the administrator) and the terminal says I’m “not in the sudoers file. This incident will be reported”.
I’m in the Administrators Group membership in the Directory Utility.
Does anyone know what the problem is and how to correct it?
Posted on Oct 24, 2017 6:29 AM
At the Terminal prompt enter
this is what sudo is looking for, ASSUMING, your /etc/sudoers file is standard. But if you cannot elevate your privileges you cannot look inside /etc/sudoers 🙂
What I would expect to find in the /etc/sudoers file, that would allow you to elevate your admin privileges would be a line like the following:
You can also look at System Preferences -> Users & Groups and see if your account has «Admin» under your name.
Nov 5, 2017 5:42 AM
Thanks for replying.
I am listed as admin in system preferences.
I put id into the terminal and this is what came up:
Last login: Thu Oct 26 10:56:57 on console
uid=501(sayan) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),101(com.apple.sharepoint.group.1),402(com.apple.sharepoint.group.2),33(_appstore),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),701(com.apple.sharepoint.group.3)
Oct 26, 2017 3:17 AM
I’m going to ask a «Stupid» question.
Did the command start with
I ask, because the ‘sudo’ command is generally what outputs that error. But it is also possible that you were running a script and inside the script the identity was changed somehow, and it was trying to do the ‘sudo’ command as some other account on your system.
Can you actually show the full command you tried to enter?
If it was sudo and there were no funny options, then I have to wonder if the /etc/sudoers file is valid.
Have you been recently prompted to enter your Admin password to perform installs, or other GUI based Admin password prompts? These should just be GUI /etc/sudoers file checks.
Here is a GUI Admin test
Finder -> select a file (a junk file would be best)
Finder -> File -> Get Info
At the bottom right corner of the Get Info window should be a padlock, and hopefully it is locked.
Click on the padlock and hopefully you will be prompted to enter your Admin password
Nov 5, 2017 5:42 AM
All I did was enter “id” where the cursor was positioned. I’ve done it again and this is what it shows:
Last login: Fri Oct 27 11:31:36 on console
uid=501(sayan) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),101(com.apple.sharepoint.group.1),402(com.apple.sharepoint.group.2),33(_appstore),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),701(com.apple.sharepoint.group.3)
As far as I know I’m not running a script.
Yes, when I am prompted to enter my admin password it works ok. Also works opening the padlock on Get Info.
The only reason I have come up against this issue is that I was installing a software instrument in Logic and it wouldn’t play because it thinks I am not admin. Which I am.
Question: Q: Wanting To Change Sudoers File In Mac OS 10.15, And Finding An Old .Sudoers.Tmp.Swp File
I found this link looking for instructions to give permission to shut down the machine via an Apple script, without having to use sudo and needing a password: https://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/
However, it is pretty old and under 10.15 things might be different. I did however not find anything newer.
So, I did log in to sudo with: sudo visudo.
And got this. Now I am puzzled as to what to do.
Found a swap file by the name «/etc/.sudoers.tmp.swp»
owned by: root dated: Mon Jun 11 16:14:55 2012
file name: /private/etc/sudoers.tmp
user name: root host name: MBP.local
While opening file «/etc/sudoers.tmp»
dated: Fri Apr 17 23:52:22 2020
NEWER than swap file!
(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use «:recover» or «vim -r /etc/sudoers.tmp»
to recover the changes (see «:help recovery»).
If you did this already, delete the swap file «/etc/.sudoers.tmp.swp»
to avoid this message.
Swap file «/etc/.sudoers.tmp.swp» already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (D)elete it, (Q)uit, (A)bort:
What is interesting is that the file found (.sudoers.tmp.swp) is from 2012. This is a 2020 Macmini. So, I assume it has been imported from the old machine when I imported the identity.
My question is can I dump this without getting into trouble?
And while we are at it does anybody know of any up-to-date information about changing the sudoers file?
Mac mini 2018 or later
Posted on Sep 13, 2020 6:28 AM
Are you using a user name or the user ID to assign custom privileges?
If you are using the UserID, then you need to preface the uid with «#»:
So if the uid of «userIDAllowedToRunShutdown» is «501», then the line entry would be:
If «userIDAllowedToRunShutdown» is an alias, then make sure the uid’s listed in the alias are preceded with a «#». I just assumed «userIDAllowedToRunShutdown» was just a user name or valid alias. I got this by reviewing the man pages for sudoers.
I verified this format does work on macOS 10.12.
Posted on Sep 17, 2020 6:52 PM
Is there anything in those files which you may need? If not, then I believe you should be able to safely delete the «.tmp» & «.tmp.swp» files.
FYI, I recommend not modifying the main «sudoers» file directly. macOS allows you to create extra helper files in the «/etc/sudoers.d/» folder. It will treat the entries in the files in this directory the same as if the entries were in the main «sudoers» file. This is a much safer method since you are not touching the main «sudoers» file which could have dire consequences if you make a mistake. Of course for some situations it may be better to modify the main «sudoers» file. With Catalina, I’m not sure the exact path where the writable folders are located (perhaps «/private/etc/sudoers.d/» ?).
FYI, if you are not proficient with «vim» and prefer the easier to use «nano» to edit text files on the command line you can invoke «nano» when using «visudo» by doing this:
It will provide the same protections to verify the integrity of the «sudoers» file on exit.
To create a separate helper file for «sudoers», you would invoke the command with:
With Catalina the writable path may rather be:
(modify the path as appropriate if I am wrong that the writable area for Catalina’s «/etc» is «/private/etc/»).
The names of the files in the «sudoers.d/» folder do not need any file name extensions. The «visudo» utility will create the proper file permissions and verify the integrity of the file just like it does when modifying the main «sudoers» file. I find this a much better & safer way of making modifications at least for certain situations, plus you can separate out the individual custom permissions. Just keep in mind the way these files will be processed because the later entries processed will override earlier entries in other files or the «sudoers» file itself.
The entries in the «sudoers.d» folder may better survive OS updates and upgrades than modifications made directly to the «sudoers» file.
Sep 13, 2020 5:47 PM
HWTech, thanks. Wow, good stuff. I am on the road and had a quick read, will start to have a more serious look at your information later on. Good info about not working directly in «sudoers». I did not know this but suspected that it could be dangerous to work in it.
Sep 14, 2020 1:41 AM
PS HWTech. Are you aware of some simple information on the web about «sudoers» for total beginners like me?
Sep 14, 2020 1:42 AM
Hi, the path in 10.15 is correct btw > /private/etc/sudoers.d
OK I am at the machine. So did I correctly understand you and write in Terminal:
to create a new file in that folder? Because I get:
And next if I may, should I be able to create the file «allow-shutdown» in the «sudoers.d» folder, how do I access it to write in it?
Sep 14, 2020 3:56 AM
Should, in theory, try to create a file in /private/etc/sudoers.d/ called ».
However the characters in the name are reserved shell symbols used for IO redirection and are confusing the shell.
There are few restrictions on the names of files in this directory, though, so ‘/private/etc/sudoers.d/allow-shutdown’ (without the ), or ‘/private/etc/sudoers.d/list-of-users-who-can-shutdown-the-machine’ or anything else similar should work just as well 🙂
Sep 14, 2020 11:26 AM
> sudo EDITOR=nano visudo -f /private/etc/sudoers.d/
Correct. The OP can just name the file «allow-shutdown» by using this command:
Sep 14, 2020 9:02 PM
PS HWTech. Are you aware of some simple information on the web about «sudoers» for total beginners like me?
I’ll have to look around for some links. I think I did bookmark a few sites that I liked for future reference, but I’m not sure which computer has the bookmarks or notes. Most of the links will reference Linux, but most of the information should still apply to macOS.
Here are a couple of links from a quick search that can get you started (I have found better ones before):
You can also access the macOS manual «man» pages for «visudo» and «sudoers»:
You do need to be careful since you can inadvertently allow a user more permissions than expected by customizing the «sudoers» file. A lot of useful information and warnings can be found on posts on StackExchange and SuperUser forums (and others). Sometimes a thread on those sites can gather a good discussion about subtle ways a setting may allow for unexpected behavior so read all the comments as they can be very educational. Even those expert users sometimes don’t always realize the dangers of some options. You really want to minimize what you add and allow in this file so you don’t inadvertently open up a huge security hole.
I’m not sure how things work on macOS, but I know on Linux there are usually other ways to achieve the same goals without modifying the «sudoers» file. In the *nix world there are usually several ways to achieve a goal with some ways being better than others, but it all depends on what you are trying to do and achieve.
FYI, you should try to be very explicit on which commands and even options will apply to any custom settings. For example with your shutdown command you can have it be generalized where the user can have access to every option available with shutdown such as «-r» for reboot or «-h» for halt. Or you can make it so the user is only able to restart the computer by specifically specifying the «-r» option for the «shutdown» command in the «sudoers» file.
I would suggest creating a Virtual Machine or an external boot disk to experiment on.
Make sure to have a good backup just in case something goes wrong.
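The advice above about being explicit with commands and options, as an added example that is not part of the original thread: a POSIX shell audit that reports, for each rule in a sudoers drop-in, whether the granted command is unrestricted, allows any arguments (sudoers permits every argument when none are listed), or is pinned to specific arguments. The user names, uid 501 and the sample rules are constructed, and the parser assumes one-line rules without aliases or continuations.

```shell
#!/bin/sh
# Added example (not from the thread): classify each command a sudoers
# drop-in grants by how tightly its arguments are pinned.
# Assumptions: one-line user specs only; no Cmnd_Alias expansion, no
# backslash continuations, no escaped commas inside arguments.

audit_dropin() {
    # $1 = drop-in path; prints "<who> <verdict> <command>" per granted command
    awk '
    /^[ \t]*$/ { next }                                  # blank line
    /^[ \t]*#/ && !/^[ \t]*#[0-9]+[ \t]/ { next }        # comment, but keep "#uid" rules
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }         # settings and alias definitions
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                   # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)                # drop "(runas)"
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            while (c ~ /^[A-Z_]+:/) sub(/^[A-Z_]+:[ \t]*/, "", c)   # NOPASSWD: etc.
            sub(/[ \t]+$/, "", c)
            if (c == "ALL")           verdict = "UNRESTRICTED"   # any command
            else if (c !~ /[ \t]/)    verdict = "ANY-ARGS"       # every option allowed
            else                      verdict = "PINNED"         # only these arguments
            print who, verdict, c
        }
    }' "$1"
}

write_sample() {
    # Constructed sample; "alice", "bob" and uid 501 are placeholders.
    cat > "$1" <<'EOF'
# constructed sample drop-in
alice ALL=(root) NOPASSWD: /sbin/shutdown
#501  ALL=(root) NOPASSWD: /sbin/shutdown -r now
bob   ALL=(ALL) ALL
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_dropin "$sample"
rm -f "$sample"
```

Syntax checking is separate: `visudo -c -f <file>` validates a drop-in before it is installed.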