How to add a Mac OS User to sudoers
When I set up my Mac, I first configured the Admin-User and then created a new Standard-User for daily work. On my Mac I have the Admin-User AdminPR and the Standard-User patrick. When I am logged in as the Standard-User patrick, I cannot run commands as root in the Terminal app with sudo.
Patricks-Macbook Pro:~ patrick$ sudo cat /private/etc/sudoers
Password:
patrick is not in the sudoers file. This incident will be reported.
Add a Standard User to sudoers
To be able to run any command as root I must add the Standard-User to my /private/etc/sudoers file or I must put the Standard-User patrick into the sudo Group.
To get some information I list all Users on the system using the dscl command (Directory Service Command Line Tool). Here I find both of the Users I created, the Admin-User AdminPR and the Standard-User patrick. With the id command I can check the group memberships. The User AdminPR is a member of the admin Group and patrick is not in the admin Group.
Patricks-Macbook Pro:~ patrick$ dscl . -list /Users
.....
_amavisd
_analyticsd
_appinstalld
_appleevents
_applepay
....
_wwwproxy
_xserverdocs
AdminPR
daemon
nobody
patrick
root
Patricks-Macbook Pro:~ patrick$ id -nG AdminPR
staff com.apple.sharepoint.group.1 everyone localaccounts _appserverusr admin _appserveradm _lpadmin com.apple.sharepoint.group.2 _appstore _lpoperator _developer _analyticsusers com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.access_remote_ae
Patricks-Macbook Pro:~ patrick$ id -nG patrick
staff com.apple.sharepoint.group.2 everyone localaccounts access_bpf com.apple.sharepoint.group.1 _lpoperator
Patricks-Macbook Pro:~ patrick$
In the default User sudo specification any Users belonging to the admin Group are enabled to use sudo and can run any command as root. Therefore I must work with the admin user to make any changes to /private/etc/sudoers.
To check this I switch to my Admin-User using the su command in the Terminal and then I print the content of my /private/etc/sudoers file to the console using the cat command. In the User specification part of the /private/etc/sudoers file it is defined that members of the admin Group can run all commands as root using sudo ( %admin … ).
Patricks-Macbook Pro:~ patrick$ su AdminPR
Password:
The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
bash-3.2$ sudo cat /private/etc/sudoers
Password:
.....
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
....
bash-3.2$ exit
Patricks-Macbook Pro:~ patrick$
To enable my Standard-User patrick to run commands as root with sudo I basically have 2 options:
- I add the Standard-User patrick to the admin Group or
- I add the user patrick to the User specification part in the /private/etc/sudoers file.
Both tasks can currently only be performed using the Admin-User as this is the only user that can run sudo commands.
I decide to add user patrick to sudoers. So I su into the AdminPR account again and add the Standard-User patrick to the /private/etc/sudoers file in the User specification part as follows. I use my favorite editor nano for this.
Patricks-Macbook Pro:~ patrick$ su AdminPR
Password:
The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
bash-3.2$ sudo nano /private/etc/sudoers
Password:
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
patrick ALL = (ALL) ALL
bash-3.2$ exit
Patricks-Macbook Pro:~ patrick$
Finally I successfully check that the configuration works.
Patricks-Macbook Pro:~ patrick$ sudo cat /private/etc/sudoers
Password:
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
##
# Override built-in defaults
##
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"
Defaults lecture_file = "/etc/sudo_lecture"
##
# User alias specification
##
# User_Alias FULLTIMERS = millert, mikef, dowdy
##
# Runas alias specification
##
# Runas_Alias OP = root, operator
##
# Host alias specification
##
# Host_Alias CUNETS = 128.138.0.0/255.255.0.0
# Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
# Host_Alias SERVERS = master, mail, www, ns
# Host_Alias CDROM = orion, perseus, hercules
##
# Cmnd alias specification
##
# Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
patrick ALL = (ALL) ALL
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
Patricks-Macbook Pro:~ patrick$
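The sudoers file printed above states that it must be edited with visudo, and its last line reads drop-in files from /private/etc/sudoers.d. As an added example (not part of the original post), the script below writes the same rule for patrick as a drop-in file and installs it only after visudo -c -f accepts the syntax, so a typo cannot break sudo for every account. The function names and the SUDOERS_D override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install a sudoers rule as a validated drop-in file.
# SUDOERS_D can be overridden to try the script in a scratch directory.
SUDOERS_D="${SUDOERS_D:-/private/etc/sudoers.d}"

# Accept only plain account names. This keeps sudoers syntax such as
# '%group', '#uid', commas or spaces out of the rule, and keeps '.' out of
# the file name (sudo skips drop-in files whose name contains a '.').
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The same full grant the page adds for patrick.
rule_for() {
    printf '%s ALL = (ALL) ALL\n' "$1"
}

# Fail closed: no visudo, or a syntax error, means nothing gets installed.
check_syntax() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    visudo -c -f "$1" >/dev/null
}

install_dropin() {
    user="$1"
    valid_user "$user" || { echo "refusing user name: $user" >&2; return 1; }
    # Stage inside the target directory; the '.' in the temporary name
    # makes sudo ignore the file until it is renamed into place.
    tmp="$(mktemp "$SUDOERS_D/.stage.XXXXXX")" || return 1
    rule_for "$user" > "$tmp"
    if ! check_syntax "$tmp"; then
        echo "syntax check failed; nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp"                 # read-only, as sudo expects
    mv -f "$tmp" "$SUDOERS_D/$user"   # rename within one directory
}

# Run with a user name as the only argument, from an account that can sudo.
if [ "$#" -gt 0 ]; then
    install_dropin "$1"
fi
```

Saved under a hypothetical name such as add-sudoer.sh, it would be run from the AdminPR account as: sudo sh add-sudoer.sh patrick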