How to add a Mac OS User to sudoers

Date: 16.03.2021

Author: Patrick Rottländer

This article shows how to add a standard Mac OS User to the sudoers file so that this user can run commands as root in the Mac OS Terminal.

When I set up my Mac, I first configured the Admin-User and then created a new Standard-User for daily work. On my Mac I have the Admin-User AdminPR and the Standard-User patrick. When I am logged in as the Standard-User patrick, I cannot run commands as root with sudo in the Terminal app.

Patricks-Macbook Pro:~ patrick$ sudo cat /private/etc/sudoers
Password:
patrick is not in the sudoers file.  This incident will be reported.

Add a Standard User to sudoers

To be able to run any command as root I must add the Standard-User to my /private/etc/sudoers file or I must put the Standard-User patrick into the sudo Group.

To get some information, I list all Users on the system using the dscl command (Directory Service Command Line Tool). Here I find both of the Users I created: the Admin-User AdminPR and the Standard-User patrick. With the id command I can check the group memberships. The User AdminPR is a member of the admin Group and patrick is not in the admin Group.

Patricks-Macbook Pro:~ patrick$ dscl . -list /Users
.....
_amavisd
_analyticsd
_appinstalld
_appleevents
_applepay
....
_wwwproxy
_xserverdocs
AdminPR
daemon
nobody
patrick
root

Patricks-Macbook Pro:~ patrick$ id -nG AdminPR
staff com.apple.sharepoint.group.1 everyone localaccounts _appserverusr admin _appserveradm _lpadmin com.apple.sharepoint.group.2 _appstore _lpoperator _developer _analyticsusers com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.access_remote_ae

Patricks-Macbook Pro:~ patrick$ id -nG patrick
staff com.apple.sharepoint.group.2 everyone localaccounts access_bpf com.apple.sharepoint.group.1 _lpoperator

Patricks-Macbook Pro:~ patrick$ 

In the default User specification, any User belonging to the admin Group is allowed to use sudo and can run any command as root. Therefore I must work as the Admin-User to make any changes to /private/etc/sudoers.

To check this, I switch to my Admin-User using the su command in the Terminal and then print the content of my /private/etc/sudoers file to the console using the cat command. The User specification part of the /private/etc/sudoers file defines that members of the admin Group can run all commands as root using sudo ( %admin … ).

Patricks-Macbook Pro:~ patrick$ su AdminPR
Password:

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

bash-3.2$ sudo cat /private/etc/sudoers
Password:

.....

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root        ALL = (ALL) ALL
%admin      ALL = (ALL) ALL

....

bash-3.2$ exit
Patricks-Macbook Pro:~ patrick$

To enable my Standard-User patrick to run commands as root with sudo I basically have 2 options:

  • I add the Standard-User patrick to the admin Group or
  • I add the user patrick to the User specification part in /private/etc/sudoers file.

Both tasks can currently only be performed as the Admin-User, as this is the only user that can run sudo commands.

I decide to add the user patrick to sudoers. So I su into the AdminPR account again and add the Standard-User patrick to the User specification part of the /private/etc/sudoers file as follows. I use my favorite editor nano for this.

Patricks-Macbook Pro:~ patrick$ su AdminPR
Password:

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

bash-3.2$ sudo nano /private/etc/sudoers
Password:

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root        ALL = (ALL) ALL
%admin      ALL = (ALL) ALL
patrick     ALL = (ALL) ALL

bash-3.2$ exit
Patricks-Macbook Pro:~ patrick$ 

Finally, I check that the configuration works.

Patricks-Macbook Pro:~ patrick$ sudo cat /private/etc/sudoers
Password:

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.

##
# Override built-in defaults
##
Defaults    env_reset
Defaults    env_keep += "BLOCKSIZE"
Defaults    env_keep += "COLORFGBG COLORTERM"
Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults    env_keep += "LINES COLUMNS"
Defaults    env_keep += "LSCOLORS"
Defaults    env_keep += "SSH_AUTH_SOCK"
Defaults    env_keep += "TZ"
Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults    env_keep += "EDITOR VISUAL"
Defaults    env_keep += "HOME MAIL"

Defaults    lecture_file = "/etc/sudo_lecture"

##
# User alias specification
##
# User_Alias    FULLTIMERS = millert, mikef, dowdy

##
# Runas alias specification
##
# Runas_Alias    OP = root, operator

##
# Host alias specification
##
# Host_Alias    CUNETS = 128.138.0.0/255.255.0.0
# Host_Alias    CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
# Host_Alias    SERVERS = master, mail, www, ns
# Host_Alias    CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
# Cmnd_Alias    PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root        ALL = (ALL) ALL
%admin        ALL = (ALL) ALL
patrick     ALL = (ALL) ALL

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

Patricks-Macbook Pro:~ patrick$
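
To review the result of a change like this, the following added example (not part of the original article) lists every sudoers entry whose command list contains ALL, i.e. every user or group that can run any command as root. The function names, the sample text (built from the file shown above) and the restricted backupop line are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sudoers entries whose command list contains ALL.
# Not handled: backslash line continuations and "host = cmds : host = cmds" entries.

full_root_grants() {   # $1 = path to a sudoers file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*@include/ { next }  # comments, #includedir, blanks
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }             # settings and alias definitions
        {
            eq = index($0, "=")
            if (eq == 0) next
            who  = $1
            cmds = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)   # drop the "(runas)" part
            gsub(/[A-Z_]+:[ \t]*/, "", cmds)          # drop tags such as NOPASSWD:
            gsub(/[ \t]/, "", cmds)
            n = split(cmds, list, ",")
            for (i = 1; i <= n; i++) {
                if (list[i] == "ALL") {
                    kind = (substr(who, 1, 1) == "%") ? "group" : "user"
                    sub(/^%/, "", who)
                    print kind, who
                    break
                }
            }
        }
    ' "$1"
}

sample_sudoers() {   # constructed sample; backupop is a hypothetical restricted account
    cat <<'EOF'
Defaults    env_reset
Defaults    env_keep += "EDITOR VISUAL"
# User_Alias    FULLTIMERS = millert, mikef, dowdy
root        ALL = (ALL) ALL
%admin      ALL = (ALL) ALL
patrick     ALL = (ALL) ALL
backupop    ALL = (root) NOPASSWD: /usr/bin/rsync
#includedir /private/etc/sudoers.d
EOF
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
full_root_grants "$tmp"
rm -f "$tmp"
```

The sudoers file shown above states that it must be edited with visudo; `sudo visudo -c` checks the syntax of the installed file after a manual edit.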