Question

To run programs as sudo without password, I edited /etc/sudoers with wrong content.

Then I re-edited it with Mac's default text editor (of course sudo cannot be used when /etc/sudoers is wrong).

I tried to run sudo again, and got this error:

sudo: /etc/sudoers is owned by uid 501, should be 0
sudo: no valid sudoers sources found, quitting

What should I do? I cannot remember the root password (maybe I haven't ever set root password before).


Solution

You can boot into single user mode by pressing Cmd-S on startup (see OS X: How to start up in single-user or verbose mode for details) which should give you a root shell. Then run

mount -uw /
chown root:wheel /etc/sudoers
chmod 440 /etc/sudoers
reboot

to fix the problem and restart.
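
A check for the state that fix is meant to produce, as an added example that is not part of the original answer: it reads the numeric owner and mode of a sudoers file and reports mismatches in the same terms as the sudo error in the question. The function name `check_sudoers` and its optional uid/gid arguments are assumptions of this example; the uid/gid default to 0 and exist only so the check can be tried on a scratch file.

```shell
#!/bin/sh
# Added example: verify that a sudoers file has the owner and mode that the
# chown/chmod fix above sets. Expected uid/gid default to 0 (root:wheel on
# macOS); they are parameters only so the check can run on a scratch file.
check_sudoers() {
    file=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    status=0

    # Refuse symlinks and non-regular files before looking at ownership.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 2
    fi

    # "ls -ln" prints numeric ids on macOS and Linux alike.
    read -r mode _links uid gid _rest <<EOF
$(ls -ln "$file")
EOF
    perms=$(printf '%s' "$mode" | cut -c1-10)
    flag=$(printf '%s' "$mode" | cut -c11-)

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, should be $want_uid"
        status=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "FAIL: $file has gid $gid, should be $want_gid"
        status=1
    fi
    if [ "$perms" != "-r--r-----" ]; then
        echo "FAIL: $file mode is $perms, should be -r--r----- (0440)"
        status=1
    fi
    # A trailing "+" in the ls mode column means an ACL is attached.
    if [ "$flag" = "+" ]; then
        echo "WARN: $file carries an ACL; review it"
    fi

    if [ "$status" -eq 0 ]; then echo "OK: $file is $uid:$gid $perms"; fi
    return "$status"
}

# Run against a real file only when a path is given, e.g.
#   sh check_sudoers.sh /etc/sudoers
if [ "$#" -gt 0 ]; then check_sudoers "$1"; fi
```

The exit status is 0 when owner, group and mode all match, 1 on any mismatch, and 2 when the path is not a regular file.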

Other tips

For macOS Mojave, here is what worked for me:

  1. Start up in recovery mode (Cmd+R during boot up)
  2. Disk Utilities > Select Macintosh HD, and Mount
  3. Close Disk Utilities
  4. Utilities > Terminal
  5. Type: chown root:wheel "/Volumes/Macintosh HD/etc/sudoers"
  6. Reboot

You may also need to change the ownership of ts, back in the Terminal:

sudo su
sudo chown -R root:wheel /var/db/sudo/ts/

Yosemite and earlier OSX keeps info on what permissions system files (i.e. files the OS installs) should be. Apple's doc

To restore this use Disk Utility.app.
Select the boot volume (by default called Macintosh HD) on the left hand side.
Click the Verify or Repair Disk Permissions - the latter will reapply the stored permissions.

To edit sudoers in the future I would use visudo, which checks that the edit is valid.

Re the root password: you probably have not set it before. The idea of sudo is that you never need to use it, and Apple disables root login by default.

  1. Open Directory Utility (/System/Library/CoreServices/).
  2. Click the lock icon to unlock it, then enter your administrator name and password.
  3. Do one of the following:

    • Choose Edit > Enable Root User, then enter a root user password in the Password and Verify fields.
    • Choose Edit > Change Root Password, then enter a new root user password. You don't need an old password.
  4. Log in to root
  5. Modify sudoers with visudo like stated in the file:

    The original file looks like this:

    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    # Failure to use 'visudo' may result in syntax or file permission errors
    # that prevent sudo from running.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # Defaults specification
    Defaults    env_reset
    Defaults    env_keep += "BLOCKSIZE"
    Defaults    env_keep += "COLORFGBG COLORTERM"
    Defaults    env_keep += "__CF_USER_TEXT_ENCODING"
    Defaults    env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults    env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults    env_keep += "LINES COLUMNS"
    Defaults    env_keep += "LSCOLORS"
    Defaults    env_keep += "SSH_AUTH_SOCK"
    Defaults    env_keep += "TZ"
    Defaults    env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults    env_keep += "EDITOR VISUAL"
    Defaults    env_keep += "HOME MAIL"
    
    # Runas alias specification
    
    # User privilege specification
    root    ALL=(ALL) ALL
    %admin  ALL=(ALL) ALL
    
    # Uncomment to allow people in group wheel to run all commands
    # %wheel    ALL=(ALL) ALL
    
    # Same thing without a password
    # %wheel    ALL=(ALL) NOPASSWD: ALL
    
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now
    

    Info:

    machine:~ user$ ls -l /private/etc/sudoers 
    -r--r-----  1 root  wheel  1275 13 Jun  2012 /private/etc/sudoers
    

    Using visudo to modify the file corrects file permissions automatically

  6. Disable the root user again.

You can fix this via AppleScript, without needing to reboot, or even log out & back in, or an existing root shell, or... All you need is a valid administrator password.

Run this command:

osascript -e 'do shell script "chown root:wheel /etc/sudoers; chmod 440 /etc/sudoers; chmod -N /etc/sudoers" with administrator privileges'

...and then authenticate as an administrator when requested.

Explanation: this is a bit indirect. It uses the shell command osascript to run a short AppleScript that uses the do shell script command to run a short shell script. The reason for the shell->AppleScript->shell thing is to use the with administrator privileges option, which has much the same effect as sudo but will work even if /etc/sudoers is completely messed up.

In Terminal:

  1. Type sh or sudo sh (in my case I accidentally set chown -R / so sudo is me; no need for sudo anymore, using sh)
  2. In sh, type cd /var/db/sudo/, then do ls -ln to check if it's the same as these:

    total 0
    drwxr-xr-x  2 501  0   68 Oct 23 23:56 yourusername
    drwx------  3 501  0  102 Nov 24 00:57 ts
    
  3. then type ls -la and you'll get these:

    total 0
    drwx--x--x   4 yourusername   wheel   136 Oct 23 23:56 .
    drwxr-xr-x  80 yourusername   wheel  2720 Nov 24 01:55 ..
    drwxr-xr-x   2 root  wheel    68 Oct 23 23:56 yourusername
    drwx------   3 root  wheel   102 Nov 24 00:57 ts
    

The results above show that yourusername is set to wheel, which it isn't supposed to be. It should normally look like this:

total 0
drwx--x--x   4 root  wheel   136 Oct 23 23:56 .
drwxr-xr-x  80 root  wheel  2720 Nov 24 01:55 ..
drwxr-xr-x   2 root  wheel    68 Oct 23 23:56 yourusername
drwx------   3 root  wheel   102 Nov 24 00:57 ts

See the difference?

Now, we want to fix it. Here's what I did:

  1. Still in sh, I typed chown -R root:wheel /var/db/sudo/yourusername to change it to UID 0 instead of UID 501 as above case
  2. Do the same for ts, chown -R root:wheel /var/db/sudo/ts/, then check the permissions again with ls -ln; it should look like this:

    total 0
    drwxr-xr-x  2 0  0   68 Oct 23 23:56 dan
    drwx------  3 0  0  102 Nov 24 00:57 ts

    UID is now set to 0 and not 501.

  3. Now we do the same for .. and . by running chown -R root:wheel /var/db/sudo/./ and then chown -R root:wheel /var/db/sudo/../, and you'll get results as No. 4 above.

Now we want to fix /etc/sudoers owned by UID 501.

  1. Still in sh, first check permission by running ls -ln /private/etc/sudoers and it should get this:

    -r--r-----  1 501  0  1563 Nov 14 17:53 /private/etc/sudoers
    

Notice the UID 501? We want it to become UID 0.

  1. So, run this command chown -R root:wheel /private/etc/sudoers and then ls -ln /private/etc/sudoers again to check if the permission changes to this:

    -r--r-----  1 0  0  1563 Nov 14 17:53 /private/etc/sudoers
    

So try sudo as you would again and see if that does the trick.

With all that, I have to remind you that I am not responsible for your machine after following these steps, but at least this is what works for me.

Great and simple for High Sierra: no sudo, no recovery, just (verify/repair permissions)

  1. First step: diskutil resetUserPermissions / `id -u`
  2. Second item: choose the folder via Finder -> Information -> unlock and choose the Setting Wheel at the bottom -> Apply to enclosed Items

done!

https://support.apple.com/en-us/HT203538

If it is still relevant, this is my solution to this problem. I'm not booting into single user mode. It will work if you have the root password.

su -
mount -uw /
chown root:wheel /etc/sudoers
chmod 440 /etc/sudoers
reboot

This worked for me: (No root password, but admin access required)

  1. Created another admin account test
  2. Manually set its uid to 0 (right click on account > Advanced Options)
  3. Restart the system, login via test (a lot of errors will pop-up, cancel/ok all of them)
  4. Go to cd /etc/ and chown -R $(whoami) sudoers (The sudo error will go away now, but removing test we have to undo everything)
  5. Restart the system and login with your normal account
  6. Manually set test uid to 502 (or 500+something that is not taken by other admins)
  7. Remove the test account
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange