sudoers: Permission denied

Looking through my logs I see this error a lot:
30.12.07 23.32.55 sudo[18843] kse : can't open /private/etc/sudoers: Permission denied ; TTY=ttys000 ; PWD=/ ; USER=root ; COMMAND=/bin/echo openrootshell

There are lots of other errors and strange things happening on my Mac and maybe this is the cause of a lot of it. It's pretty essential.

Looking at the file I see that owner, group and others have read only access to the file. I tried to change it like this with my basic Unix knowledge.

sudo chmod u+w sudoers

but get the error:
sudo: can't open /private/etc/sudoers: Permission denied

I have repaired permissions. What can I do?

iMac G5 20, Mac OS X (10.5.1)

Posted on Dec 30, 2007 2:47 PM


Dec 30, 2007 3:19 PM in response to Knut Harald Støre

Knut Harald Støre wrote:
Looking through my logs I see this error a lot:
30.12.07 23.32.55 sudo[18843] kse : can't open /private/etc/sudoers: Permission denied ; TTY=ttys000 ; PWD=/ ; USER=root ; COMMAND=/bin/echo openrootshell

All that this message says to me is that you attempted the command sudo echo openrootshell and were not permitted. What is this "openrootshell"?

Looking at the file I see that owner, group and others have read only access to the file. I tried to change it like this with my basic Unix knowledge.

That is correct, and you should not, absolutely not, change these. Verify your permissions on the sudoers file with
ls -al /private/etc/sudoers

You should see something like this:

-r--r----- 1 root wheel 1135 24 Sep 03:29 /private/etc/sudoers



I have repaired permissions. What can I do?

The first thing is to tell us what this "openrootshell" thing is.

Dec 31, 2007 1:16 AM in response to Knut Harald Støre

This may be a problem. I'd expect root to have full access to this file. But as your root account doesn't have write access, you can't change it. I'd suggest that you boot off the OS DVD and use the Terminal to make changes from there. If this doesn't work (as I have no idea how root privileges work when booted from DVD, I've never had to do it), then I suggest that you get access to another Mac and use Target Disk Mode. I know that you can ignore permissions in TDM.

Dec 31, 2007 9:46 AM in response to Daniel Ebeck

Michael Conniff who first answered my post said those permissions were correct and I should absolutely not change them. I also see on another Mac that the file has the same read only permissions for owner and group.

What seems to be the actual problem is that I am not allowed to use sudo even though I am an administrator user. How can I fix this? Just typing sudo gives the same error:

sudo: can't open /private/etc/sudoers: Permission denied

On the other Mac I can even read the sudoers file using "sudo cat sudoers"

Dec 31, 2007 10:00 AM in response to Daniel Ebeck

NO, root should not have write access to this file by default. root can always change the permissions if needed, but really shouldn't. The sudoers file should always be edited by the visudo command which locks the file and does grammatical checking. If it were incorrectly edited, much of the system would break. visudo will work even with the read-only permissions.

The answer to Knut's problem is not to change permissions on the sudoers file: these permissions are quite possibly preventing something much worse happening. The name "openrootshell" is in itself suspicious.

Dec 31, 2007 10:09 AM in response to Knut Harald Støre

Knut Harald Støre wrote:
I have no idea what openrootshell is.

Then we need to find out what it is.

I have not tried to open anything like that. Must be done by some background process.

This makes it sound even more suspicious. But on reflection I doubt any real malware would choose such a giveaway name as "openrootshell".

First, restart your system in Safe Mode: see Mac OS X: Starting up in Safe Mode, and Mac OS X: What is Safe Boot, Safe Mode?.

Run like this for a while and check your logs to see if you still get the message.

You can while away a little time by looking for "openrootshell":
sudo find / -name openrootshell

Dec 31, 2007 10:19 AM in response to Knut Harald Støre

Knut Harald Støre wrote:
What seems to be the actual problem is that I am not allowed to use sudo even though I am an administrator user. How can I fix this? Just typing sudo gives the same error:

sudo: can't open /private/etc/sudoers: Permission denied

Ah! Some additional information 🙂

Are you sure you are an admin user? Open the Terminal (from /Applications/Utilities) and copy and paste the following into the Terminal window, one line at a time, with a return after each line:
id
dscl . read /groups/admin
dscacheutil -q user -a name `id -un`

Copy and paste the result from the Terminal window to a post here.

Do you have another admin account? If not, are you able to make one?

Dec 31, 2007 10:22 AM in response to Michael Conniff

Here are the results:

[Macro:/private/etc] kse% id
uid=507(kse) gid=507(kse) groups=507(kse),98( lpadmin),81(_appserveradm),102(com.apple.sharepoint.group.2),79(appserverusr),101(com.apple.sharepoint.group.1),80(admin)
[Macro:/private/etc] kse% dscl . read /groups/admin
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
GroupMembership: root kse
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin
RecordType: dsRecTypeNative:groups
SMBSID: S-1-5-32-544
[Macro:/private/etc] kse% dscacheutil -q user -a name `id -un`
name: kse
password: ******
uid: 507
gid: 507
dir: /Users/kse
shell: /bin/bash
gecos: Knut Støre

Dec 31, 2007 11:05 AM in response to Knut Harald Støre

Hi Knut

All that seems to be in order: you are an admin user and the admin group knows about you (sometimes one half of the link gets broken).

You didn't answer my final question: "Do you have another admin account? If not, are you able to make one?" but I can see you don't have another admin user. Are you able to make one? (Either give an existing account admin privileges, or make a new admin account for test purposes only). It would be a lot easier (and safer) than messing around in Single User Mode.

BTW, you can avoid the "strikethrough" on your Terminal prompt, and the extra wide post, if you enclose your quoted Terminal output in {code} ... {code} indicators (yes—that is correct, no '/' in the closing {code}).

Dec 31, 2007 4:55 PM in response to Michael Conniff

I used to have another admin account but deleted it yesterday because of some other errors in the logs apparently related to it. I just made another one and logged into it using fast user switching. Then I get the famous blue background and a mouse cursor and that's it. I cannot do anything not even switch back to my regular user which is running in the background. I also tried logging into the new account from another computer using ssh. I entered my password and now that login hangs too.
I go to sleep now and I'll let it run until the morning and see if it has made any progress.

I just cleaned out all my caches using Leopard cache cleaner to see if that would make any difference. I hope the slowness is caused by that. Logging into the machine afterwards took forever and the first time I had to force quit it.

But that didn't help either. This machine is obviously pretty messed up. I have other errors like not being able to sync my mail account using .mac, numerous errors related to fonts in the logs etc. Do you think doing an archive and install will solve the permissions problem? I'm kind of ready for that now.

Jan 1, 2008 8:24 AM in response to Knut Harald Støre

Knut Harald Støre wrote:
This machine is obviously pretty messed up … Do you think doing an archive and install will solve the permissions problem? I'm kind of ready for that now.

I think you're probably right to consider an A&I, since everything we attempt seems to just hit another problem.

Not having done an A&I in 10.5, I'm not sure whether to recommend you tick the preserve settings box. Perhaps try it, and only if this doesn't work repeat without preserving settings.

Let us know how you get on.

Jan 2, 2008 4:49 AM in response to Michael Conniff

I tried to do Archive and install. The installation failed with some error about the printer drivers! I don't remember the exact message. It left a previous system folder that contained everything on the machine, not just the system files, even the user folders! I was forced to do an erase and install but it was ok since I had a time machine backup to get everything back.

Now the permission denied error messages seem to have gone and I can run sudo. So I ran the sudo find command for openrootshell which didn't find anything. The command still runs every minute or so but now it doesn't fail:

02.01.08 13.43.07 sudo[5624] kse : TTY=ttys001 ; PWD=/ ; USER=root ; COMMAND=/bin/echo openrootshell

I still have most of the other problems I had before the reinstall so I have some more work to do but now I am going on a 1 month vacation so it will have to wait.

Thank you for your help.
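An added example, not part of the thread: one way to pick a background process like the "openrootshell" caller out of a sudo log is to group entries by user and command and flag those that recur at a near-constant interval. The line layout follows the log lines quoted above; the function names, thresholds and most sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Layout as quoted in the thread: "dd.mm.yy hh.mm.ss sudo[pid] user : [reason ; ]KEY=value ; ..."
LINE_RE = re.compile(r"^(\d\d\.\d\d\.\d\d \d\d\.\d\d\.\d\d) sudo\[\d+\] (\S+) : (.*)$")
DENIED = "can't open /private/etc/sudoers: Permission denied ; "
TAIL = "TTY=ttys000 ; PWD=/ ; USER=root ; COMMAND=/bin/echo openrootshell"
SAMPLE = [  # lines 1 and 5 follow the thread; the others are constructed
    "30.12.07 23.32.55 sudo[18843] kse : " + DENIED + TAIL,
    "30.12.07 23.33.56 sudo[18851] kse : " + DENIED + TAIL,
    "30.12.07 23.34.55 sudo[18860] kse : " + DENIED + TAIL,
    "30.12.07 23.35.57 sudo[18872] kse : " + DENIED + TAIL,
    "02.01.08 13.43.07 sudo[5624] kse : " + TAIL.replace("ttys000", "ttys001"),
    "30.12.07 23.40.01 sudo[18900] anna : TTY=ttys002 ; PWD=/ ; USER=root ; COMMAND=/bin/ls /var/log",
]

def parse_line(line):
    """Parse one sudo log line, or return None; a failure reason, if any, precedes KEY=value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    head, _, command = m[3].partition("COMMAND=")
    parts = [p.strip() for p in head.split(" ; ") if p.strip()]
    error = parts.pop(0) if parts and not re.match(r"[A-Z]+=", parts[0]) else None
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    return {"time": datetime.strptime(m[1], "%d.%m.%y %H.%M.%S"), "user": m[2],
            "error": error, "runas": fields.get("USER"), "command": command.strip()}

def recurring_commands(lines, min_runs=3, jitter=0.25):
    """Flag (user, run-as, command) groups that repeat at a near-constant interval."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        groups[(rec["user"], rec["runas"], rec["command"])].append(rec)
    findings = []
    for (user, runas, command), recs in groups.items():
        if len(recs) < min_runs:
            continue
        times = sorted(r["time"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Gaps close to the median count as regular; a long outage is tolerated.
        regular = [g for g in gaps if abs(g - mid) <= jitter * mid]
        if len(regular) >= min_runs - 1:
            findings.append(dict(user=user, runas=runas, command=command, runs=len(recs),
                                 period_s=mid, failures=sum(r["error"] is not None for r in recs)))
    return findings

print(recurring_commands(SAMPLE))
```

A command flagged this way points to a scheduled job or helper process rather than something typed at a prompt, so the next place to look is whatever launches jobs for that user.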
