23 Replies Latest reply: Jul 6, 2008 9:44 AM by j.v.
Glynn Level 4 (1,375 points)
Hello All, I am going crazy and I know there has to be something very simple that I'm missing. I am the only user on this computer; the only other accounts are root and guest. The user profile shows my name and Admin as the type of account. When I try to use "sudo" in Terminal it asks for my password and denies it and says to Ctrl-C to exit... I think. I did an id in Terminal and it shows me as id 501 gid 501 but I am not listed in the Admin group 80.

How do I add myself to group 80?

Thanks, Glynn

iBook 14.1 G3 700mhz, G4 1.33Gz,iMac G5 2.1Gz 2Gm, Macbook 2.3 Gz, Mac OS X (10.4.11)
  • etresoft Level 7 (27,125 points)
    In the Accounts preference pane, click the box that says "Allow user to administer this computer".
  • Glynn Level 4 (1,375 points)
    It is already checked. I disabled it, restarted, re-enabled it, restarted and still cannot sudo from the command line... I am still not in the Admin group. I can su root and work from sh-3.2# but would prefer to use the sudo command.
  • Clea Rees Level 4 (1,245 points)
    First, a caveat: if you are the only admin user and you are not in group admin (and you do not know why), your system likely has serious issues which may cause you all kinds of problems and may have security implications. You would be well-advised to reinstall the OS in this case.

    Assuming you are on Tiger...

    Before you make changes, you must make sure that the NetInfo database is backed up. This is one of the daily cron jobs but you should ensure that it has run and, if it were me, I would copy the backups to other names to make sure they do not get overwritten. (Just in case you screw up the database and before you can restore from backup, the daily job backs up your new version overwriting the backup.) You can find details in /etc/periodic/daily/500.daily - scroll down to "Backing up the NetInfo database". Get the location of the backups, check they exist and copy them to other names leaving them in the backup directory and making sure the ownership and permissions are the same on the backups you create as on those created by the cron job. The likely location is /var/backups and the backups will be named *.nidump (e.g. localhost.nidump etc.). You will have to su to root as you can't sudo, cd into the directory and copy the files to other names.

    Now open NetInfo Manager. Figure out what you are going to do before authenticating. Note that I'm not sure this method will work - it shouldn't, in fact, but try it. Highlight the local domain in the far left column ("/"), then "groups" in the next column, then "admin" in the right column. Underneath, you will see a line with "Users" on the left. Highlight this. Click the lock to authenticate. Choose "Insert new value" from the Directory menu. Type your short user name. Click the lock to deauthenticate. You will be asked if you are sure you want to make the changes/update this copy. Confirm this.

    This assumes you have not changed things too much from the Tiger defaults. E.g. that you have not changed the sources the system looks at for information about users and groups. If you have changed things from the Apple defaults, obviously you may need to make different changes.

    As I say, this shouldn't work as the NetInfo Manager shouldn't let you authenticate. I don't know if you can use the root username and password. If not, you can make the changes from the command line after suing to root.

    - cfr
  • glsmith Level 3 (875 points)
    From the command line, you should be able to do something like this (as root):

    root# dscl . -append /Groups/admin GroupMembership <your username>

    Then check if that succeeded by using the "id" command.

    This may not restore sudo capability to you, however. I'd also check the /private/etc/sudoers file and ensure that your username is indeed listed there...
  • Clea Rees Level 4 (1,245 points)
    Interesting. Is dscl (relatively) new? It exists in Tiger, apparently. I was thinking of using the NetInfo specific commands to achieve this which have disappeared in Leopard. When did dscl appear? It strikes me as clearer than the ni-- commands so I'm wondering why I've never seen this method mentioned before! The manpage says 2003 but it doesn't even seem to be listed in my book on Tiger...

    - cfr
  • Glynn Level 4 (1,375 points)
    Thanks for the answer... Color me stupid, but this iMac is running 10.5.2. Sorry to overwork you...

    Cheers, Glynn
  • Glynn Level 4 (1,375 points)
    Thanks, I tried entering:
    sh-2.3#dscl .-append /Groups/admin GroupMembership HomeFolderName

    And it returns:Cannot open remote host, error: DSOpenDirServiceErr

    I also ran:
    sudo cat /etc/sudoers

    And the return is still:

    WARNING: Improper use of the sudo command could lead to data loss
    or the deletion of important system files. Please double-check your
    typing when using sudo. Type "man sudo" for more information.

    To proceed, enter your password, or type Ctrl-C to abort.


    The sudoers file reads like this:

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # Defaults specification
    Defaults env_reset
    Defaults env_keep += "BLOCKSIZE"
    Defaults env_keep += "COLORFGBG COLORTERM"
    Defaults env_keep += "_CF_USER_TEXTENCODING"
    Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults env_keep += "LINES COLUMNS"
    Defaults env_keep += "LSCOLORS"
    Defaults env_keep += "SSHAUTHSOCK"
    Defaults env_keep += "TZ"
    Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults env_keep += "EDITOR VISUAL"

    # Runas alias specification

    # User privilege specification
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    I looked into using visudo to edit the file but the options given in --help do not say how to open and edit the file.

    Message was edited by: Glynn
  • glsmith Level 3 (875 points)
    When I read the original post, I failed to see that he was running a version of Tiger. Though dscl is available in 10.4, I'm not sure if it always was, or if it came in some dot release. I was doing my testing on a 10.5 system.

    And I agree, it is a lot cleaner than the older methods...
  • glsmith Level 3 (875 points)
    You should be able to cat the sudoers file as root, without needing sudo to do it. Try it as the root user and you won't get that error. Looking at the output of that file, it doesn't appear like your username is in there. That's going to prevent you from using sudo. "visudo" is just a wrapper around the "vi" editor, and is designed to open all the correct things for you -- all you need to do (as root) is type "visudo" at the command prompt and add the appropriate information. Type "man visudo" for more information.

    As for the dscl command, it could be the formatting of the post, but there should be a space between the utility ("dscl"), the datasource (".") and the command ("-append"). You could also try a simpler command to list the current properties of the admin group:

    root# dscl . -read /Groups/admin

    Does that invocation work?

    This works for me on a 10.5.2 system, and a 10.4.11 system, so if it's not a simple formatting issue then perhaps there's more messed up on your system than just group affiliation...
  • Clea Rees Level 4 (1,245 points)
    Glynn wrote:
    Thanks, I tried entering:
    sh-2.3#dscl .-append /Groups/admin GroupMembership HomeFolderName

    And it returns:Cannot open remote host, error: DSOpenDirServiceErr

    I also ran:
    sudo cat /etc/sudoers

    And the return is still:

    WARNING: Improper use of the sudo command could lead to data loss
    or the deletion of important system files. Please double-check your
    typing when using sudo. Type "man sudo" for more information.

    To proceed, enter your password, or type Ctrl-C to abort.


    This is normal. It happens the first time a user uses sudo. If you've never used sudo (successfully) before, this is what you would see. The question is: what happens if you enter your password?

    The sudoers file reads like this:


    You're reading this after suing to root?

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # Defaults specification
    Defaults env_reset
    Defaults env_keep += "BLOCKSIZE"
    Defaults env_keep += "COLORFGBG COLORTERM"
    Defaults env_keep += "_CF_USER_TEXTENCODING"
    Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
    Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
    Defaults env_keep += "LINES COLUMNS"
    Defaults env_keep += "LSCOLORS"
    Defaults env_keep += "SSHAUTHSOCK"
    Defaults env_keep += "TZ"
    Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
    Defaults env_keep += "EDITOR VISUAL"

    # Runas alias specification

    # User privilege specification
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL


    This looks OK to me. It isn't what I have but I'm on Tiger. Can somebody on Leopard compare?

    You do not need to be personally named in the sudoers file. You're already covered by what's here.

    Earlier, you said "I did an id in terminal and it shows me as id 501 gid 501". I don't think this is correct. Setting non-membership of the Admin group aside, you appear to be in your own, personal group - but that's not supposed to be so on Leopard. Because you listed Tiger in your specs, I thought this looked right - on Tiger, all users are in a personal, unique-to-each group. But that's not supposed to be so on Leopard. You should be in the Staff group instead. Did you upgrade from Tiger and, if so, what options did you select during the install process?

    - cfr
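The point made in the post above (the posted sudoers file grants sudo through `%admin`, so it is group membership, not a personal entry, that decides) can be checked mechanically. This is an added example, not part of the original thread: the function names, the short user name `glynn` and the group lists are hypothetical, and the sample file is a constructed excerpt of the sudoers file quoted above.

```shell
#!/bin/sh
# Added example: find which sudoers rule, if any, covers a user, given the
# user's group list as printed by `id -Gn <user>`.
# Simplified on purpose: no aliases, #include files or #uid entries.

# Constructed sample: the privilege lines of the sudoers file posted above.
sample_sudoers() {
cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
EOF
}

# sudoers_match USER "GROUP1 GROUP2 ..." < sudoers-file
# Prints the first active rule naming USER or %GROUP; returns 1 if none.
sudoers_match() {
    awk -v user="$1" -v gl="$2" '
        BEGIN { n = split(gl, g, " ")
                for (i = 1; i <= n; i++) member["%" g[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }               # comments, blank lines
        $1 == "Defaults" || $1 ~ /_Alias$/ { next }  # not privilege rules
        $1 == user || ($1 in member) { print; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# explain USER "GROUPS": one-line verdict against the sample file.
explain() {
    if rule=$(sample_sudoers | sudoers_match "$1" "$2"); then
        echo "sudo allowed for $1 via: $rule"
    else
        echo "sudo refused for $1: no rule names the user or groups ($2)"
        return 1
    fi
}

# Hypothetical account: only in a personal group, then also in admin.
explain glynn "glynn" || true
explain glynn "glynn admin"

# On a live system, as root (sudoers is not world-readable):
#   sudoers_match "$u" "$(id -Gn "$u")" < /etc/sudoers
```

A refusal with an unmodified sudoers file points at the directory record for the admin group rather than at the sudoers file, which is what `dscl . -read /Groups/admin` shows.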
  • glsmith Level 3 (875 points)
    It's roughly the same on Leopard.

    Based on that file, he's only ok if he's a member of the admin group, which is the whole problem

    I'm still curious why the dscl command didn't work for him. Maybe it's PEBKAC.

    Glynn, can you post the output of "id"?
  • etresoft Level 7 (27,125 points)
    glsmith wrote:
    Based on that file, he's only ok if he's a member of the admin group, which is the whole problem


    There is clearly a "problem" here that no one has addressed. They just jumped into dscl, trying to fix things, before investigating exactly what the problem is. No one should have to run dscl to get sudo running unless there were serious problems to begin with. Those problems will remain and surface at some later date.

    I don't run Tiger anymore so I don't know what the default setup looks like. But I do know that a user can be a member of multiple groups. I also know that an Admin user should be able to do sudo. If not, there is a problem that probably isn't going to be fixed by dscl.
  • Clea Rees Level 4 (1,245 points)
    etresoft wrote:
    glsmith wrote:
    Based on that file, he's only ok if he's a member of the admin group, which is the whole problem


    There is clearly a "problem" here that no one has addressed. They just jumped into dscl, trying to fix things, before investigating exactly what the problem is. No one should have to run dscl to get sudo running unless there were serious problems to begin with. Those problems will remain and surface at some later date.


    Quite. Which is why I said,
    First, a caveat: if you are the only admin user and you are not in group admin (and you do not know why), your system likely has serious issues which may cause you all kinds of problems and may have security implications. You would be well-advised to reinstall the OS in this case.


    But you are right that the point seems to have been lost since.

    - cfr
  • Clea Rees Level 4 (1,245 points)
    glsmith wrote:
    It's roughly the same on Leopard.


    He is on Leopard. The file looks different on Tiger.

    Based on that file, he's only ok if he's a member of the admin group, which is the whole problem


    Indeed. I only meant that I thought trying to fix the problem by editing the sudoers file was a bad idea.

    I'm still curious why the dscl command didn't work for him. Maybe it's PEBKAC.


    There is clearly something very wrong on his system.

    - cfr