problem with sudoer

I'm confused about my sudo privileges. On my account - memyselfandi, I have Administrator privileges.

I do the following, and I get a syntax error. It asks for my password, and when I give it, it executes my sudo command. So, what's with the error??? As it happens, I am listed in the sudoers file, but that shouldn't make a difference as I have Administrator privileges.


mycomputer$ sudo echo "hello world"

/private/etc/sudoers.d/sudoers:1:11: syntax error

<memyselfandi> ALL=(ALL) ALL

^

Password:

hello world

iMac, OS X 10.11

Posted on Apr 20, 2023 8:52 AM

Question marked as Top-ranking reply

Posted on Apr 23, 2023 6:32 PM

Dannymac22 wrote:

Actually, looking back at my original post, the syntax error is NOT in /private/etc/sudoers, but /private/etc/suduers.d/suduers, which is a file that contains PRECISELY ONE line.

FYI, you just made two typographical errors in the path here.....missing the "o" in "sudoers.d" and "sudoers".


As others have already mentioned, there is no need for the line used anyway, so you can just delete that file if it only contains the single line.


Dannymac22 wrote:

The line with the syntax error. That is NOT the file that visudoers edits. So why the h is the system using THAT sudoers file instead of /private/etc/suduers?

FYI, again the typographical error in "sudoers". Sorry, but when working on the command line and with system files, you must be extremely careful of everything you do and you must be precise or you may encounter more serious & devastating errors & consequences. The command line is very unforgiving and there are no safety nets. I also would recommend not using "sudoers" as the name of a custom file to minimize confusion.


"visudo" will edit the main "/etc/sudoers" file unless told otherwise.


To edit another file you need to use the following command (may not need the "-f", but I'm not sure what version of visudo your version of macOS is using so I'm including it here just to be safe):

sudo  visudo  -f  /etc/sudoers.d/sudoers


Personally I prefer to use the "nano" text editor as it is easier for me. I just cannot remember all the options for using "vi" or "vim" which is the default editor if none is specified (I know "vi" & "vim" are very powerful and useful for many people & situations):

EDITOR=nano  sudo  visudo  -f  /etc/sudoers.d/sudoers


Note: Using the path with or without "/private" in the path is acceptable since "/etc" is a link to "/private/etc".


Also, to learn about any commands on the command line you can use the manual pages on most commands. For example, to learn about "visudo" and its options, you would use:

man  visudo


Edit: I'm glad you were making customizations by adding configuration files to "/etc/sudoers.d" as that is a much safer option in case of a mistake as you can easily move/delete the file from that folder if a mistake breaks the command line. I never edit the main "/etc/sudoers" file for this reason. Plus if an OS update decides to rewrite the file to a default, you shouldn't lose your customizations....or it will be much easier to restore those files. In addition it is much easier to view all the customizations in their own individual files and quickly remove them or the files when troubleshooting.

29 replies

Apr 22, 2023 7:44 PM in response to Dannymac22

You have a syntax error in a custom made "sudoers" file located within the "/etc/sudoers.d" folder. I think the file is called "sudoers" with the complete path "/etc/sudoers.d/sudoers" where you have an entry with user "<memyselfandi>". The angle brackets are the problem giving the syntax error.


The actual location is "/private/etc/sudoers.d/sudoers" because of the read-only system volume, so the custom files are located in the "/private" folder which mimics the folder structure of the main system. macOS has a link to the "/private" folder so you can access the file through either path reference.


Like the others have mentioned, there is no need to have that line to give an admin user privileges as it is redundant.
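
An added example, not part of the thread or of sudo itself: a shell pre-flight check for a drop-in file like the one discussed above, covering the literal angle brackets and the file names that sudo ignores in an included directory. The helper name check_dropin, its return codes and the sample file names are assumptions made for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for a sudoers.d drop-in file.
# check_dropin is a hypothetical helper name, not part of sudo.
# Return codes: 0 ok, 2 name sudo would skip, 3 placeholder brackets,
#               4 rejected by visudo's own parser.
check_dropin() {
    file=$1
    name=$(basename "$file")

    # sudo skips files in an included directory whose names end in "~"
    # or contain ".", so such a file would silently have no effect.
    case $name in
        *"~" | *.*) echo "skipped by sudo: $name" >&2; return 2 ;;
    esac

    # Flag a user field still wrapped in <...>, as in the thread's error.
    if grep -n -E '^[[:space:]]*<[^>]*>' "$file" >&2; then
        echo "placeholder brackets left in user field" >&2
        return 3
    fi

    # Let the real parser have the final say when it is installed.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null 2>&1 || return 4
    fi
    return 0
}

# Constructed sample files in a scratch directory (not /etc/sudoers.d).
demo_dir=$(mktemp -d)
printf '%s\n' '<memyselfandi> ALL=(ALL) ALL' > "$demo_dir/sudoers"
printf '%s\n' 'memyselfandi ALL=(ALL) ALL' > "$demo_dir/10-memyselfandi"
printf '%s\n' 'memyselfandi ALL=(ALL) ALL' > "$demo_dir/10-memyselfandi.bak"

for f in "$demo_dir"/*; do
    rc=0
    check_dropin "$f" || rc=$?
    echo "$(basename "$f"): rc=$rc"
done
```

sudo parses the files in an included directory in sorted lexical order, which is why a numeric prefix such as "10-" is a common naming choice for drop-ins.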

Apr 24, 2023 7:38 AM in response to Dannymac22

Dannymac22 wrote:

and why was the OS paying attention to it instead of /private/etc/sudoers? And, for that matter, what is the sudoers.d directory supposed to be for?

If you need to change parameters in sudoers, why wouldn't you want to edit it?

The "sudoers.d" folder is meant to contain customizations for "sudoers", but without needing to modify the main original "sudoers" file. You've already experienced what happens with a minor mistake, but you could cripple the whole system if a more serious error was encountered in the main "sudoers" file.


If you want to make customizations, then add a file to the "sudoers.d" folder.


The system begins reading the main sudoers file, but then looks at each file within the "sudoers.d" folder (I forget the order they are processed). The last setting found for any option overrides any previous setting for a particular option. The "sudoers.d" folder allows changes to the original configuration without needing to modify the original file. So if you want to change the timeout, you could add it to a file within the "sudoers.d" folder. However, I advise caution in lengthening the timeout or removing it. Part of the reason for typing the password is to remind a user that what they are about to do may have serious consequences....the password is meant to caution the user to review the command before pressing Enter/Return. Like I said before, just one mis-typed character can have devastating consequences.


**** You need to be careful with the modifications as there can be unexpected negative consequences including weakening security of macOS by introducing new vulnerabilities due to changes made. I've seen huge threads with debates of very experienced users on suggested configurations & their unexpected consequences....things which are not readily apparent even to some experienced users. There are a lot of complex & subtle interactions so it is best to keep any changes to an absolute minimum.


Is there some built-in sudoers protection that makes backup file copies (e.g. sudoers.d/sudoers)?

No, it is up to the user to make backups.


Like I said before, the command line is very unforgiving and there is no safety net. Do not follow any commands found online without thoroughly reviewing the commands and understanding them yourself. If you don't understand the command you are about to issue, then it is best not to issue it until you do understand it.


The best way to learn about the command line is by using a different computer, an older computer will suffice for most things, or one which you can easily wipe if a catastrophic mistake is made which you are unable to reverse. Using an OS in a Virtual Machine is another option, but it is slightly more risky than a spare disposable computer. I highly recommend you read up on the command line and also how the lower level *nix part of the OS works before you do anything else. And practice on a disposable system or in a VM.


Even people with decades of command line experience can make a simple mistake which can have disastrous consequences. Sometimes all it takes is one mistyped character.

Apr 23, 2023 7:04 PM in response to HWTech

Now we're talkin'. Thank you. Removing /private/etc/sudoers.d/sudoers entirely did the trick. I now do not get errors when I sudo things, and it doesn't keep asking me for my password when I do so. I am now officially a sudoer. Where did that rogue file come from, anyway, and why was the OS paying attention to it instead of /private/etc/sudoers? And, for that matter, what is the sudoers.d directory supposed to be for?

Apr 24, 2023 11:00 AM in response to Dannymac22

Dannymac22 wrote:

Yes, I understand that now, but EVERYONE online says that to make yourself a sudoer, just go in with visudo and modify the sudoers file!

That assumes you are not already part of the group. With macOS any macOS user account with "admin" privileges is automatically put into the "sudoers" group. For other operating systems this may not be the case. In fact most of the information you find online regarding the command line and *nix type files will be in regards to Linux which while sharing a lot of similarities is completely different.


As you point out, the /private/etc/sudoers.d/sudoers customization file is a smart way to protect yourself.

It only "protects" you from accidentally destroying the main sudoers file. It does not protect you from mistakes, nor from any unintended side effects.


Like @etresoft mentions, it is very rare for anyone to need to modify the sudoers setup even with "sudoers.d". I've only ever made one or two changes for a very limited & very specific reason for a Linux system I was configuring for a new Linux user. I cannot see a need on macOS except to allow a Standard user to access one item normally restricted to an admin without giving the Standard user full admin access. Remember, this can have unexpected consequences where the Standard user may end up with more admin access than expected. It is very hard to know the edge cases where that upgrade of limited admin privileges can have undesired effect as those edge cases can be very obscure.


If you are curious about better understanding this, then experiment on a disposable test system or VM, but we don't recommend people to modify any of the "sudoers" settings. If you feel you must, then modify them by adding a file(s) in the "sudoers.d" folder. Always make sure to use the visudo command to create and edit those files.

Apr 23, 2023 5:37 PM in response to Dannymac22

Assuming the "/private/etc/sudoers.d/sudoers" file still exists, there is obviously a syntax error within that file. Post the contents of that file here if you want assistance locating that syntax error. The error appears to be on the first line of that file. You can of course try completely deleting the first line of that file as well, or begin the first line with "#" to comment out the line. This all assumes that the error is still being reported on the first line.


If you used "visudo", then it should have caught any syntax errors when saving the file unless you overrode the syntax checking. Or it means the file was later corrupted. If the file was corrupted, it could also mean other more serious issues with your Mac including bad memory or SSD.


Apr 24, 2023 11:13 AM in response to Dannymac22

Dannymac22 wrote:

Yes, I understand that now, but EVERYONE online says that to make yourself a sudoer, just go in with visudo and modify the sudoers file!

They are wrong.

As you point out, the /private/etc/sudoers.d/sudoers customization file is a smart way to protect yourself.

That wasn't my advice. Making any changes to any sudoers file is an exceptionally bad idea. It will not protect you in any way. Rather, it opens you up to all kinds of security risks. Any random security vulnerability that Apple has patched in the last two decades is suddenly in play again on your machine.


I used Unix professionally, mostly full time, for over 35 years. In that time, I have needed to modify a sudoers file not even once.

Apr 24, 2023 10:45 AM in response to Dannymac22

Dannymac22 wrote:

All the online instructions for sudoer mods just have you go plowing into the main sudoer file with visuduer, which can indeed be a recipe for disaster.

Why the @#$%^ don't the online instructions make that point??

The "sudoers.d" infrastructure is "relatively" new.....although by now it has been around for at least 12 years (I don't recall when it was first introduced). However, many people may not realize it exists so they just repeat the old way of doing things. This is one reason people need to be careful about blindly following instructions found online even if the instructions come from a reputable source. Many people are stuck thinking & doing things the old ways, or are oblivious to the new changes. I have found that many times there are multiple ways of solving a problem, but only a few ways are actually the best/safer options. When I am researching things like this I will keep looking through various hits just to see if there may be any better options available and to find out what some of the potential hidden issues may be which may not be immediately obvious. Generally in that search you will learn some new things & realize there may be some edge cases where the common/popular fix may cause a problem.


FYI, to learn more about "sudoers" for your current version of macOS, you can see:

man  sudoers


Apr 24, 2023 1:23 PM in response to Dannymac22

Dannymac22 wrote:

Well, as I understand it, the WHOLE POINT of sudoers.d is to avoid mucking up the sudoers file. If you do something bad in that customization file, just get rid of it. Now, if it is possible to do any permanent damage with sudoers, then that would be a good reason to avoid any changes to it.

There is never any chance of permanent damage. It is just a question of whether you will be able to fix the problem yourself or if you'll have to go to some internet tech support forum and ask for help. In the case with something that could break the "sudo" functionality, even with help, your only chance of recovery would be erasing the hard drive and reinstalling the operating system, or using recovery mode. But if you've made it that far, chances are that recovery mode would be too difficult, so you'll be wiping your hard drive. All this because you insisted on editing a file that most experienced professionals don't bother modifying for decades.


There is a fine line between giving people good advice to help them along their journey, or giving them bad advice to teach them a lesson.

Apr 24, 2023 1:35 PM in response to Dannymac22

Dannymac22 wrote:

Well, as I understand it, the WHOLE POINT of sudoers.d is to avoid mucking up the sudoers file. If you do something bad in that customization file, just get rid of it. Now, if it is possible to do any permanent damage with sudoers, then that would be a good reason to avoid any changes to it.


I usually add the user to the Admin group, which provides sudo access, and avoids modifications to sudoers.


Apr 20, 2023 10:20 AM in response to etresoft

Well, that's precisely what I have in my sudoers file, and the error I get is precisely what I quoted above. As I said, I have Admin privileges. So why am I getting ANY errors?


"memyselfandi" is not even in the sudoers file, so it's as if it is complaining that it isn't there. I just don't understand what the syntax error is.


Again, the syntax error it is giving me is in the line


<memyselfandi> ALL=(ALL) ALL


which is NOT IN my sudoers file. Yes, I did a restart and all that. Same problem.

Apr 23, 2023 5:54 PM in response to HWTech

OK, but AGAIN, the system is giving me an error on a line that DOES NOT EXIST in my sudoers file, as viewed in visudo. That makes me think that visudo is not really showing me the sudoer file that the system is using.


I see, in /private/etc, sudoers, sudoers.d (which contains a sudoers file), and sudoers~orig. Which sudoer file is the system actually using (and giving me an error on), and how do I edit it? Nope, visudo isn't how to do it.


Actually, looking back at my original post, the syntax error is NOT in /private/etc/sudoers, but /private/etc/suduers.d/suduers, which is a file that contains PRECISELY ONE line. The line with the syntax error. That is NOT the file that visudoers edits. So why the h is the system using THAT sudoers file instead of /private/etc/suduers?

