No more root permissions – can I change this?

ls -l /etc/sudoers

-r--r----- 1 XYZ staff 2299 2 Aug 2015 /etc/sudoers


I can not use Sudo (sudoers is owned by uid 1, should be 0)


Activating the superuser in Finder was possible some days ago, but it was not helpful. I changed the password for the superuser and now my account has the same password ...? I also don't understand why I can activate the superuser but still have no permissions ...

I have an unknown user called "System" on Macintosh HD since restoring the system a while ago. "System" seems to have root permissions.

Re-installing macOS High Sierra didn't help to let the user "System" disappear. (iMac late 2011)

Is there a way to change the permissions without erasing the whole system (1 SSD, 1 HD, a lot of data ...)

I can use this mac for every-day-tasks, but I also like to work sometimes with the terminal (learning, git etc.)

and I think it is a security issue too.


Is there a way to change the permissions without erasing the whole system? (1 ssd, 1 hd, a lot of data, it needs a lot of time ...)

Earlier Mac models

Posted on Oct 26, 2023 3:51 AM

Question marked as Best reply

Posted on Oct 26, 2023 2:30 PM

ReHexx wrote:

ls -l /etc/sudoers
-r--r----- 1 XYZ staff 2299 2 Aug 2015 /etc/sudoers

I can not use Sudo (sudoers is owned by uid 1, should be 0)

The only thing incorrect here is the owner of the file which should be "root" instead of "staff". This file should only be modified by using the "visudo" utility which will always verify the syntax of all entries are correct and will also make sure the file permissions are correct.


I don't recommend ever modifying this file since there is a better way to modify "sudoers" rules which involves creating a new file in "/etc/sudoers.d". Again, you need to use the "visudo" utility for the same reasons you need to use it for the main "sudoers" file. It is much easier to deal with issues with items in "/etc/sudoers.d" than it is to deal with issues in the main "sudoers" file itself.



I have an unknown user called "System" on Macintosh HD since restoring the system a while ago. "System" seems to have root permissions.

Perfectly normal. "system" is one of many system level user/groups macOS requires.


Re-installing macOS High Sierra didn't help to let the user "System" disappear. (iMac late 2011)

I don't believe macOS will overwrite any custom configuration files.


Is there a way to change the permissions without erasing the whole system (1 SSD, 1 HD, a lot of data ...)

You just need to change the permission of that "sudoers" file. How to do so is the question. You could try booting into Single User Mode (Command + S) and trying to use the "visudo" command to update the file's permissions. You may need to add a new line to the file so it will have some change to force a save which should involve the utility to check the syntax & permissions.


Once you access the command prompt for Single User Mode, you will need to read the information on the screen which instructs you how to run a file system check using "fsck", followed by remounting the root system volume as read+write. It has been a while since I booted to Single User Mode, but IIRC the commands are (if you don't receive the command prompt after the text on screen stops scrolling by, then press the "Return" key as that will usually cause the command prompt to appear):

fsck  -fy  /
mount  -uw  /


You will then need to use the following command to edit the "/etc/sudoers" file the proper way using "visudo" (this command as formatted is only meant for use with Single User Mode):

EDITOR=nano  visudo  


You should be able to scroll to the end of the file using the down arrow key, then press the "Return" key to create a new empty line. Then press Control + X which will prompt you to confirm you want to save the changes, then it will prompt to confirm the file name. If there are no errors, try rebooting normally to see if you now are able to utilize "sudo". If you still have problems, then maybe there is something wrong with the configuration of that file. On my macOS 13.x, the "sudoers" file is owned by "root". To reboot the computer while in Single User Mode, use the following command:

reboot



Theoretically you should be able to just use:

boot


which should allow macOS to resume booting from Single User Mode into a full boot without restarting, but I prefer the actual full reboot just to be safe.


I can use this mac for every-day-tasks, but I also like to work sometimes with the terminal (learning, git etc.)
and I think it is a security issue too.

Make sure to always have frequent and regular backups of your computer and all external media (including the cloud) which contains important & unique data.


You may want to consider using a Virtual Machine so you can do experimental tasks with an OS hosted within a VM so that you don't accidentally break your main macOS system.


Also, be very careful using any third party utilities like Homebrew to install & manage other command line utilities & apps since Homebrew seems to cause so many people misery since their macOS system configuration files are improperly modified. Plus having some other newer versions of some command line utilities may get macOS confused about which one to use if Homebrew doesn't properly configure the PATH to utilize macOS utilities by default. Again, best to test things out in a VM to verify how things work before making the changes to the main OS you use for every day tasks. Otherwise, be prepared to reinstall & restore from a backup.


Oct 26, 2023 11:16 PM in response to VikingOSX

VikingOSX wrote:

Stay away from enabling root even if someone provides the instructions. The correct way to access and edit the /etc/sudoers file is this:

sudo visudo

and it will automatically open the /etc/sudoers file for editing and saving when done. You should be familiar with /usr/bin/vi editor syntax.

If you notice my post which we posted at the same time, you can use the editor of your choice by specifying it with the "EDITOR" variable... this will only affect the current command and does not change the default system editor. I personally have never been able to remember how to navigate "vi/vim" since I don't edit files on the command line enough to memorize its options (nor the patience). At least "nano" provides some hints which are easily visible as soon as the editor is opened which makes it a bit easier for the average person to figure out. The "visudo" utility is what actually performs the syntax checking and setting the correct file permissions.


Unfortunately it doesn't seem that "visudo" corrects the incorrect file ownership permission. "visudo" does set the correct file permissions when creating a new file. The OP will need to use the following command while booted into Single User Mode to make "root" the owner of the "/etc/sudoers" file:

chown  root  /etc/sudoers


Oct 27, 2023 1:56 AM in response to HWTech

The /etc/sudoers file ownership by default is root wheel and it is purposely read-only for that user and group. There is no reason to change that file ownership or permission if one uses visudo as is intended.


I can't say that Nano or any other editor locks this file from simultaneous editing but visudo does, and I have exclusively used visudo across multiple UNIX operating systems for a very long time. I learned the vi editor from the very beginning. The visudo man page is a worthwhile read.

Oct 27, 2023 7:19 AM in response to VikingOSX

VikingOSX wrote:

The /etc/sudoers file ownership by default is root wheel and it is purposely read-only for that user and group. There is no reason to change that file ownership or permission if one uses visudo as is intended.

I agree. Plus I even recommend never to touch the main "/etc/sudoers" file even with "visudo" because it is possible to make the same changes to files created & stored in "/etc/sudoers.d/" using "visudo".


I can't say that Nano or any other editor locks this file from simultaneous editing but visudo does, and I have exclusively used visudo across multiple UNIX operating systems for a very long time. I learned the vi editor from the very beginning. The visudo man page is a worthwhile read.

Yes, the "visudo" man page actually mentions being able to select your editor of choice using the method I have shown which is nice since we all have an editor we prefer. "visudo" locks the file and launches the editor of choice, then when the editor is closed, "visudo" checks the file syntax and alerts the user if there is an issue. If you are creating a new file within "/etc/sudoers.d/", then that new file created by "visudo" will have the proper permissions.


For some reason I thought "visudo" would correct the permissions even when editing an existing file, but that did not happen with my test.


Oct 27, 2023 7:26 AM in response to HWTech

HWTech wrote:

Unfortunately it doesn't seem that "visudo" corrects the incorrect file ownership permission. "visudo" does set the correct file permissions when creating a new file. The OP will need to use the following command while booted into Single User Mode to make "root" the owner of the "/etc/sudoers" file:
chown root /etc/sudoers

@VikingOSX reminded me that I forgot the group as well which should be "wheel", so the proper command to change the file permissions while booted into Single User Mode is:

chown  root:wheel  /etc/sudoers
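
An added example, not part of any post above: a POSIX shell check for the condition this thread diagnoses, a sudoers file whose owner, group or mode is not root, wheel and read-only for owner and group. The function names and sample `ls -ln` lines are constructed for illustration; gid 0 as "wheel" and gid 20 as "staff" are macOS conventions assumed here.

```shell
#!/bin/sh
# Added example: audit owner, group and mode of a sudoers file.
# Expected values come from the thread: uid 0 (root), gid 0 (wheel on
# macOS) and read-only for owner and group (-r--r-----).

# Constructed `ls -ln` lines: the first mirrors the broken state in the
# question (uid 1 from the sudo error; gid 20 is an assumed "staff" gid).
SAMPLE_BAD='-r--r----- 1 1 20 2299 Aug  2  2015 /etc/sudoers'
SAMPLE_GOOD='-r--r----- 1 0 0 2299 Aug  2  2015 /etc/sudoers'

# audit_ls_line LINE: print one finding per problem in an `ls -ln` line.
# Returns 0 when owner, group and mode are all as expected, 1 otherwise.
audit_ls_line() {
    # Fields: mode, link count, numeric uid, numeric gid, remainder.
    read -r mode _links uid gid _rest <<EOF
$1
EOF
    # Keep the 10 mode characters; drop a trailing @, + or . marker.
    mode=$(printf '%s' "$mode" | cut -c1-10)
    rc=0
    if [ "$uid" != 0 ]; then
        echo "owner is uid $uid, should be 0 (root)"; rc=1
    fi
    if [ "$gid" != 0 ]; then
        echo "group is gid $gid, should be 0 (wheel)"; rc=1
    fi
    if [ "$mode" != "-r--r-----" ]; then
        echo "mode is $mode, should be -r--r-----"; rc=1
    fi
    return "$rc"
}

# audit_sudoers [FILE]: run the check on a real file (default /etc/sudoers).
# Returns 2 if the file cannot be listed.
audit_sudoers() {
    file=${1:-/etc/sudoers}
    line=$(ls -lnd "$file" 2>/dev/null) || { echo "cannot list $file"; return 2; }
    audit_ls_line "$line"
}

# Demonstration on the constructed broken line (prints two findings).
audit_ls_line "$SAMPLE_BAD" || true
```

Listing the file needs no root access, so `audit_sudoers` can be run from a normal account before booting into Single User Mode; `visudo -c` covers the syntax check once ownership is corrected.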

