Etrecheck: sudoers - Modified - what does this mean?

Hello,


After upgrading from Mountain Lion to Yosemite 10.10.5 I ran Etrecheck to see if everything is OK.


It reported:


"Configuration files: Macintosh HD/private/etc/sudoers - Modified

If there have been unusual, low-level changes to your system configuration files, they will be listed here.

This may not necessarily be a problem unless you don't recognize these files or know what these changes are."


What does this mean? Anything to worry about...?


Many thanks!

Posted on Aug 23, 2015 11:40 AM


Nov 22, 2017 5:59 PM in response to Mac-bug

I am having this same issue, "/etc/sudoers, File size 2299 but expected 1275", on Sierra and massive hacking / phishing problems across multiple devices. When I search Apple I'm referred to Apple Remote Desktop, which is suspect IMO.


Are you sure "/etc/sudoers, File size 2299 but expected 1275" is not a concern?

Feb 15, 2017 1:43 PM in response to Community User

What you mean by "massive hacking / phishing problems across multiple devices" is unclear.


If your system has been breached to the degree where attackers can or have been modifying admin-level files, then get a last backup or three to external storage, wipe the disks, reinstall from known-good backups pre-breach and/or from known-good distributions from Apple and other providers, change all of your local and server passwords, and don't migrate in any apps from the "breached" backups.


Wipe the system and start over, essentially.

Aug 23, 2015 11:49 AM in response to coxorange

coxorange wrote:


Hello,


After upgrading from Mountain Lion to Yosemite 10.10.5 I ran Etrecheck to see if everything is OK.

That is not its purpose, nor can it do such a thing.


The sudoers file is the list of users allowed to temporarily elevate their privileges using the sudo command.

If you did not edit the file, then you might want to consider investigating what did.

Aug 23, 2015 1:26 PM in response to Barney-15E

Thanks Barney!

Barney-15E wrote:

The sudoers file is the list of users allowed to temporarily elevate their privileges using the sudo command.

If you did not edit the file, then you might want to consider investigating what did.


I didn't edit it, at least not directly and knowingly – how could it be edited?


How could I find out what/who edited it?


I upgraded 3 Macs, and it was the same on all 3!

Aug 23, 2015 2:11 PM in response to coxorange

If you launch Terminal.app and issue the commands shown below, you'll get some details. If you're shy about posting data, here are the typical contents of the sudoers file on a Yosemite system — the lines starting with $ are bash shell prompts and bash commands:


$ sudo cat /private/etc/sudoers
Password:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
$

Here are the typical file settings:

$ sudo ls -ale@ /private/etc/sudoers
-r--r----- 1 root wheel 1275 Sep 9 2014 /private/etc/sudoers
$

Aug 23, 2015 4:38 PM in response to Allan Eckert

Allan Eckert wrote:

Since you have run the EtreCheck, why don't you post the report here so that we can analyze it?


If it helps, here it is:


EtreCheck version: 2.4.1 (137)

Report generated 8/23/15, 10:53 PM

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

iMac (27-inch, Mid 2011) (Technical Specifications)

iMac - model: iMac12,2

1 2.7 GHz Intel Core i5 CPU: 4-core

8 GB RAM Upgradeable

BANK 0/DIMM0

2 GB DDR3 1333 MHz ok

BANK 1/DIMM0

2 GB DDR3 1333 MHz ok

BANK 0/DIMM1

2 GB DDR3 1333 MHz ok

BANK 1/DIMM1

2 GB DDR3 1333 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n


Video Information: (What does this mean?)

AMD Radeon HD 6770M - VRAM: 512 MB

iMac 2560 x 1440


System Software: (What does this mean?)

OS X 10.10.5 (14F27) - Time since boot: less than an hour


Disk Information: (What does this mean?)

ST31000528AS disk0 : (1 TB) (Rotational)

EFI (disk0s1) <not mounted> : 210 MB

Macintosh HD (disk0s2) / : 919.86 GB (194.91 GB free)

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

BOOTCAMP (disk0s4) /Volumes/BOOTCAMP : 79.48 GB (47.65 GB free)


HL-DT-STDVDRW GA32N ()


USB Information: (What does this mean?)

Apple, Inc. Keyboard Hub

Kensington Kensington Expert Mouse

Apple, Inc Apple Keyboard

SanDisk Cruzer Force 64.02 GB

EFI (disk2s1) <not mounted> : 210 MB

SD 64GB 002 (disk2s2) /Volumes/SD 64GB 002 : 63.67 GB (17.74 GB free)

Apple Internal Memory Card Reader

Apple Computer, Inc. IR Receiver

Apple Inc. FaceTime HD Camera (Built-in)

SanDisk Cruzer Force 64.02 GB

EFI (disk1s1) <not mounted> : 210 MB

SD 64GB 001 (disk1s2) /Volumes/SD 64GB 001 : 63.67 GB (17.74 GB free)

Apple Inc. BRCM2046 Hub

Apple Inc. Bluetooth USB Host Controller


Firewire Information: (What does this mean?)

WD My Book 800mbit - 800mbit max

EFI (disk3s1) <not mounted> : 210 MB

Untitled 1 (disk3s2) /Volumes/Untitled 1 : 999.85 GB (403.08 GB free)


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Configuration files: (What does this mean?)

/etc/sudoers - Modified


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/System/Library/Extensions

[loaded] com.globaldelight.driver.VoilaDevice (1.1 - SDK 10.1) [Click for support]

[loaded] com.kensington.trackballworks.driver (1.1.0) [Click for support]


Launch Agents: (What does this mean?)

[loaded] org.macosforge.xquartz.startx.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] org.macosforge.xquartz.privileged_startx.plist [Click for support]


User Login Items: (What does this mean?)

TrackballWorksHelper Application (/Library/PreferencePanes/TrackballWorks.prefPane/Contents/Resources/TrackballWorksHelper.app)

CrossOver CD Helper Application (/Applications/CrossOver.app/Contents/Resources/CrossOver CD Helper.app)


Internet Plug-ins: (What does this mean?)

FlashPlayer-10.6: Version: 18.0.0.232 - SDK 10.6 [Click for support]

Flash Player: Version: 18.0.0.232 - SDK 10.6 [Click for support]

iPhotoPhotocast: Version: 7.0 - SDK 10.8

QuickTime Plugin: Version: 7.7.3

Unity Web Player: Version: UnityPlayer version 5.0.2f1 - SDK 10.6 [Click for support]

Default Browser: Version: 600 - SDK 10.10


User internet Plug-ins: (What does this mean?)

CitrixOnlineWebDeploymentPlugin: Version: 1.0.105 [Click for support]


3rd Party Preference Panes: (What does this mean?)

Flash Player [Click for support]

TrackballWorks [Click for support]


Time Machine: (What does this mean?)

Skip System Files: NO

Mobile backups: OFF

Auto backup: NO - Auto backup turned off

Volumes being backed up:

Macintosh HD: Disk size: 919.86 GB Disk used: 724.95 GB

Destinations:

Untitled 1 [Local]

Total size: 999.85 GB

Total number of backups: 2

Oldest backup: 2015-08-20 06:23:39 +0000

Last backup: 2015-08-20 07:21:00 +0000

Size of backup disk: Too small

Backup size 999.85 GB < (Disk used 724.95 GB X 3)


Top Processes by CPU: (What does this mean?)

6% WindowServer

4% launchd

2% Tunelet

1% fontd

0% taskgated


Top Processes by Memory: (What does this mean?)

759 MB kernel_task

221 MB mds_stores

156 MB Dock

131 MB Finder

123 MB mdworker(5)


Virtual Memory Information: (What does this mean?)

1.70 GB Free RAM

6.29 GB Used RAM (1.46 GB Cached)

0 B Swap Used


Diagnostics Information: (What does this mean?)

Aug 23, 2015, 10:30:35 PM Self test - passed

Aug 22, 2015, 12:42:38 PM /Library/Logs/DiagnosticReports/com.apple.WebKit.WebContent_2015-08-22-124238_[ redacted].cpu_resource.diag [Click for details]

Aug 24, 2015 3:15 AM in response to MrHoffman

Thanks, Mr Hoffman,

MrHoffman wrote:


If you launch Terminal.app and issue the commands shown below, you'll get some details. If you're shy about posting data, here are the typical contents of the sudoers file on a Yosemite system — the lines starting with $ are bash shell prompts and bash commands:


Here is what I get:


## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top

##
## Defaults specification
##

Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"

Defaults lecture_file = "/etc/sudo_lecture"

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d


It's a bit different to what you posted, but what does this mean?

(for example what are these "User_Alias ADMINS = millert, dowdy, mikef"?)


And here my file settings:


$ sudo ls -ale@ /private/etc/sudoers
-r--r----- 1 root wheel 2299 25 Jul 05:34 /private/etc/sudoers
$

There's a different number before the date. (?)


Thanks for any interpretation.

Aug 24, 2015 3:34 AM in response to coxorange

As told to me by the developer:

In Etrecheck the only thing that is done about the sudoers file is measuring the size (1275); it cannot be read by Etrecheck, because of the permissions.

In the Yosemite and Mavericks installers the size is indeed 1275. But one space or # character difference means that it is reported in Etrecheck as "changed".

All lines starting with # are comments, no settings. Sometimes the file size changes without changes to the settings lines in it, don't worry. Sometimes OSX changes the file when you set a user alias or other things like that. But in that case you already know what the sudoers file is. It can be changed when you are really hacked.

The best way to read the sudoers file is by copying it to the Desktop and there read it with Textedit. Do not mess with the file itself or the permissions will change and you will have problems.

Normally you cannot access this file because of the permissions. You can simply set permissions back to original by using "repair disk permissions" in DiskUtility or use a command in Terminal (sudo chown root:wheel /etc/sudoers).
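As an added example that is not part of the thread: since EtreCheck only compares the byte size of /etc/sudoers against 1275, a comment or a stray space is enough to trigger "Modified". The script below instead compares the rules sudo actually acts on (comments stripped, but #include/#includedir directives kept, as the file itself notes) between a known-good baseline and the file under review. The two abridged sample files are constructed from the listings posted earlier in the thread; the function names and temp-file handling are my own.

```shell
#!/bin/sh
# Added example (not from the thread). EtreCheck only measures the byte size of
# /etc/sudoers; this compares the rules sudo acts on against a known-good copy.
# Print effective rules: drop blanks and comments, keep "#include"/"#includedir"
# (there '#' is a directive), and collapse whitespace so reflow is not a change.
sudoers_effective_rules() {
    awk '{ gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
         $0 == "" { next }
         /^#/ && $0 !~ /^#include(dir)?( |$)/ { next }
         { print }' "$1"
}
# Print rules that differ between a known-good baseline ($1) and the file under
# review ($2): "< " = only in baseline, "> " = only in the reviewed file.
# Returns 0 when the effective rules are identical, 1 when they differ.
sudoers_rule_diff() {
    base=$(mktemp) && cur=$(mktemp) || return 2
    sudoers_effective_rules "$1" | sort > "$base"
    sudoers_effective_rules "$2" | sort > "$cur"
    changes=$(diff "$base" "$cur" | grep '^[<>]' || true)
    rm -f "$base" "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
# Constructed, abridged samples: the stock Yosemite rules (the 1275-byte file)
# and the variant from the thread with an extra Default and a drop-in directory.
BASELINE=$(mktemp); REVIEWED=$(mktemp)
trap 'rm -f "$BASELINE" "$REVIEWED"' EXIT
cat > "$BASELINE" <<'EOF'
# This file MUST be edited with the 'visudo' command as root.
Defaults env_reset
Defaults    env_keep += "BLOCKSIZE"
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$REVIEWED" <<'EOF'
## This file MUST be edited with the 'visudo' command as root.
# User_Alias ADMINS = millert, dowdy, mikef
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults lecture_file = "/etc/sudo_lecture"
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
EOF
sudoers_rule_diff "$BASELINE" "$REVIEWED" || echo "effective rules differ"
```

Run against the real files as `sudo sh script.sh` with a copy of a known-good sudoers as the baseline; note that a kept `#includedir` line means rules in that directory also apply and deserve the same comparison.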

Aug 24, 2015 4:26 AM in response to Lexiepex

LexSchellings wrote:

The best way to read the sudoers file is by copying it to the Desktop and there read it with Textedit. Do not mess with the file itself or the permissions will change and you will have problems.


Thanks for your comments. I copied it to the desktop and looked into it (= same content as posted above).

The only difference to Mr Hoffman's version is the additional line:


Defaults lecture_file = "/etc/sudo_lecture"


I also copied sudo_lecture to the desktop and looked into it:


WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

I assume this is no content at all.

So all is well...?

Aug 24, 2015 4:39 AM in response to coxorange

Mmm. There IS a difference:

Defaults lecture_file = "/etc/sudo_lecture"

is not in the sudoers file in the Mavericks and Yosemite installers (and also not in my sudoers file).

But this change seems harmless to me; do not remove it.

Now I know the reason that it is marked in Etrecheck: by this the file size is changed and thus it is marked in Etrecheck.

Lex

Aug 24, 2015 5:00 AM in response to Lexiepex

I'm happy that it is explained now.


LexSchellings wrote:

do not remove it.

I'm not so happy, because that would mean that in the future, when running Etrecheck again, it will always alert me regarding this issue, and I will have to re-check if it's still harmless (on 3 Macs).

Therefore I think it would be better to replace it with the original file (size 1275). But how?


You don't have such a "sudo_lecture" file at all?

Aug 24, 2015 6:31 AM in response to coxorange

Certainly I have a sudo_lecture file (it is in the /etc/ folder).

I should not mess with the sudoers file if I were you; you may block everything. In your case this is a change that you may have asked for in the past.

It will not go away by restoring OS in the RecoveryPartition, because normally this change has to do with a user wish. You may want to keep it.

The change in the Etrecheck list was brought in by the developer because of the DYLD_PRINT_TO_FILE security exploit that was/is lurking around. That security hole is closed in 10.10.5.

You have not been infected.

Ignore it.

I would rather ask the developer (see his site, contact) to make available the 2.4 version of Etrecheck that does not have the marking for the sudoers file.

Lex

