Announcement: Upgrade to macOS Mojave

With features like Dark Mode, Stacks, and four new built-in apps, macOS Mojave helps you get more out of every click. 
Find out how to upgrade to macOS Mojave > https://support.apple.com/macos/mojave

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: EtreCheck Major Error / sudoers size

I just purchased and ran EtreCheck 4 and a major error was found. This is it: "Unexpected /etc/sudoers size: Found 2339 B but expected 1563 B". I'm not very Terminal literate and don't want to screw things up. How can I fix the major error?

iMac, macOS High Sierra (10.13.3)

Posted on

Reply
Question marked as Solved
Answer:
Answer:

Yes. It is 1563 bytes, isn't it? But if it were an installation that you had originally upgraded from Yosemite, it might be 1275 bytes. The sudoers file is just a mess. It is one of those odd things with security settings so old that no one even remembers why they were set that way. "That's just the way we've always done it."

Posted on

Question marked as Helpful

Mar 19, 2018 7:07 AM in response to craigmoor In response to craigmoor

That appears to be a normal sudoers file. I don't see any unusual changes. Perhaps it was edited at some point and that change was undone.


The sudoers file is really difficult to deal with for a number of reasons. I won't bother you with the details. But you seem to have a valid sudoers file from a 10.11 El Capitan installation. EtreCheck cannot read a sudoers file because it is so heavily restricted. It can only check the size. If the size doesn't match any known, valid size of this file, then it reports it.

There’s more to the conversation

Read all replies

Page content loaded

Mar 10, 2018 12:52 PM in response to craigmoor In response to craigmoor

Hello craigmoor,

The first thing to do would be to post your EtreCheck report. That might provide more context about this change.


There are two possible reasons why your sudoers file has been modified:

1) You are a programmer and command-line wizard and have made legitimate changes to the file.

2) You have installed some low-level system modification utility, such as an antivirus tool. Sometimes this file is modified by legitimate 3rd party software so that it can run with administrator, "super-user" privileges whenever it wants. However, this use is frowned upon. There are better and more secure ways to do this.

3) You have installed malware that has modified this file so that it can run with administrator, "super-user" privileges whenever it wants.


So, EtreCheck categories this as a major issue because it is frequently used by malware. Even if the change was made my legitimate software, you still need to know about it. What if you want to uninstall this software. I bet it won't undo this change to your sudoers file.


Here is what you need to do. Go to the BBEdit web site (https://www.barebones.com/products/bbedit/) and download BBEdit. This is a powerful text editor. It is one of the few that can open the sudoers file. You will need your administrator password just to view this file. This is why EtreCheck can't read it.


Use BBEdit to open the sudoers file and then paste the contents of that file in a reply here. It is very unlikely to have any personal information in it. If it has your short user name or something, you can edit that out if it could be recognizable. Then we can tell you exactly what changes have been made, and possibly why.

Mar 10, 2018 12:52 PM

Reply Helpful (1)

Mar 11, 2018 8:16 AM in response to etresoft In response to etresoft

Hello etresoft! Here's the paste:


## sudoers file.

##

## This file MUST be edited with the 'visudo' command as root.

## Failure to use 'visudo' may result in syntax or file permission errors

## that prevent sudo from running.

##

## See the sudoers man page for the details on how to write a sudoers file.

##



##

## Host alias specification

##

## Groups of machines. These may include host names (optionally with wildcards),

## IP addresses, network numbers or netgroups.

# Host_Alias WEBSERVERS = www1, www2, www3



##

## User alias specification

##

## Groups of users. These may consist of user names, uids, Unix groups,

## or netgroups.

# User_Alias ADMINS = millert, dowdy, mikef



##

## Cmnd alias specification

##

## Groups of commands. Often used to group related commands together.

# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \

# /usr/bin/pkill, /usr/bin/top



##

## Defaults specification

##



Defaults env_reset

Defaults env_keep += "BLOCKSIZE"

Defaults env_keep += "COLORFGBG COLORTERM"

Defaults env_keep += "__CF_USER_TEXT_ENCODING"

Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"

Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"

Defaults env_keep += "LINES COLUMNS"

Defaults env_keep += "LSCOLORS"

Defaults env_keep += "SSH_AUTH_SOCK"

Defaults env_keep += "TZ"

Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"

Defaults env_keep += "EDITOR VISUAL"

Defaults env_keep += "HOME MAIL"



Defaults lecture_file = "/etc/sudo_lecture"



##

## Runas alias specification

##



##

## User privilege specification

##

root ALL=(ALL) ALL

%admin ALL=(ALL) ALL



## Uncomment to allow members of group wheel to execute any command

# %wheel ALL=(ALL) ALL



## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL



## Uncomment to allow members of group sudo to execute any command

# %sudo ALL=(ALL) ALL



## Uncomment to allow any user to run sudo if they know the password

## of the user they are running the command as (root by default).

# Defaults targetpw # Ask for the password of the target user

# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'



## Read drop-in files from /private/etc/sudoers.d

## (the '#' here does not indicate a comment)

#includedir /private/etc/sudoers.d

Mar 11, 2018 8:16 AM

Reply Helpful
Question marked as Helpful

Mar 19, 2018 7:07 AM in response to craigmoor In response to craigmoor

That appears to be a normal sudoers file. I don't see any unusual changes. Perhaps it was edited at some point and that change was undone.


The sudoers file is really difficult to deal with for a number of reasons. I won't bother you with the details. But you seem to have a valid sudoers file from a 10.11 El Capitan installation. EtreCheck cannot read a sudoers file because it is so heavily restricted. It can only check the size. If the size doesn't match any known, valid size of this file, then it reports it.

Mar 19, 2018 7:07 AM

Reply Helpful (1)

Mar 11, 2018 12:44 PM in response to craigmoor In response to craigmoor

As etresoft noted, there are no active lines that are any different from an unmodified sudoer file. Yours contains a number of lines that have been added by something. But, they also all start with a #. Which means the lines are comments and don't do anything. Here's a list of all of your "extras" (which is why your file is larger than it's supposed to be).


## Groups of machines. These may include host names (optionally with wildcards),

## IP addresses, network numbers or netgroups.

# Host_Alias WEBSERVERS = www1, www2, www3


## Groups of users. These may consist of user names, uids, Unix groups,

## or netgroups.


## Groups of commands. Often used to group related commands together.

# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \

# /usr/bin/pkill, /usr/bin/top


## Uncomment to allow members of group wheel to execute any command

# %wheel ALL=(ALL) ALL


## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL


## Uncomment to allow members of group sudo to execute any command

# %sudo ALL=(ALL) ALL


## Uncomment to allow any user to run sudo if they know the password

## of the user they are running the command as (root by default).

# Defaults targetpw # Ask for the password of the target user

# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'

Mar 11, 2018 12:44 PM

Reply Helpful

Mar 11, 2018 1:46 PM in response to Kurt Lang In response to Kurt Lang

That's what I meant about "the details". Apple has changed the default sudoers file a few times over the life of macOS. But you would only see the new file if you did a fresh installation with no restore. From what I can tell, once a sudoers file is written to disk, that file is never updated by Apple again.


So, in this case, the file appears to be a pretty standard 10.11 sudoers file. For some reason, 10.11's sudoers file was really big. Previous sudoers had been about 1275. On Sierra and High Sierra, it is 1563. But on any OS version, the file you have might be from an earlier OS version. It's a mess.

Mar 11, 2018 1:46 PM

Reply Helpful
Question marked as Solved

Mar 11, 2018 5:17 PM in response to Kurt Lang In response to Kurt Lang

Yes. It is 1563 bytes, isn't it? But if it were an installation that you had originally upgraded from Yosemite, it might be 1275 bytes. The sudoers file is just a mess. It is one of those odd things with security settings so old that no one even remembers why they were set that way. "That's just the way we've always done it."

Mar 11, 2018 5:17 PM

Reply Helpful
User profile for user: craigmoor

Question: EtreCheck Major Error / sudoers size