How to Add a User to the Sudoers File in Mac OS X
Advanced users may need to add a user account to the sudoers file, which allows that user to run certain commands with root privileges. To greatly simplify what that means, these newly privileged user accounts will then be able to execute commands without getting permission denied errors or having to prefix a terminal command with sudo. This may be helpful (or necessary) for some complex situations, but it poses a security risk for others, so this is not something that should be changed casually. Generally speaking, most users are better off using an admin account, using sudo on a per-command basis, or enabling the root user. Nonetheless, directly modifying sudoers has plenty of uses for advanced individuals with in-depth knowledge of the command line, and it is for those more complex situations that we’ll focus on adjusting the sudoers file as described here.
The sudoers file is located at /etc/sudoers but, unlike /etc/hosts and many other system configuration files, you do not want to point a general text editor at the file to modify it. Instead, you’ll want to use a specific command called ‘visudo’, which confirms proper syntax before saving the document.
Important: Adjusting sudoers is not intended for most OS X users. Only advanced users who have a compelling reason to do so should ever modify the sudoers file. If you don’t know what you’re doing and why you’re doing it, do not edit the sudoers file, and do not add any users to the sudoers file. It may pose a security risk, or you may break something.
Add a User to Sudoers in Mac OS X
Adding users to sudoers requires the use of vi, which can be fairly confusing if you’re not accustomed to it. For the unfamiliar, we’ll outline the exact key sequences to edit, insert, and save the file in vi; follow the instructions carefully.
- Launch Terminal and run visudo with sudo to open the sudoers file for editing
- Use the arrow keys to navigate down to the “# User privilege specification” section, which should look like this:
    # User privilege specification
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL
- Put the cursor on the next empty line below the %admin entry and then press the “A” key to insert text, then type the following on a new line, replacing ‘username’ with the short name of the user account you wish to grant privilege to (hit tab between username and ALL):
    username ALL=(ALL) ALL
- Now hit the “ESC” (escape) key to stop editing the file
- Hit the : key (colon) and then type “wq” followed by the Return key to save changes and exit vi
(Screenshot: the edited sudoers file with username ‘osxdaily’ added.)
You can cat the sudoers file to be certain the file was modified. Use cat with grep to find the username quickly if you don’t want to scan through the entire file. The file is not readable by ordinary user accounts, so run cat through sudo:
sudo cat /etc/sudoers | grep username
Now that ‘username’ has been added to the sudoers file you should be good to go.
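The grep check only confirms that one username is present. As an added example (not part of the original article), this shell function lists every rule in a sudoers file that grants the same unrestricted `ALL=(ALL) ALL` access, including passwordless variants, so you can review who else holds it. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every sudoers rule that grants unrestricted root,
# the "<who> ALL=(ALL) ALL" form this article adds. Function names and the
# sample text are constructed for illustration.

# Constructed sample in the layout shown in the article (not a real file).
sample_sudoers() {
cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
username ALL=(ALL) ALL
builder ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) /usr/bin/rsync
Defaults env_reset
# olduser ALL=(ALL) ALL
EOF
}

# Reads sudoers text on stdin and prints "<who> <password|nopasswd>" for each
# rule whose host, run-as and command lists are all ALL. It does not follow
# #include/#includedir directives or expand aliases.
full_root_grants() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
    {
      line = buf $0; buf = ""
      sub(/^[ \t]+/, "", line)
      # Skip comments, Defaults settings and alias definitions.
      if (line ~ /^#/ || line ~ /^Defaults/ || line ~ /^[A-Za-z]+_Alias[ \t]/) next
      eq = index(line, "=")
      if (eq == 0) next
      left = substr(line, 1, eq - 1)
      right = substr(line, eq + 1)
      sub(/[ \t]+$/, "", left)
      # Left side must be exactly "<who> ALL" (any host).
      if (split(left, l, /[ \t]+/) != 2 || l[2] != "ALL") next
      gsub(/[ \t]+/, "", right)
      tag = "password"
      if (sub(/NOPASSWD:/, "", right)) tag = "nopasswd"
      # An omitted run-as list defaults to root, so bare "ALL" counts too.
      if (right ~ /^(\(ALL(:ALL)?\))?ALL$/) print l[1], tag
    }
  '
}

# On a real system: sudo cat /etc/sudoers | full_root_grants
sample_sudoers | full_root_grants
```

Any name in the output that you do not recognize, and any `nopasswd` entry, is worth tracing back to a reason before leaving it in place.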
Resolving a “/etc/sudoers busy, try again later” error
If you’re trying to modify sudoers and get a ‘visudo: /etc/sudoers busy, try again later’ error, that usually means the file is already open, either by another user, by accident, or because visudo was closed improperly. If you’re on a multi-user machine, be sure to check with other users before doing anything further, but generally this shouldn’t happen often on a single-user machine. It’s important to differentiate the two because if you screw up the sudoers file you can be in for a world of frustration, problems, and eventually restoring the OS (or sudoers file) from backups, and resolving that is beyond the scope of this article.
On single-user Macs, that “sudoers busy” error may happen after quitting out of the Terminal app without exiting vi, or if the Terminal or OS X crashed, or if the file is currently open in another session. The solution for these single-user machine cases is fairly simple, and you can resolve the error by removing the sudoers temporary file which serves as a lock:
sudo rm /etc/sudoers.tmp
You’ll only want to do that if you’re certain another user (or yourself) is not actively modifying the file, either locally or remotely. Since adjusting sudoers is fairly advanced in general, we’re assuming you know what you’re doing here, but if you can’t track down what or why sudoers is open, you can try using dtrace or opensnoop to monitor the file usage.