How to Add a User to the Sudoers File in Mac OS X

Feb 6, 2014 - 12 Comments

Advanced users may need to add a user account to the sudoers file, which allows that user to run certain commands with root privileges.

To greatly simplify what that means, these newly privileged user accounts will then be able to execute commands without getting permission denied errors or having to prefix a terminal command with sudo. This may be helpful (or necessary) for some complex situations, but it poses a security risk for others, thus this is not something that should be casually changed.

Generally speaking, most users are better off using an admin account, using sudo on a per command basis, or enabling the root user. Nonetheless, directly modifying sudoers has plenty of usage situations for advanced individuals with in-depth knowledge of the command line, and it is for those more complex situations that we’ll focus on adjusting the sudoers file as described here.


The sudoers file is located at /etc/sudoers but, unlike /etc/hosts and many other system configuration files, you do not want to point a general text editor at the file to modify it. Instead, you’ll want to use a specific command called ‘visudo’, which confirms proper syntax before saving the document.

Important: Adjusting sudoers is not intended for most Mac OS X users. Only advanced users who have a compelling reason to do so should ever modify the sudoers file. If you don’t know what you’re doing and why you’re doing it, do not edit the sudoers file, and do not add any users to the sudoers file. It may pose a security risk, or you may break something.

Add a User to Sudoers in Mac OS X

Adding users to the sudoers file requires the use of vi, which can be fairly confusing if you’re not accustomed to it. For the unfamiliar, we’ll outline the exact key command sequences to edit, insert, and save the file in vi. Follow the instructions carefully.

  1. Launch Terminal and type the following command:

    sudo visudo

  2. Use the arrow keys to navigate down to the “# User privilege specification” section; it should look like this:

    # User privilege specification
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL

  3. Put the cursor on the next empty line below the %admin entry and then press the “A” key to insert text, then type the following on a new line, replacing ‘username’ with the user’s short name of the account you wish to grant privilege to (hit tab between username and ALL):

    username ALL=(ALL) ALL

  4. Now hit the “ESC” (escape) key to stop editing the file
  5. Hit the : key (colon) and then type “wq” followed by the Return key to save changes and exit vi

This is roughly what it should look like; the example screenshot shows the username ‘osxdaily’ added:

[Screenshot: User added to the sudoers file in OS X]

You should be good to go. You can cat the sudoers file to be certain the file was modified (the file is readable only by root, so sudo is needed):

sudo cat /etc/sudoers

Use cat with grep to find the username quickly if you don’t want to scan through the entire file:

sudo cat /etc/sudoers | grep username

Now that ‘username’ has been added to the sudoers file you should be good to go.
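Going a step beyond grepping for one username, the following added example (not part of the original article) lists every user-specification line that grants unrestricted ALL commands as root, and then filters out the two default entries shown above so that only added grants remain. The function names and the sample sudoers text are constructed for illustration; aliases and included files are not expanded.

```shell
#!/bin/sh
# Added example: audit sudoers text for unrestricted root grants.
# Reads sudoers content from stdin or from file arguments.

# Print "principal<TAB>password|nopasswd" for each line whose command list
# is exactly ALL and whose run-as target is root, ALL, or omitted.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments, #include lines, blanks
    $1 == "Defaults" || $1 ~ /^Defaults[@:!>]/ || $1 ~ /_Alias$/ { next }
    {
        who = $1
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # drop the principal field
        gsub(/[ \t]/, "", rest)                 # normalise spacing
        if (rest ~ /^ALL=(\((ALL|root)(:[^)]*)?\))?(NOPASSWD:|PASSWD:)?ALL$/) {
            mode = (rest ~ /NOPASSWD:/) ? "nopasswd" : "password"
            print who "\t" mode
        }
    }' "$@"
}

# Same report, minus the root and %admin entries the article shows as defaults.
non_default_grants() {
    audit_sudoers "$@" | awk -F '\t' '$1 != "root" && $1 != "%admin"'
}

# Constructed sample: the default section plus three added entries.
# "deploy" is limited to one command, so it is not reported.
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
osxdaily ALL=(ALL) ALL
deploy ALL=(root) /usr/sbin/softwareupdate
build ALL = (ALL) NOPASSWD: ALL
Defaults env_reset
EOF
}

# Demo on the sample; on a real Mac: sudo cat /etc/sudoers | non_default_grants
sample_sudoers | non_default_grants
```

Any line this reports gives the named account the same reach as root, which is the concern raised in the comments below; a rule limited to a specific command path, like the constructed deploy entry, is not reported.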

Resolving a “/etc/sudoers busy, try again later” error

If you’re trying to modify sudoers and get a ‘visudo: /etc/sudoers busy, try again later’ error, that usually means the file is already open, either by another user, by accident, or because visudo was closed improperly. If you’re on a multi-user machine, be sure to check with other users before doing anything further, but generally this shouldn’t happen often on a single-user machine. It’s important to differentiate the two, because if you screw up the sudoers file you can be in for a world of frustration, problems, and eventually restoring the OS (or the sudoers file) from backups, which is beyond the scope of this article.

On single-user Macs, that “sudoers busy” error may happen after quitting out of the Terminal app without exiting vi, or if the Terminal or Mac OS X crashed, or if the file is currently open in another session. The solution for these single-user machine cases is fairly simple: you can resolve the error by removing the sudoers temporary file, which serves as a lock:

sudo rm /etc/sudoers.tmp

You’ll only want to do that if you’re certain another user (or yourself) is not actively modifying the file, either locally or remotely. Since adjusting sudoers is fairly advanced in general, we’re assuming you know what you’re doing here, but if you can’t track down what or why sudoers is open, you can try using dtrace or opensnoop to monitor the file usage.

Posted by: Paul Horowitz in Command Line, Mac OS, Tips & Tricks

12 Comments

  1. Moscarda says:

    Can you provide instructions on the proper way to REMOVE a user from sudoers? Not to revoke an Admin’s permissions to use the sudo command, but requiring it to be entered manually as per default settings.

  2. Mike says:

    I get asked for a password when I use sudo. It isn’t my administrator password, therefore I can’t perform the sudo to change the sudoers file.

    I went to finder and added my administrator user account to have the permissions to read and write, however I still can’t edit the file!

    OSX is all over the place. Root is not administrator… what is it then! What’s the password for root! It’s annoying to be locked out of your own system. Totally lame… secure yes… but lame.

    • MarkP says:

      Mike,

      Your Mac may be configured the same way as mine. That is, I set my regular user account to not be an administrator & I have a totally separate account for the administrator (root). All you need to do is to switch user to your admin account and THEN do sudo visudo (& :wq! to save was good advice). You will be prompted for the admin password which will work. Having done this, switch back to your regular user account and you will see that executing sudo and using your regular password will now work.
      Cheers
      Mrk

  3. Joan Barros says:

    I think there’s an error in this article. In the second sentence of the first paragraph it states the following:

    “To greatly simplify what that means, these newly privileged user accounts will then be able to execute commands without getting permission denied errors or having to prefix a terminal command with sudo.”

    If I understand correctly it says that by adding a user to the sudoers file, it will be able to run commands as root without prefixing sudo. This is not the case. Being a member of the sudoers file gives you the privilege of using the sudo command.

    • pablo says:

      Yes correct, a user added to sudoers allows sudo access to that user.

      • enaon says:

        The way you use sudo in this example, it makes it hard to differentiate, the user is as powerful as a root, hell, he can type “passwd root” and change the root password, then he is root.

        Sudo is not meant to be used this way. It is supposed to give root access to certain parts of the system, not ALL of it.

  4. nocdib says:

    Thanks for this post. It really helped me out.

  5. SLOWIK says:

    It does not work for MAC OS X Yosemite because the /etc/sudoers file is read-only even for the root user. After editing the file in vi, the command for saving the file should be “:wq!” (with exclamation mark), not only “:wq”.

    • Anyone says:

      You are wrong, it works. I did a “chmod 744” and then “sudo visudo” to get access. You don’t need to put the exclamation mark because you already have root privileges.
      Cheers

  6. AJ Orea says:

    Hey, I have found that this only works in single user mode. If not, you need the password of someone who can modify the file (admin account).

  7. lepht says:

    > cat /etc/sudoers | grep username
    Congrats on the UUOC[1] award[2]! ;)

    [1]: http://en.wikipedia.org/wiki/Cat_(Unix)#Useless_use_of_cat

    [2]: http://partmaps.org/era/unix/award.html

    • Jim says:

      Thanks for pointing out the UUOC, I wonder if the author even reads, or understands, these comments as that UUOC remains after six years.
