As a sequel to the first post I made to this blog, I’ve found myself tackling this same thing with every macOS release. Today, however, I discovered a line in /private/etc/sudoers that I hadn’t noticed before:
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
After some research, I discovered that you can drop a file into /private/etc/sudoers.d (a directory) and, as long as its syntax is correct, sudo will merge its rules with those in the main sudoers file. In the event of a conflict, the last rule that applies takes effect, and the main sudoers file is read first, so you can essentially override behavior by dropping a file into the sudoers.d directory. Awesome!
I’ve posted the working code to my GitHub repository. In the event that you want to make a change, be sure to check the file before packaging it up – or you risk breaking sudo:
/usr/sbin/visudo -csf /path/to/your/file
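
The same check, wrapped in an installer so that a drop-in only reaches sudoers.d after it passes. This is an added example, not the code from the GitHub repository mentioned above. The function names, return codes and the VISUDO override variable are assumptions made for this sketch. It goes one step beyond the post by also rejecting file names that sudo would silently skip.

```shell
#!/bin/sh
# Added example: validate a sudoers drop-in, then install it into sudoers.d.
# VISUDO and the function names are hypothetical, chosen for this sketch.
VISUDO="${VISUDO:-/usr/sbin/visudo}"

# sudo skips files in an #includedir directory whose names end in '~'
# or contain a '.', so such a file would install cleanly but never apply.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_dropin SRC DEST_DIR NAME
# Returns 0 on success, 1 on a bad name, 2 on a failed check, 3 on an I/O error.
install_dropin() {
    src=$1 dest_dir=$2 name=$3

    dropin_name_ok "$name" || {
        echo "refusing name '$name': sudo would skip it" >&2
        return 1
    }

    # The check from the post: -c check only, -s strict, -f file to check.
    "$VISUDO" -csf "$src" >&2 || {
        echo "syntax check failed; nothing installed" >&2
        return 2
    }

    # Stage inside DEST_DIR so the final mv is a rename on one filesystem.
    # The staging name contains dots, so sudo ignores it if it is left behind.
    tmp="$dest_dir/.$name.tmp.$$"
    cp "$src" "$tmp" || return 3
    # The check ran on SRC; the installed copy still needs the conventional
    # mode 0440 and root ownership (gid 0 is wheel on macOS).
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 3; }
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 3; }
    fi
    mv -f "$tmp" "$dest_dir/$name" || { rm -f "$tmp"; return 3; }
}
```

Source the file and run, as root, install_dropin ./my_rules /private/etc/sudoers.d my_rules. A non-zero return means the directory was left untouched.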