Allow specific users with no password to use sudo

As a sequel to the first post I made to this blog, I’ve found myself tackling this same thing with every macOS release.  Today, however, I discovered a line in /private/etc/sudoers that I hadn’t noticed before:

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

After some research, I discovered that you can drop a file into the /private/etc/sudoers.d directory and, as long as its syntax is correct, sudo will merge its rules with the main sudoers file.  In the event of a conflict, the last rule that applies takes effect, and since the main sudoers file is read first, you can essentially override its behavior by dropping a file into the sudoers.d directory.  Awesome!

I’ve posted the working code to my GitHub repository.  In the event that you want to make a change, be sure to check the file before packaging it up – or you risk breaking sudo:

/usr/sbin/visudo -csf /path/to/your/file
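
One way to wrap the check above into an install step, as an added example (this is not the code from the author's GitHub repository). The helper name install_dropin, the SUDOERS_DIR and VISUDO override variables, and the 0440 root-owned file mode are assumptions of this example; it also refuses file names that contain '.' or end in '~', because sudo skips such files when it reads an include directory.

```sh
#!/bin/sh
# Added example: check a sudoers drop-in, then install it.
# SUDOERS_DIR and VISUDO can be overridden for a dry run against a scratch
# directory; the defaults are the paths used on this page.
SUDOERS_DIR="${SUDOERS_DIR:-/private/etc/sudoers.d}"
VISUDO="${VISUDO:-/usr/sbin/visudo}"

# install_dropin SRC NAME (hypothetical helper, not part of sudo)
# Returns 0 on success, 1 if the check or copy fails, 2 on bad arguments.
install_dropin() {
    src="$1"
    name="$2"

    # sudo skips drop-ins whose names contain '.' or end in '~', and a '/'
    # would let the name escape the target directory.
    case "$name" in
        ''|*.*|*"~"|*/*)
            echo "refusing file name '$name'" >&2
            return 2 ;;
    esac
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }

    # Same check as on the page: -c check only, -s strict, -f this file.
    if ! "$VISUDO" -csf "$src" >/dev/null; then
        echo "syntax check failed, nothing installed" >&2
        return 1
    fi

    # Stage under a name ending in '~' (ignored by sudo) with the final
    # mode, then rename, so sudo never reads a half-written file.
    tmp="$SUDOERS_DIR/${name}~"
    install -m 0440 "$src" "$tmp" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # Assumed convention: drop-ins owned by root (uid 0, gid 0).
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}
```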

Disable “Use this disk?” Time Machine prompt

With a diagnostic OS, you’ll likely find yourself mounting many hard drives – either while NetBooted, or booted from an external hard drive. If Time Machine is not enabled, it will offer to back up to any reasonably-sized hard drive connected to your machine.

To disable this, run this command in the Terminal:

defaults write com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool YES

This will prevent the Time Machine prompts from appearing.

Tested with: 10.5, 10.6, 10.7, 10.8, 10.9, 10.10

Testing the built-in iSight camera

Sometimes, when building a diagnostic OS, you need to optimize for space – you might be trying to fit the OS onto a small USB flash drive, or you want to decrease NetBoot times.

Once you’ve thrown away the obvious culprits – thanks to something like GrandPerspective – you might decide to trash the contents of /System/Library/Compositions/. I did. Unfortunately, this will break Photo Booth.

We relied on Photo Booth to test the iSight camera, so I came up with an alternative. Save this script as an application and put it in the Dock. Heck, I gave it the Photo Booth icon. It opens a new “movie recording” window in QuickTime Player, but it’s not actually recording. Good for a quick test, and faster than Photo Booth.

Tested with: 10.7, 10.8, 10.9, 10.10

Disabling Spotlight

In some cases, Spotlight’s indexing becomes a nuisance at best, and a problem at worst. A diagnostic OS can be used to repair or recover from a failing hard drive, for example, but Spotlight indexing can slow down the process (and lessen your chances of recovering data).

Luckily, it’s pretty simple to disable Spotlight. In the Terminal, run this command:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

If you later change your mind, this command will reverse it:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.metadata.mds.plist

Note that this disables Spotlight systemwide, not just on a per-HD basis. Existing Spotlight indexes will be left untouched.

Note that in OS X 10.7 and above, the App Store uses Spotlight to recognize which apps are installed and can be updated. With Spotlight disabled, the App Store will only show OS updates. If you’re updating your Diagnostic OS, I’d suggest temporarily re-enabling Spotlight.

Tested with: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9

Allow admin users with no password to use sudo

Although Apple has always discouraged it, users were able to create accounts without passwords until OS X 10.7. Starting with OS X 10.5, Apple prevented these types of accounts from being able to use ‘sudo’ via the command line.

Why might this be a problem? In my case, I built a diagnostic OS (accessible via NetBoot) that sometimes needed this kind of access. MacPorts was a common issue, but the original reason was a program called CopyCatX. If your user account did not have a password set, CopyCatX would refuse to run.

Anyway, the fix is pretty easy – you’ll need to edit the file /etc/sudoers. Although it’s recommended that you use visudo (as it does sanity checks on the file), I tend to use TextWrangler. Carefully.

Change the line that reads:

%admin ALL=(ALL) ALL

to say this instead:

%admin ALL=(ALL) NOPASSWD: ALL

(I’d recommend against copying and pasting – Bad Things can happen if this file is damaged. Type it out.)

Save. You may need to reboot, as well.

Tested with: 10.5, 10.6, 10.7, 10.8, 10.9