Tag: sudo

Using Munki to enable sudo for Touch ID

Ever since I got my MacBook Pro with a Touch Bar, I’ve avoided typing in my password as much as possible. macOS 10.14 and 10.15 added more places in the OS that accept Touch ID, which has been a welcome change. As part of my job, I tend to use the sudo command quite a bit, and this post from Rich Trouton has been a godsend. Just edit the appropriate file, restart your Terminal session, and you’re all set.

However, with many macOS patches and security updates, /etc/pam.d/sudo is reset back to defaults. I don’t know why this happens, but it’s quite annoying. After manually applying the change to this file again, I finally decided to script it.

Now, there are a handful of files that can really ruin your day if they become damaged or invalid. This is one of those files. Please proceed with caution, keep good backups, and be prepared to reinstall your OS if things get really messed up. That said, this worked for me on macOS 10.15.5, and will hopefully continue to work for years to come.

Since I use Munki, I decided to build a nopkg file that checks for the appropriate line in /etc/pam.d/sudo, and inserts it if it’s not present. To download the code, please see my GitHub repository.
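As an added illustration of the check-and-insert logic (this is not the nopkg from the GitHub repository), the script below makes sure the Touch ID PAM module is the first "auth" rule in /etc/pam.d/sudo, backs the file up first, and never adds the line twice. It assumes the line the post refers to is "auth sufficient pam_tid.so" and uses Munki's installcheck convention that exit 0 means "install needed".

```shell
#!/bin/sh
# Added example, not the post's nopkg: idempotently make Touch ID the first
# "auth" rule of a pam.d file. Assumes the line the post refers to is
# "auth sufficient pam_tid.so" (Apple's Touch ID PAM module).
TID_LINE='auth       sufficient     pam_tid.so'

# Return 0 if pam_tid.so is already an "auth sufficient" rule in FILE.
tid_enabled() {
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1"
}

# Insert TID_LINE before the first existing "auth" rule so Touch ID is tried
# before pam_opendirectory asks for a password. Falls back to appending when
# the file has no auth rule. Returns 0 on success or when nothing was needed.
enable_tid() {
    file="$1"
    tid_enabled "$file" && return 0            # already done: never duplicate
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1       # keep a copy of the original
    tmp=$(mktemp) || return 1
    awk -v line="$TID_LINE" '
        !done && /^auth/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write in place (cat, not mv) so root:wheel ownership and mode 444 survive.
    cat "$tmp" > "$file"; rm -f "$tmp"
    tid_enabled "$file"                         # verify the write landed
}

# Munki installcheck convention: exit 0 means "install needed". Run with
# "--check" for the installcheck_script, "--apply" (as root) for postinstall.
case "${1:-}" in
    --check) tid_enabled "${2:-/etc/pam.d/sudo}" && exit 1 || exit 0 ;;
    --apply) enable_tid "${2:-/etc/pam.d/sudo}" ;;
esac
```

Run `sudo sh enable_tid.sh --apply` to edit the real file, or pass a second argument to try it on a copy first.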

Allow specific users with no password to use sudo

As a sequel to the first post I made to this blog, I’ve found myself tackling this same thing with every macOS release. Today, however, I discovered a line in /private/etc/sudoers that I hadn’t noticed before:

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

After some research, I discovered that you can drop a file in /private/etc/sudoers.d (a directory), and, as long as the syntax is correct, sudo will merge it with the main sudoers file. In the event of a conflict, the last rule that applies takes effect – and the main sudoers file is read first, so you can essentially override behavior by dropping a file into the sudoers.d directory. Awesome!

I’ve posted the working code to my GitHub repository. In the event that you want to make a change, be sure to check the file before packaging it up – or you risk breaking sudo:

/usr/sbin/visudo -csf /path/to/your/file

Allow admin users with no password to use sudo

Although Apple has always discouraged it, users were able to create accounts without passwords until OS X 10.7. Starting with OS X 10.5, Apple prevented these types of accounts from being able to use ‘sudo’ via the command line.

Why might this be a problem? In my case, I built a diagnostic OS (accessible via NetBoot) that sometimes needed this kind of access. MacPorts was a common issue, but the original reason was a program called CopyCatX. If your user account did not have a password set, CopyCatX would refuse to run.

Anyway, the fix is pretty easy – you’ll need to edit the file /etc/sudoers. Although it’s recommended that you use visudo (as it does sanity checks on the file), I tend to use TextWrangler. Carefully.

Change the line that reads:

%admin ALL=(ALL) ALL

to say this instead:

%admin ALL=(ALL) NOPASSWD: ALL

(I’d recommend against copying and pasting – Bad Things can happen if this file is damaged. Type it out.)

Save. You may need to reboot, as well.

Tested with: 10.5, 10.6, 10.7, 10.8, 10.9
