Running sudo as a standard user in Mac OS X

Apple Mac OS X has its roots in a development of BSD Unix and as such the command line should be pretty familiar to most Unix sysadmins. It does have one significant security flaw though – the default privilege level for a user is admin (although, to be fair, that is not the same as root, which needs to be enabled manually if required). Such routine use of administrative privileges is a dangerous practice – one which many Mac users will be happy to criticise Windows for; however, unlike versions of Windows prior to Vista, it is perfectly easy to operate a Mac using the principle of least user privilege – indeed, I perform all of my Mac OS X activities as a standard user although I’m asked to authenticate using an admin account for certain activities (in a similar manner to Windows Vista user access control).

Rather than enabling root access, OS X uses the sudo command to temporarily escalate privileges when required in a terminal shell (Linux Box Admin has an interesting article comparing sudo with root); however, by default, sudo will not work for a standard user – when I tried to run sudo command earlier today I got the following response:

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type “man sudo” for more information.

To proceed, enter your password, or type Ctrl-C to abort.

username is not in the sudoers file. This incident will be reported.

I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su - adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell.

6 thoughts on “Running sudo as a standard user in Mac OS X

  1. I only just saw this, whilst searching for something else. Must have missed it the first time around. Excellent tip. Like you, I didn’t want to edit the sudoers list; it seemed as though it would negate the point of running as a standard user. It will come in very useful, cheers.

  2. I don’t like either to use an administrator as a primary user, instead of ssh root@localhost you could just do ssh adminuser@localhost (this will avoid to enable the root account).
    However there’s still a problem with that solution: you cannot use programs that have a graphical interface, for example ethereal/wireshark which launches inside X11. (even if you ssh -X)

    $su – zioadmin
    $sudo ethereal

    (wireshark:12570): Gtk-WARNING **: cannot open display:

  3. I could -almost- guarantee that by *correctly editing /etc/sudoers file will not affect/compromise your system’s security. At least Apple did some odd work there (which I don’t think so), editing /etc/sudoers is exactly the same on any BSD-like system: do NOT edit it just with ‘vi’ command, or any other text editor; instead, the CORRECTLY way of editing /etc/sudoers is by: visudo command. That way, you could add your Standard user account there, and properly give it access to ALL/or specifically the commands you want/need.

  4. Thanks anonymous – that’s useful information; however I wouldn’t give a standard user admin privileges in the GUI… so I shouldn’t at the command line either. Surely it’s much better to su to an administrative user and then sudo as required for those tasks that need elevated permissions?

Leave a Reply