
I just did something pretty stupid. I edited the /etc/sudoers file directly from within my non-root user account.

I did

sudo vim /etc/sudoers

and added the following to it:

Cmnd_Alias GEM_INSTALL = /usr/bin/gem install *
Cmnd_Alias GEM_UNINSTALL = /usr/bin/gem uninstall *
vitaly ALL=NOPASSWD GEM_INSTALL
vitaly ALL=NOPASSWD GEM_UNINSTALL

The intention was to grant myself permission to install gems without entering a password. I know it's insecure, but this is a security-vs-convenience kind of thing and I only intended to leave it there for a couple of hours while I do some heavy gem development.

Anyway, experienced unix users might have spotted the syntax error in my sudoers edits. I forgot the ':' just after the NOPASSWD. But the problem is even more basic than that. I shouldn't have been editing the file directly. I should have known better. And now I'm paying the price:

$ sudo
>>> sudoers file: syntax error, line 36 <<<
>>> sudoers file: syntax error, line 37 <<<
sudo: parse error in /private/etc/sudoers near line 36

$ sudo vim /etc/sudoers
>>> sudoers file: syntax error, line 36 <<<
>>> sudoers file: syntax error, line 37 <<<
sudo: parse error in /private/etc/sudoers near line 36

OOPS!

Now the sudoers file is broken and I can't even fix it since I was using sudo to edit it!

Never do that! :)

Use the visudo command. It locks the sudoers file against concurrent edits, opens it in your editor, and checks the syntax before 'committing' it, so a file that would not parse never gets written in place.

Now what?

I looked at the net and the general consensus is that you need to boot into single-user mode to fix it. I really really didn't want to do it. I have 4G of RAM and so I'm usually running dozens of programs and it's a pain to close and reopen them all after a reboot. I'm lazy :)

Then I thought there might be a better way.

First I checked the permissions on the sudoers file:

$ ls -l /etc/sudoers 
-r--r-----+ 1 root  wheel  1302 Sep 28 17:20 /etc/sudoers

and only 'root' is in the group wheel, so no luck here.

I also couldn't 'su root' since my root user doesn't have a password. Duh!

But then it occurred to me that I might be able to circumvent this protection by leveraging my OS X 'admin' status. After all, it ought to count for something :).

I opened the "/etc" folder in Finder (Go -> Go to Folder...), then opened the sudoers file's info panel (Get Info). Unlocking the permissions lock there doesn't require you to be root. It's enough to be an Admin, and my Admin user does have a password! So I was easily able to grant myself permission to edit the file:

[screenshots: the permissions lock in the Get Info panel, locked, then unlocked]

After that I just edited the file with vim again to comment out my edits:

vim /etc/sudoers

Then I did what I was supposed to do from the beginning and used visudo at last:

sudo visudo

The last thing was to restore the original permissions on the file in Finder. Don't skip this step: sudo checks that sudoers is owned by root with mode 0440 and refuses to run if it is not.

DONE
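What the visudo advice comes down to in practice, as an added example (my code, not the post's): write the rules to a scratch file, run visudo's syntax check on that file, and only then install it. It assumes a POSIX sh with awk, and visudo on the PATH when available; the fragment names, the /etc/sudoers.d/gem target and the awk pre-check are my own choices, and the sudoers.d target only works if your sudoers has an #includedir line for that directory. The awk function catches just the slip from this post (a tag such as NOPASSWD with no ':' after it); visudo -c remains the authoritative parser.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes POSIX sh + awk; uses visudo when it is installed.
set -u

# Lint for the exact slip in the post: a Tag_Spec word (NOPASSWD, NOEXEC, ...)
# must be followed by ':'. Comment lines are skipped. Exits 1 on any hit.
# This catches one common mistake only; visudo is the real parser.
check_tag_colons() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            if (match($0, /(^|[=,[:space:]])(NO)?(PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT)([[:space:]]|$)/)) {
                printf "line %d: tag not followed by \":\": %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Authoritative check: visudo -c parses without installing, and -f points it
# at any path, so a scratch copy can be tested without touching /etc/sudoers.
# visudo also verifies owner root / mode 0440, so from a normal account a
# copy in /tmp draws an ownership complaint even when it parses; the line to
# look for is "parsed OK". Falls back to the lint when visudo is absent.
visudo_check() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; running tag pre-check only" >&2
        check_tag_colons "$1"
    fi
}

# --- demonstration on constructed fragments in a scratch directory ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The rules from the post, colon missing after NOPASSWD.
cat > "$tmp/gem.broken" <<'EOF'
Cmnd_Alias GEM_INSTALL = /usr/bin/gem install *
Cmnd_Alias GEM_UNINSTALL = /usr/bin/gem uninstall *
vitaly ALL=NOPASSWD GEM_INSTALL
vitaly ALL=NOPASSWD GEM_UNINSTALL
EOF

# Corrected syntax. The security caveat remains: '*' in a sudoers argument
# pattern also matches spaces, so any arguments get through, and 'gem install'
# runs a gem's extension build code as root. This rule is root access.
cat > "$tmp/gem.fixed" <<'EOF'
Cmnd_Alias GEM_INSTALL = /usr/bin/gem install *
Cmnd_Alias GEM_UNINSTALL = /usr/bin/gem uninstall *
vitaly ALL=(root) NOPASSWD: GEM_INSTALL, GEM_UNINSTALL
EOF
chmod 0440 "$tmp"/gem.*

for f in "$tmp/gem.broken" "$tmp/gem.fixed"; do
    echo "== $f"
    if visudo_check "$f"; then
        echo "passes: install with  sudo install -o root -g 0 -m 0440 $f /etc/sudoers.d/gem"
    else
        echo "rejected (syntax error, or owner/mode warning on the scratch copy); do not install"
    fi
done
```

The install command is the only step that needs sudo, and it runs only after the check passed, so a typo can never leave a broken file at a path sudo reads. The corrected rule is still a root-equivalent grant; that is the security-vs-convenience trade the post accepts, for a couple of hours.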
