I just did something pretty stupid. I edited the /etc/sudoers file directly from within my non-root user account.
sudo vim /etc/sudoers
and added the following to it:
Cmnd_Alias GEM_INSTALL = /usr/bin/gem install *
Cmnd_Alias GEM_UNINSTALL = /usr/bin/gem uninstall *
vitaly ALL=NOPASSWD GEM_INSTALL
vitaly ALL=NOPASSWD GEM_UNINSTALL
The intention was to grant myself permissions to install gems w/o entering a password. I know it’s insecure, but this is a security-vs-convenience kind of thing and I only intended to leave it there for a couple of hours while I do some heavy gem development.
Anyway, experienced unix users might have spotted the syntax error in my sudoers edits. I forgot the : just after the NOPASSWD. But the problem is even more basic than that. I shouldn’t have been editing the file directly. I should have known better. And now I’m paying the price:
$ sudo
>>> sudoers file: syntax error, line 36 <<<
>>> sudoers file: syntax error, line 37 <<<
sudo: parse error in /private/etc/sudoers near line 36
$ sudo vim /etc/sudoers
>>> sudoers file: syntax error, line 36 <<<
>>> sudoers file: syntax error, line 37 <<<
sudo: parse error in /private/etc/sudoers near line 36
Now the sudoers file is broken and I can’t even fix it since I was using sudo to edit it!
Never do that! :)
Use the visudo command. It will check the file syntax before ‘committing’ it.
I looked at the net and the general consensus is that you need to boot into a single-user mode to fix it. I really really didn’t want to do it. I have 4G of RAM and so I’m usually running dozens of programs and it’s a pain to close and reopen them all after boot. I’m lazy :)
Then I thought there might be a better way.
First I checked the permissions on the sudoers file:
$ ls -l /etc/sudoers
-r--r-----+ 1 root wheel 1302 Sep 28 17:20 /etc/sudoers
and only ‘root’ is in the group wheel, so no luck here.
I also couldn’t ‘su root’ since my root user doesn’t have a password. duh!
But then it appeared to me that I might be able to circumvent this protection by leveraging my OS X ‘admin’ status. After all it ought to count for something :).
I opened the “/etc” folder in Finder (Go to Folder...), then opened the sudoers file properties. Opening the lock there doesn’t require being root. It’s enough to be an Admin and my Admin user does have a password! So I was easily able to grant myself permission to edit the file:
After that I just edited the file with vim again to comment out the edits.
Then I did what I was supposed to do from the beginning, I used the ‘visudo’ at last:
The last thing was to restore the original permissions on the file in Finder.
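
The syntax check that visudo performs can also be run on its own against a draft, before anything touches /etc/sudoers. The script below is an added example, not part of the original post: it runs `visudo -c -f` on the rule from this post with and without the `:` after NOPASSWD. The function names and the temporary file are assumptions made for the example; the fragments are constructed copies of the lines above.

```shell
#!/bin/sh
# Added example: syntax-check a sudoers fragment before installing it.
# visudo usually lives in an sbin directory that non-root PATHs may lack.
PATH="$PATH:/usr/sbin:/sbin"; export PATH

# check_sudoers_fragment TEXT   (hypothetical helper)
# Returns 0 if visudo accepts TEXT, 1 on a syntax error,
# 2 if visudo is not available on this machine.
check_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    # -c: check only, no editor is opened
    # -f: parse this file instead of the live /etc/sudoers
    if visudo -c -f "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed copy of the rule from the post: ':' after NOPASSWD is missing.
BROKEN='Cmnd_Alias GEM_INSTALL = /usr/bin/gem install *
vitaly ALL=NOPASSWD GEM_INSTALL'

# The same rule with the tag written as NOPASSWD:
FIXED='Cmnd_Alias GEM_INSTALL = /usr/bin/gem install *
vitaly ALL=NOPASSWD: GEM_INSTALL'

# report LABEL TEXT: print the verdict without aborting on a failed check.
report() {
    check_sudoers_fragment "$2" && verdict=0 || verdict=$?
    case "$verdict" in
        0) echo "$1: parsed OK, safe to install" ;;
        1) echo "$1: syntax error, do not install" ;;
        *) echo "$1: visudo not found, nothing was checked" ;;
    esac
}

report "broken rule" "$BROKEN"
report "fixed rule" "$FIXED"
```

Because the draft is checked in a temporary file, a rejected rule never reaches the file that sudo itself parses, so sudo keeps working while the rule is fixed.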