67

My Problem

I would like to be able to run sudo commands on MacOS Sierra 10.12 without having to type a password.

What have I tried

I've read the following:

And changed the relevant part of my /etc/sudoers file to:

root ALL=(ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL) NOPASSWD: ALL
adamatan ALL=(ALL) NOPASSWD: ALL

My local user id (whoami) is adamatan.

I'm still being asked to type a password every few minutes when calling sudo. Any idea what's wrong?

Community
  • 1
Adam Matan
  • 3,569
  • 10
  • 35
  • 47
  • Does sudo -i work on Sierra? In El Cap it will switch you to root context and run login resource files for that session. (Will still need to be sudoers, so earlier effort not wasted). – FiddleDeDee Oct 27 '16 at 13:12
  • Works, but how does it solve the problem? – Adam Matan Oct 30 '16 at 10:15
  • 1
    I just recently upgraded to Sierra and ran into this. The default `/etc/sudoers` file has changed fairly radically from El Cap. There I just dropped a one line config file into the sudoers.d directory and it "just worked". Seems things have changed. I'll report back if I get anymore info. – Mark Edington Jul 12 '17 at 04:02
  • Maybe just execute one of the macOS root permissions exploits instead ;) – sudo Jul 19 '18 at 18:10
  • 1
    That defeats the whole point of sudo – Matthew Barclay Jun 14 '19 at 03:05
  • 1
    I know this question is old but to anyone who is reading this: NEVER ENABLE `sudo` WITHOUT PASSWORD. This is probably the single most dangerous thing a person can ever do to their computer. Why is no one moderating here? IMHO this question and all answers below should include a short caveat saying something like "Do this at your own risk, this will make your computer extremely vulnerable to hacking and viruses." – ed9w2in6 Jan 19 '21 at 14:56
  • 2
    @ed9w2in6 It's common to enable sudo access without a password for service accounts that is used to maintain a fleet of computers. For example, CI/CD systems may install dependencies on macOS build agents, and configuration management systems may run commands to "patch" the operating system. – bloudraak Apr 16 '22 at 18:23
  • @ed9w2in6 - it all depends on what that access can reach and what other layers of security are applied. There's always a why for everything. You still have to get into the other non-sudo user to get in anyway, and the machine may be on an internal network. Security is always a trade-off and a combination of things. It's just not true to make a blanket statement that you should never enable sudo without password. I do it routinely. Also, everyone should be using everything on stack exchange at their own risk. There's no guarantees for anything here. – NeilG May 01 '22 at 04:51
  • Well I had never pictured macOS to be used as an CI/CD system, which can be one good use case of a no password sudo. I agree that NEVER is indeed a strong word, SHOULD is probably a better choice of word. In such cases it is also probably better to only whitelist certain commands. – ed9w2in6 May 03 '22 at 15:26

5 Answers5

95

Open a terminal, run sudo visudo

Edit the line:

%admin ALL=(ALL) ALL

To say:

%admin ALL=(ALL) NOPASSWD: ALL

Now, you should now be able to run sudo without password.

nohillside
  • 92,308
  • 39
  • 198
  • 242
steoleary
  • 1,051
  • 7
  • 4
18

Better not to edit /etc/sudoers directly. Instead, the /etc/sudoers file does include a line:

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

So better simply add an empty file under /private/etc/sudoers.d/mysudo and use visudo to fill it with a content like:

mylogin            ALL = (ALL) NOPASSWD: ALL

Remember to always run sudo visudo after creating the empty file under /private/etc/sudoers.d/ so that visudo also checks for syntax on that file, or else you might end up with a broken sudo configuration and the inability to run visudo to fix it.

You have been warned

kali
  • 181
  • 1
  • 2
  • I was forced to do this on latest OS of mac, it wouldn't let me update sudoers file, kept saying invalid. Thanks! – cmac Sep 17 '20 at 22:14
7
root ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL

stens ALL = (ALL) NOPASSWD: ALL # my userid is stens
Ville
  • 123
  • 5
Scott Stensland
  • 281
  • 4
  • 9
4

Execute the terminal whoami command to find your username (also known as ldapname).

> whoami

Chase that with executing the command below (be comfortable using VI/VIM before proceeding).

> sudo visudo -f /private/etc/sudoers.d/sudogo

NOTE1: The -f syntax will permit you to specify an alternate sudoers file location. With this option, visudo will edit (or check) the sudoers file of your choice, instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ".tmp" appended to it. In check-only mode only, the argument to -f may be -, indicating that sudoers will be read from the standard input.

NOTE2/WARNING: You could have created a file named "nopw" in place of sudogo. However, hackers are slick and will look for the letters "PW" (abbreviation for password). Feel free to change "sudogo" to something different, logical, and safe. Be aware that an extension was not added to the end of the file; It is not required.

An example is posted below. Activate insert mode with i, copy both lines posted below into the blank file. Substitute INSERT_USERNAME for ldapname. Hit escape, save and quit the file with :wq from command mode.

# user(s) below can can run any script on this machine
INSERT_USERNAME        ALL = (ALL) NOPASSWD: ALL

Execute sudo visudo (-f and path omitted) one final time. The command will open the sudoers file and check the changes. Proceed to type :q! to exit /etc/sudoers without saving changes.

> sudo visudo
Danny
  • 41
  • 1
2

Try setting NOPASSWD on the root user. In /etc/sudoers

root            ALL = (ALL) NOPASSWD: ALL
Dave Snyder
  • 129
  • 3