How to execute a command with admin privileges and access to files of the logged in user?

macos sudo privileges

103,260

Solution 1

sudo always requires the executing user's password (and requires that you have specific permissions to do this, i.e. are one of the sudoers).

su requires the password of the target account (root by default, but root account has no password on OS X by default). If you use su instead, you can enter the destination account's password and execute a command using that user's privileges.

su -c some_cmd # as root
su username -c some_cmd # as username

^{This works by passing all arguments after the user name to the destination account's login shell. Shells usually support -c <commands> arguments. In GNU coreutils su, there's an actual -c command argument to su that can be placed before the user name.}

You can su to another user account (using the other user account's password), and sudo from there, provided that other account is a sudoer.

If you want neither to enter another account's password, nor give your regular account sudoers permissions, you're pretty much out of options unless you consider SSH with key authentication or something like that.

Solution 2

Unless you really "need" to maintain a separate root user on Mac OS X, it's often much easier to just get a root shell using sudo -s

In your case, non-admin users are not included in /etc/sudoers - so you would have to add by hand the users/groups you intend to have sudo accept.

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

Once that's done, sudo will inherits almost all of the nice things from your shell like PATH and other variables, but elevates your non-admin user instantly to root. The downside of enabling root is time and the security risk of someone actually logging in locally or remotely as root.

Keep in mind, sudo is asking for the password of the user that logged in to the loginwindow screen. su - wants the password of the root account, sudo -s uses privilege escalation to use the current user's password to become root without needing any (or in your case, the actual) root password.

Solution 3

If you are using a standard account (usually for security reasons) and you know an administrator username and password, you can do su -l admin_user. After entering the password, you are now, for all effects, acting as that administrator. Then you can sudo to your heart's content. Now, just logout to go back to your original plain account.

103,260

robertj

Updated on September 18, 2022

Comments

robertj almost 2 years

I have some problems understanding sudo. I am logged in on a terminal as an non-admin/non-root user. This "normal" user is not in the sudoers file (and shouldnt be, in my opinion).

Now I try to execute a command that needs admin/root privileges and also access to directories of my normal user – therefore I am not able to simply su into an admin or root user.

In my understanding sudo -u root should do the trick – however it doesn't accept the password for root (or admin if I try with my normal admin user). It only accepts the password of the "normal" user which seems to indicate that the -u username option doesn't work the way I expect it to work.

My expectation is that sudo -u root some_command executes some_command with the privileges of root and therefore it asks also for the password of root. Obviously not.

TL;DR: How do I execute any command that requires admin privileges AND has access to the files of the "logged in (normal) user" without adding the normal user to the sudoers file?

I have enabled the root user under Mac OS X 10.7.
robertj almost 13 years

Hi, thanks for the answer. I am not sure if I do understand you correct. As far as I can tell if I su into root I will loose access to the files of the initially logged in user - however this is exactly what I need. Let me be more concrete: I am using npm (node package manager) to install a self written package into the global package registry on my machine. For this to do i need access to "/usr/local/lib/node_modules/..." which the loggedin user (let say "robert") doesnt have. The package resides in "~/my_package". su doesnt help as it has no access to this folder (next comment)
robertj almost 13 years

and adding "robert" to the sudoers file seems like total overkill to me.
Motsel about 11 years

I'm running OS X 10.8.3 and 'su -c' is not recognized as a valid option for me...: "su: illegal option -- c"
Motsel about 11 years

Thanks! Is it also possible to combine this with sudo AND only have to type in the (same) password 1 time? Something like this: su username -c 'sudo some_cmd'
HikeMike about 11 years

@Daps0l Not that I know of, except by allowing username to run some_cmd as root all the time (look for NOPASSWD in man sudoers). (If the down vote I received for this answer is yours, I'd appreciate if you could undo that)
cuskus almost 8 years

This solved my problem: superuser.com/a/1021174/622740
solgar over 7 years

Sudo doesn't always require password. Calling sudo updates timestamp and allows to run sudo without giving password for a couple of minutes (this varies between OSes).