Caution on macOS 10.12.4: sudo is broken, sudo hangs before password for nearly 5 minutes
See also About the macOS Sierra 10.12.4 Update.
Update: most readers report not seeing this issue. MPG suspects it depends on some kind of system configuration, such as an ACL, user/group database, etc.
Bugs are bugs and often depend on some factor or factors that might leave some users high and dry even as others happily snorkel along. So the trick is finding out what is causing the behavior I’m seeing on all three Macs. I thank the users who have written for not degenerating into the “works for me” ignorance mode that sometimes pops up in such situations.
Summary as of 7 April 2017:
- Apple has ignored the bug I filed for 12 days now (Apple Bug Report #31307973), pretty much what Apple does these days—no response whatsoever.
- I added notes to this discussion thread at discussions.apple.com: sudo hangs before password
- The ONLY fix that works is an erase/reinstall and manual reinstall of apps and data and reconfigure. This can take many hours for advanced users like me, with a detailed working environment.
- Using Migration Assistant drags over whatever is upsetting sudo—even onto a fresh erase/install of macOS.
- No apparent issues in /etc/sudoers that would explain the issue.
- Once triggered, even a new admin user has the problem, so it is a system wide issue (not specific to one user).
... Original post ...
This bug has totally destroyed my daily workflow; I use 'sudo' dozens if not hundreds of times a day. I don’t know what I’m going to do—I may have to clone macOS 10.12.3 back over the “upgraded” system — and I cannot do that on two machines because I keep no clones (they're secondaries but I use them nonetheless).
In Terminal, using sudo hangs on all 3 Macs I was foolish enough to update to 10.12.4:
The process just hangs, rendering sudo useless. It doesn't matter what comes after sudo; any and all uses of sudo hang. Using control-C does not recover either; the Terminal window becomes unusable. Eventually the command executes, with a 4 minute and 39 second delay:

```
diglloydMP:DIGLLOYD lloyd$ date; sudo date
Tue Mar 28 13:44:57 PDT 2017
Tue Mar 28 13:49:36 PDT 2017
```

= 4 minute 39 seconds delay
Since reports of a problem surfaced two months ago, I have to wonder how a bug like this can be shipped to customers. I found a link to an alleged fix, but I am not familiar with that site, and the suggested fix is non-Apple software for 'sudo'—the idea of downloading a sudo replacement to give root access to my system makes me blanch.
In About the security content of macOS Sierra 10.12.4, Apple lists this “fix”. The alleged fix is not relevant to my usage; I am not using network directories.
Available for: macOS Sierra 10.12.3
Impact: A user in a group named "admin" on a network directory server may be able to unexpectedly escalate privileges using sudo
Description: An access issue existed in sudo. This issue was addressed through improved permissions checking.
Observations that point to a solution as yet unknown:
- Installing a brand-new 10.12.4 on a freshly erased volume does not suffer the problem.
- Installing a brand-new 10.12.4 on a freshly erased volume and then using Migration Assistant on the former system brings the problem back.
So whatever macOS is doing, the bug has to be related to some stateful data, something that Migration Assistant itself brings over when migrating. Presumably it is some kind of ACL or special permissions thing somewhere on something, but what and where is hard to know.
That a brand new fresh install followed by Migration Assistant does not result in a usable system is frustrating indeed.
- On 2013 Mac Pro, rebooted into recovery mode and ran Disk Utility First Aid—no issues found. Problem remains.
- Reinstalled macOS on the iMac 5K (did not wipe out drive first, did an “install over”). Problem remains.
- Downloaded 10.12.3 combo installer; attempted to install over 10.12.4; this is not permitted.
- On iMac 5K and MacBook Pro, made a brand-new admin account and brand-new standard account, logged into each of those accounts. Problem remains, proving that it is not an account-specific or machine-specific issue.
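
One way to narrow down where the time goes, as an added example that is not part of the original post: it times sudo's pre-password phase next to local user/group lookups, the area the update note at the top suspects. The choice of probes and the 5-second threshold are assumptions, not a confirmed cause.

```bash
#!/bin/bash
# Added diagnostic sketch, not from the original post. Probe choice is an assumption.
THRESHOLD=${THRESHOLD:-5}   # seconds; assumed cut-off for calling a step slow

# elapsed CMD...: run CMD with stdin/stdout/stderr detached, print whole seconds taken.
elapsed() {
    local start end
    start=$(date +%s)
    "$@" </dev/null >/dev/null 2>&1 || true   # exit status is ignored, only time matters
    end=$(date +%s)
    echo $(( end - start ))
}

# report LABEL CMD...: print one timing line; return 1 if CMD took >= THRESHOLD seconds.
report() {
    local label secs
    label=$1; shift
    secs=$(elapsed "$@")
    if [ "$secs" -ge "$THRESHOLD" ]; then
        printf '%-30s %4ss  SLOW\n' "$label" "$secs"
        return 1
    fi
    printf '%-30s %4ss\n' "$label" "$secs"
}

# run_probes: time sudo's pre-prompt phase next to local user/group lookups.
run_probes() {
    local slow=0
    # -k ignores cached credentials and -n fails instead of prompting, so the
    # measured time is whatever sudo does before it would ask for a password.
    report "sudo before password prompt" sudo -k -n true || slow=$((slow + 1))
    report "id: resolve own groups" id -Gn || slow=$((slow + 1))
    report "dscacheutil: admin group" \
        dscacheutil -q group -a name admin || slow=$((slow + 1))
    report "dscl: admin membership" \
        dscl . -read /Groups/admin GroupMembership || slow=$((slow + 1))
    echo "slow steps: $slow"
}

# The probes use macOS tools; on other systems the functions are only defined.
if [ "$(uname -s)" = "Darwin" ]; then run_probes; fi
```

If only the sudo line is marked SLOW, the delay sits inside sudo itself rather than in the group lookups it shares with `id` and the directory tools.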
So I went to some hours of effort to clone back macOS 10.12.3 on the Mac Pro then do a reinstall on top of that, it being my critical machine.
Only to find that macOS 10.12.4 had mangled my mail data to a new format (and what other data did it mangle?). So even now running macOS 10.12.3, Mail is now unusable. I could whack my mail with a backup from yesterday, losing an entire day’s mail. There is no way to merge easily. But what else did macOS 10.12.4 mangle? Or I can somehow put up with macOS 10.12.4. Shame on Apple for having a minor OS update mangle user data. Photos libraries are also mangled. Perhaps other things too, but by luck I used only Mail and Photos after the install.
I opted to lose a day’s mail. But to do so, I could not use Finder copy; the Finder generated errors copying, as is its wont with any large copy. I had to use Carbon Copy Cloner folder-to-folder cloning.
Other user reports
As of 29 March, two readers report no issues with sudo.
As with all bugs, there must be a cause for it to happen on all three of my Macs (Mac Pro, iMac 5K, MacBook Pro), even after a system reinstall and after creating a new user account (see what I tried, above).
Two Bonus bugs!
Bug #1 (shown below): Rebooting made this one go away, but it indicates something additional may be broken as well. This error never happened previously, only with 10.12.4.
Bug #2: Creating a new user does not show it in Users & Groups. I created a new admin user, and this user is not shown, yet the folder is right there in /Users. Nor could the new user be used to login. I had to remove it using 'sudo', which of course took 5 minutes!
Apple BugReporter filed
The last bug that I filed at Apple, it took 6 weeks to get a response. I am hoping for something quicker this time. Apple Bug Report #31307973.
Status +14 days: it took Apple 15 calendar days to even look at the bug (April 13 vs March 28), with this result: Duplicate of 30585368 (Open). Maybe Apple has so many bugs that it takes 2 weeks even to look at a new bug?
Searching for 30585368 in BugReporter, no such bug can be found (“No problems were found that match the search criteria”). Well, that’s frustrating.