The sudo hang problem literally cost me days of wasted time. I had to laboriously revert my 2013 Mac Pro to 10.12.3, no trivial thing given the data loss of losing email, since Apple mangles mail as part of “upgrading” in a minor release. I spent many more hours doing a complete manual erase/reinstall/restore data/apps/config on my MacBook Pro.
I could not find a solution prior to leaving on a weeklong trip, but I have now returned and finally narrowed down the cause to a single line in /etc/sudoers. How that line got there I do not know (I never added it). Perhaps a remnant from bygone days. The fix confirms my original theory of it being some configuration issue.
This fix worked for the iMac 5K and the Mac Pro, so it is not machine-specific.
For security reasons it is a bad idea to just paste some replacement /etc/sudoers file without understanding it in full, so I did not want to do that. Instead I went sleuthing, commenting out lines until I found the problem line or lines.
It turns out that one line in /etc/sudoers was causing sudo to hang on the 2015 iMac 5K and 2015 MacBook Pro:
%users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload <=== responsible for sudo hang
Comment it out like this, and all is well:
# %users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload <== comment out and all is well
Why was that line there? I don’t know, and I do not recall ever adding it. That this problematic line was there as long ago as July 2013 (nearly 4 years ago!) can be seen in Extending the 'sudo' Timeout. So clearly Apple changed and broke something, since nothing had gone wrong until 10.12.4.
As a precaution, since the presence of that line is odd, I validated all my kernel extensions. I found one or two not code signed (printer drivers, old Accelsior driver), but nothing amiss. Look for "signed" to find unsigned kexts in the output from this command in Terminal:
kextutil -entZ /System/Library/Extensions/*.kext /Library/Extensions/*.kext
Fresh 'stock' sudoers file
I highly recommend TextWrangler and BBEdit (free 30-day trial); they are among my most-used tools. I actually prefer the free TextWrangler for its greater simplicity, but it is being sunsetted in favor of BBEdit.
This file is an unmodified version of what macOS 10.12.4 installs on a fresh erase/install. To use it, open /etc/sudoers using TextWrangler (it shows hidden files in its Open dialog), and then select-all / delete / paste this file and save.
Copy this text and paste into a plain-text window first (in order to make sure nothing is added or lost or changed after copying from this web page). Lines that begin with a # are harmless comments.
#-------------------- use contents below --------------------
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.

##
# Override built-in defaults
##
Defaults env_reset,timestamp_timeout=120
Defaults env_keep += "BLOCKSIZE"
Defaults env_keep += "COLORFGBG COLORTERM"
Defaults env_keep += "__CF_USER_TEXT_ENCODING"
Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults env_keep += "LINES COLUMNS"
Defaults env_keep += "LSCOLORS"
Defaults env_keep += "SSH_AUTH_SOCK"
Defaults env_keep += "TZ"
Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "HOME MAIL"

Defaults lecture_file = "/etc/sudo_lecture"

##
# User alias specification
##
# User_Alias FULLTIMERS = millert, mikef, dowdy

##
# Runas alias specification
##
# Runas_Alias OP = root, operator

##
# Host alias specification
##
# Host_Alias CUNETS = 188.8.131.52/255.255.0.0
# Host_Alias CSNETS = 184.108.40.206, 220.127.116.11/24, 18.104.22.168
# Host_Alias SERVERS = master, mail, www, ns
# Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
# Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
#-------------------- use contents above --------------------
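As an alternative to commenting out lines one at a time, the following added example (not code from the original post) lists every active NOPASSWD rule in a sudoers file, narrows the list to rules covering kextload or kextunload, and wraps the visudo syntax check that a pasted replacement file should pass before it is saved. The function names, the sample file and its %staff rule are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Paths and sample are assumptions.

# active_nopasswd FILE: print "LINE: rule" for each uncommented NOPASSWD rule.
active_nopasswd() {
    awk '
        buf == "" && /^[ \t]*#/ { next }      # comment or #include directive
        /\\$/ {                               # rule continues on the next line
            if (buf == "") first = NR
            sub(/[ \t]*\\$/, " "); buf = buf $0; next
        }
        {
            rule = buf $0; n = (buf == "") ? NR : first; buf = ""
            if (rule ~ /NOPASSWD[ \t]*:/) printf "%d: %s\n", n, rule
        }
    ' "$1"
}

# kext_grants FILE: keep only rules that cover kextload or kextunload.
kext_grants() {
    active_nopasswd "$1" | grep -E '/sbin/kext(un)?load([ ,]|$)' || true
}

# check_syntax FILE: parse FILE with visudo in check-only mode (-c) so a
# candidate can be verified before it replaces /etc/sudoers.
check_syntax() {
    visudo -c -f "$1"
}

# Constructed sample: the rule from the post (active, then commented out) and
# a hypothetical %staff rule split across two lines.
write_sample() {
    cat > "$1" <<'EOF'
# Sample /etc/sudoers file.
Defaults env_reset
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
%users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload
# %users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload
%staff ALL= NOPASSWD: /usr/bin/true, \
    /usr/bin/false
#includedir /private/etc/sudoers.d
EOF
}

sample=$(mktemp)
write_sample "$sample"
kext_grants "$sample"    # prints: 5: %users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload
rm -f "$sample"
```

Files under the #includedir directory are not followed by the two listing functions, so run them on each drop-in file as well.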