Newly In Stock: SEE ALL...
Sony Mirrorless wish list • Deals on Sony
$2997 Nikon Z7 II Mirrorless Camera OUT OF STOCK in Cameras: Mirrorless	$2297 Nikon D780 DSLR OUT OF STOCK in Cameras: DSLR	$2997 Nikon D850 DSLR OUT OF STOCK in Cameras: DSLR	$720 ZEISS 32mm f/1.8 Touit Lens for FUJIFILM X OUT OF STOCK in Lenses: Mirrorless	$497 Pentax 70mm f/2.4 HD Pentax DA Limited IN STOCK in Lenses: DSLR

Highly Recommended!
External SSD wish list • Deals on OWC
$220 SAVE $130 = 37.0% Western Digital 16.0TB Western Digital Ultrastar DC HC550 3.5-in… in Storage: Hard Drives	$680 OWC 2.0TB OWC Atlas Ultra CFexpress 4.0 Type B Memory Card in All Other Categories	$580 OWC 4.0TB OWC Envoy Pro Elektron USB-C Portable NVMe SSD in All Other Categories	$630 OWC 4.0TB OWC Express 1M2 USB4 (40Gb/s) Bus-Powered Portable NVM… in All Other Categories	$2380 OWC 72.0TB OWC ThunderBay 4 Four-Drive Thunderbolt External Stor… in All Other Categories

Solution for sudo hang problem in macOS 10.12.4

2017-04-07 • SEND FEEDBACK |

Related: Apple, Apple Core Rot, Apple macOS, command line, sudo, Terminal.app

See Caution on macOS 10.12.4: sudo is broken, sudo hangs before password for nearly 5 minutes.

The sudo hang problem literally cost me days of wasted time. I had to laboriously revert my 2013 Mac Pro to 10.12.3, no trivial thing given the data loss of losing email, since Apple mangles mail as part of “upgrading” in a minor release. I spent many more hours doing a complete manual erase/reinstall/restore data/apps/config on my MacBook Pro.

I could not find a solution prior to leaving on a weeklong trip, but I have now returned and finally narrowed down the cause to a single line in in /etc/sudoers. How that line got there I do not know (I never added it). Perhaps a remnant from bygone days. The fix confirms my original theory of it being some configuration issue.

The fix

This fix worked for the iMac 5K and the Mac Pro, so it is not machine-specific.

For security reasons it is a bad idea to just paste some replacement /etc/sudoers file without understanding it in full, so I did not want to do that. Instead I went sleuthing, commenting out lines until I found the problem line or lines.

It turns out that one line in /etc/sudoers was causing sudo to hang on the 2015 iMac 5K and 2015 MacBook Pro:

%users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload <=== responsible for sudo hang

Comment it out like this, and all is well:

# %users ALL= NOPASSWD: /sbin/kextload, /sbin/kextunload <== comment out and all is well

Why was that line there? I don’t know, and I do not recall ever adding it. That this problematic line was there as long ago as July 2013 (nearly 4 years ago!) can be see in Extending the 'sudo' Timeout. So clearly Apple changed and broke something, since nothing had gone wrong until 10.12.4.

As a precaution, since the presence of that line is odd, I validated all my kernel extensions. I found one or two not code signed (printer drivers, old Accelsior driver), but nothing amiss. Look for "signed" to find unsigned kext in the output from this command in Terminal:

kextutil -entZ /System/Library/Extensions/*.kext /Library/Extensions/*.kext

Fresh 'stock' sudoers file

I highly recommend TextWrangler and BBEdit (free 30 day trial), they are among my most-used tools. I actually prefer the free TextWrangler for its greater simplicity, but it is being sunsetted in favor of BBEdit.

This file is an unmodified version of what macOS 10.12.4 installs on a fresh erase/install. To use it, open /etc/sudoers using TextWrangler (it shows hidden files in its Open dialog), and then select-all / delete / paste this file and save.

Copy this text and paste into a plain-text window first (in order to make sure nothing is added or lost or changed after copying from this web page). Lines that begin with a # are harmless comments.

#-------------------- use contents below --------------------
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.

##
# Override built-in defaults
##
Defaults	env_reset,timestamp_timeout=120
Defaults	env_keep += "BLOCKSIZE"
Defaults	env_keep += "COLORFGBG COLORTERM"
Defaults	env_keep += "__CF_USER_TEXT_ENCODING"
Defaults	env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults	env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults	env_keep += "LINES COLUMNS"
Defaults	env_keep += "LSCOLORS"
Defaults	env_keep += "SSH_AUTH_SOCK"
Defaults	env_keep += "TZ"
Defaults	env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults	env_keep += "EDITOR VISUAL"
Defaults	env_keep += "HOME MAIL"

Defaults	lecture_file = "/etc/sudo_lecture"
##
# User alias specification
##
# User_Alias	FULLTIMERS = millert, mikef, dowdy

##
# Runas alias specification
##
# Runas_Alias	OP = root, operator

##
# Host alias specification
##
# Host_Alias	CUNETS = 128.138.0.0/255.255.0.0
# Host_Alias	CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
# Host_Alias	SERVERS = master, mail, www, ns
# Host_Alias	CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
# Cmnd_Alias	PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root		ALL = (ALL) ALL
%admin		ALL = (ALL) ALL

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
#-------------------- use contents above --------------------