Bee Careful With Sudo
02 Mar 2023 8:39 PM macos sudo shell nixos
The first time you use sudo on a macOS system (it’s probably been so long you don’t even remember it!), you’re presented with the following message:
WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
and a password prompt.
One of my friends has this prompt set up:
Obviously, I had to set it up.
This message is called the “sudoers lecture”, and by default it’s shown once per user account (sudo remembers who has already been lectured by touching a per-user file in its lecture_dir; see sudoers(5)). The default lecture text lives in /etc/sudo_lecture.
They use NixOS, so it’s really easy to configure the message and the desired behavior. Add the following to your /etc/nixos/configuration.nix (or somewhere in your flake, etc.):
security.sudo.extraConfig = ''
  # echo an asterisk for each typed password character
  Defaults pwfeedback
  # lecture on every sudo, not just the first one
  Defaults lecture = always
  # the path interpolation copies sudoers.txt into the Nix store and expands to its store path
  Defaults lecture_file = ${./sudoers.txt}
'';
and put the new sudoers lecture file next to that .nix file as sudoers.txt.[1]
macOS
But we’re on macOS, and because it’s not a declarative operating system, we’ve gotta do some manual configuration.
Grab that same new sudoers lecture file.[2] I saved it to /etc/sudo_lecture_bee so that I didn’t overwrite the default message, but you could just overwrite the message. Then you need to edit /etc/sudoers so that it contains the following:
Defaults lecture_file = "/etc/sudo_lecture_bee"
Defaults lecture=always
Defaults pwfeedback
You should use visudo for this! It locks the file and refuses to save a sudoers that doesn’t parse. If you screw up your sudoers file some other way, you won’t be able to sudo… including to fix the sudoers file itself. So sudo visudo, and then include those lines. (If you’d rather not touch the main file, sudo visudo -f /etc/sudoers.d/lecture puts them in a drop-in; the stock macOS sudoers already has an #includedir line for /private/etc/sudoers.d.) Note that the last line is optional, but this way you can see * being typed when you’re putting in your password. The trade-off is that anyone looking at your screen now learns how long your password is, and pwfeedback was the site of a real sudo bug in the past (CVE-2019-18634, a stack buffer overflow fixed in sudo 1.8.31), so make sure you are on a current sudo before turning it on.
Then try sudo -k (drop your cached credentials) followed by sudo -v (re-authenticate without running anything). You should get the lecture and the password prompt!
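The whole macOS procedure, packaged as one script, as an added example (this is not code from the original post). It checks the lecture file before installing it, because a file described as “ASCII text, with escape sequences” should contain nothing but SGR colour codes (ESC [ … m); any other escape or control byte, such as an OSC title-setting sequence or a BEL, is a reason to stop and look at the file. It then generates the three Defaults lines, validates them with visudo -c -f before they go anywhere near /etc, installs them as a sudoers.d drop-in, and runs the sudo -k / sudo -v test. Assumptions: the lecture file is installed at /etc/sudo_lecture_bee, the drop-in is named /etc/sudoers.d/lecture, and your /etc/sudoers still carries the stock #includedir /private/etc/sudoers.d line.

```shell
#!/bin/sh
# bee-sudo.sh: vet and install a custom sudoers lecture on macOS.
# Added example, not from the original post. Usage:
#   sh bee-sudo.sh install ./sudoers.txt
set -eu

ESC=$(printf '\033')

# Return 0 if FILE holds only printable text, whitespace and SGR colour
# sequences (ESC [ digits/semicolons m); return 1 if anything else remains
# after those sequences are stripped (other escapes, BEL, NUL, ...).
lecture_is_clean() {
    f=$1
    if LC_ALL=C sed "s/${ESC}\[[0-9;]*m//g" "$f" \
        | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        return 1
    fi
    return 0
}

# Print the sudoers Defaults lines for LECTURE_PATH. Pass "pwfeedback" as
# the second argument to also enable the asterisk echo (optional, see text).
sudoers_dropin() {
    printf 'Defaults lecture_file = "%s"\n' "$1"
    printf 'Defaults lecture = always\n'
    if [ "${2:-}" = "pwfeedback" ]; then
        printf 'Defaults pwfeedback\n'
    fi
}

# Install SRC as the lecture and a validated sudoers.d drop-in (needs sudo).
install_lecture() {
    src=$1
    lecture_is_clean "$src" || {
        echo "refusing: $src contains control bytes other than SGR colours" >&2
        return 1
    }
    # root-owned, world-readable, not world-writable
    sudo install -o root -g wheel -m 0644 "$src" /etc/sudo_lecture_bee
    tmp=$(mktemp)
    sudoers_dropin /etc/sudo_lecture_bee pwfeedback > "$tmp"
    # visudo -c -f parses the candidate file and exits non-zero on a syntax
    # error, so a typo never reaches /etc/sudoers.d (set -e aborts here).
    sudo visudo -c -f "$tmp"
    # sudoers.d files must be root:wheel 0440 and contain no '.' or '~' in the name
    sudo install -o root -g wheel -m 0440 "$tmp" /etc/sudoers.d/lecture
    rm -f "$tmp"
    # drop cached credentials, then re-authenticate: the lecture should appear
    sudo -k
    sudo -v
}

case "${1:-}" in
    install) install_lecture "${2:?path to lecture file}" ;;
esac
```

Run it without arguments and nothing is touched; the functions are only defined. lecture_is_clean is deliberately strict: a lecture that uses cursor movement or other non-SGR sequences will be rejected, and that is the point, since sudo prints this file to your terminal as root every time you authenticate.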
[1] You should verify that this file is actually what I say it is! I use file, which reports “ASCII text, with escape sequences”, and then I bat or cat it to see that it’s what I expect. Because it does contain escape sequences, use cat -v (or bat -A) so that they are displayed literally instead of being interpreted by your terminal. You can also hexdump it if you’re especially concerned. I’ll also note here that the MD5 hash is f1437dc8bb357d1a3b049e006a6349ef and the SHA-1 hash is e85d3529ad2a7a84541ba6bc11f7c51f6963ce76. (Neither MD5 nor SHA-1 is collision-resistant any more, so treat these as a check against a truncated or mangled download rather than against a deliberate substitution.) ↩
[2] See above ↩