[sudo-users] Strange behavior on macOS 12.0.1 (21A559)

Benjamin Burke benjaminburke at me.com
Fri Nov 12 02:21:56 MST 2021


Hello list,

I'm seeing some strange behavior with sudo and I'm wondering if anyone has seen this before or has some suggested troubleshooting steps that I should try before I make a bug report to this project and/or Apple.

I have two Intel MacBooks running with the latest version of macOS 12.0.1 (21A559). One of them has this problem and the other does not. The problem is that sudo doesn't prompt for a password but it acts like it has -- it acts like it has received several invalid password attempts. This happens immediately.

% sudo date
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

% sudo -A date     
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

This is interesting because on the computer with working sudo the above results in the error:
"sudo: no askpass program specified, try setting SUDO_ASKPASS"

% sudo -V
Sudo version 1.9.5p2
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p2
% which sudo       
/usr/bin/sudo
% stat /usr/bin/sudo 
16777220 1152921500312808744 -r-s--x--x 1 root wheel 0 1217168 "Oct 18 05:30:38 2021" "Oct 18 05:30:38 2021" "Oct 18 05:30:38 2021" "Oct 18 05:30:38 2021" 4096 1160 0x80020 /usr/bin/sudo
# shasum -a 256 /usr/bin/sudo
fa6d5f2fc917852b87e33dbc30226aef316f0c7d206f770b2667d1c25ab7e38b  /usr/bin/sudo

All of the above are the same on both computers.

I can rule out several things:

* I'm running the real sudo command, not an alias, shell function, or other item in my path
* Stdin is a tty, not a closed file
* There's no sudo.conf
* sudoers is unchanged
* The user is an administrator of the computer and appears in the correct groups
* Running from a filtered environment doesn't fix it: "env - PATH=/bin:/usr/bin /bin/sh" then "/usr/bin/sudo date" has the same problem
* On the broken computer I can still use AppleScript to get a root shell:

osascript -e 'do shell script "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal" with administrator privileges'

With the above I get a GUI-based password prompt, then a terminal running as root. This should further confirm that the user has the correct administrator status.

I do have to admit that there are things on both these computers which could in theory complicate this issue. I use YubiKeys on both, with OpenSC for PIV-based ssh. I have also paired the YubiKeys to macOS so I can typically authenticate with the YubiKey and a macOS PIN prompt. But again, both computers are the same in this respect and one has no issues with sudo.

I tried dtrace / dtruss on the pid of the shell (with the "follow children" option enabled), then I invoked sudo in that shell. The result didn't produce anything that jumped out to me like a syscall with an error.

The version of sudo used in macOS 12 has not hit Apple's open source site yet. I glanced at the macOS 11 version and I'm not sure if we're reaching the sudo_conversation function.

Any thoughts on what I should try?

Thanks,
Ben Burke

