KISS

Keep It Simple Stupid

OSX: `sudo` with insults


I’ve had this line in my /etc/sudoers file for years:

Defaults insults

It enables the insults option, which prints a funny message instead of the boring “Sorry, try again” when you type an incorrect password for sudo. The man page says:

If set, sudo will insult users when they enter an incorrect password. This flag is off by default.

I noticed that it stopped working quite a while ago — I don’t remember seeing the insults in OSX 10.11.6, nor now in 10.13.3.

There is an easy and straightforward explanation in this StackExchange answer: https://apple.stackexchange.com/questions/257405/how-do-i-install-sudo-insults-on-mac/257430#257430 — Apple has been building sudo without this option for a while now (why?!). Here is a way to verify it:

$ sudo strings /usr/bin/sudo | fgrep -- '--with'
--with-password-timeout=0 --disable-setreuid --with-env-editor --with-pam --with-libraries=bsm --with-noexec=no --sysconfdir=/private/etc --without-lecture --enable-static-sudoers --with-rundir=/var/db/sudo

The output doesn’t contain any --with-*insults option. You will need these options again in the build step below.

The answer gives instructions for building your own version with the flag enabled. The steps below slightly extend those instructions, serve as a backup, and also inform you, the reader, about this possibility in case you use OSX and want to do the same.

Nota bene: Make a system backup first!

0. Manual backup

A manual backup of the binaries is useful as well:

$ sudo cp /usr/bin/sudo{,.bkp}
$ sudo cp /usr/sbin/visudo{,.bkp}

1. Prepare directory

cd into a directory where you’ll build sudo:

$ mkdir ~/src
$ cd ~/src

2. Get the source

Go to https://opensource.apple.com/ and find the link for your OSX version; for example, https://opensource.apple.com/release/macos-10133.html is for OSX 10.13.3. Find the source archive for sudo, download it, and extract it:

$ curl -O https://opensource.apple.com/tarballs/sudo/sudo-86.tar.gz
$ tar xvzf sudo-86.tar.gz

3. Build

Configure, build, and install sudo. If you just want to enable the insults, you can paste all the original build options from the output above and add two more: --with-all-insults and --prefix=/usr. The latter says we want to install everything into /usr, overwriting the system sudo:

$ cd sudo-86/sudo/
$ ./configure --with-all-insults --prefix=/usr --with-password-timeout=0 --disable-setreuid --with-env-editor --with-pam --with-libraries=bsm --with-noexec=no --sysconfdir=/private/etc --without-lecture --enable-static-sudoers --with-rundir=/var/db/sudo
$ make -j
$ sudo make install

If the sudo make install command fails, you need to disable System Integrity Protection first: reboot into Recovery Mode (hold Cmd+R during boot), launch Terminal, and run csrutil disable.

4. Enable the option

If you don’t have the Defaults insults line in your /etc/sudoers yet, type sudo visudo and add it.

5. Try it

Force sudo to ask you for the password and see what it prints:

$ sudo --remove-timestamp
$ sudo ls /
Password:
He has fallen in the water!
Password:
We'll all be murdered in our beds!

Also note

The custom-built sudo is very likely to be overwritten on system update, when a newer sudo is installed. I haven’t come up with any automated way to monitor the binary since it should happen rather rarely. And I don’t even know whether it’s possible to somehow automagically patch and install custom sudo when an update brings a newer version. It would be nice to have something similar to Linux’s DKMS, which automagically rebuilds kernel modules when a new kernel is installed.
