Yes, it happens for everyone. Updates overwrite the file. TJ Luoma has a longer discussion of it and wrote a script that makes the changes.
There can be a permissions change to the file, depending on how you edit it. /etc/pam.d/sudo is owned by user root and group wheel. By default, it has permissions
-r--r--r--
If I make the change to the file in BBEdit, it changes the permissions to
-r--r--r--@
where the @ means extended attributes have been added to the file. In this case, it’s a text encoding attribute. The permissions change doesn’t seem to affect the behavior of the setting, but it can be removed by
It’s a cool feature, for sure, but personally I’d lean towards thinking through if you should be using sudo on your Mac often enough to need it. I’ve found that the only time I really need sudo is when I’m setting up a new Mac and installing Homebrew.
I’ll bet the guys often using the sudo command know what they are doing and aren’t using it more often than they need to.
It depends on your approach to a Mac. Many Mac users never need or use sudo and appreciate that macOS insulates them from the need to deal with their Mac as a UNIX machine.
But others spend time at a terminal prompt and appreciate convenience in that experience also.
For anything systemwide or dealing with configs in the terminal, it’s sudo.
update MacTeX: sudo tlmgr update --all
I use MacPorts a lot: sudo port selfupdate;sudo port upgrade outdated;sudo port reclaim;sudo port uninstall leaves;sudo port clean installed;sudo port reclaim
and so on
But, I agree, no need to use the shell at all. Then you will never see or use sudo. Which also applies to many modern Linux distributions.
I rarely use sudo on my Mac, but I use it frequently on my VPS. I have been mulling for a while if there is a way to have local Touch ID provide the password via the SSH session.
Just use SSH keys. Way more secure than username/password.
If you have the same username on your Mac and VPS:
generate a secret/public key pair with: ssh-keygen -t rsa -b 4096 (RSA 4096 is secure. But we are moving towards EdDSA. In that case: ssh-keygen -t ed25519 -a 100). Leave “passphrase” empty.
copy the public key to your VPS with: ssh-copy-id username@servername
That’s a good use case for sudo, but there might be a different way to do it once like sudo chown -R my_username /usr/local/ or wherever you are installing MacTeX to. Or, follow the instructions here to install to your ~/Library. I don’t use TeX anymore so I can’t say for sure.
I’d suggest moving to Homebrew. Again, run sudo once to get it set up, then you never have to run it again because your username owns the directory all your packages are installed to. brew list | wc -l on my MBP says I’ve got 52 packages installed that I use every day.
But, I agree, no need to use the shell at all. Then you will never see or use sudo. Which also applies to many modern Linux distributions.
Not quite what I was getting at, but yes, most folks will never open the terminal. Is it finally The Year of Linux on the Desktop?
Anyway! To each their own. I of all people understand finding a workflow that works for you and sticking with it.
Well, if you are brave you can always sudo su -, that’ll give you a root shell, then set your username to not need a password to use sudo in vi sudoers. But, eh, caveat emptor.
At the risk of extending a thread that seems to have reached its natural conclusion, I’m going to open my mouth and say that too much emphasis is put on the dangers of sudo—for single-user machines, at least.
Not that sudo isn’t dangerous. But the really valuable stuff on my computer is in my home directory, and I can destroy that without any superuser privileges.
I do use keys for ssh to the VPS and now have 1Password providing the agent for that. It’s glorious. But my point was about sudo on the VPS. When I need that (reasonably often), I have to type my VPS account’s password. I know it really well and can type it flawlessly about 85% of the time, but those 15% make me want to be able to just use biometrics.
Sorry, got it wrong. For non-critical stuff, I just disable the password request for sudo.
root login is disabled
username/password disabled, only strong SSH key
then it really doesn’t matter if sudo is password-less (virtual instances running Homebridge, Plex, etc.). If anybody goes beyond the SSH key login…feel free to reconfigure my lamps.
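Added example (not part of the thread or any poster's own script): a shell check of the two SSH conditions listed in the last post, plus the keyboard-interactive and public-key settings, run against effective-config text in the format printed by `sshd -T`. The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input in the "keyword value" format printed by `sshd -T`.
SAMPLE_GOOD='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

SAMPLE_BAD='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Print the value of lowercase keyword $2 found in config text $1.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Print FAIL and return 1 unless keyword $2 in config text $1 equals $3.
expect_kw() {
    got=$(sshd_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2=${got:-unset} (want $3)"
    return 1
}

# Return 0 only when logins are key-only and root login is off.
ssh_key_only() {
    rc=0
    expect_kw "$1" permitrootlogin no || rc=1
    expect_kw "$1" passwordauthentication no || rc=1
    # Keyboard-interactive can still ask for a password through PAM.
    # Assumption: the sshd in use prints this keyword; if it is absent the
    # check fails closed.
    expect_kw "$1" kbdinteractiveauthentication no || rc=1
    expect_kw "$1" pubkeyauthentication yes || rc=1
    [ "$rc" -eq 0 ] && echo "OK key-only login, root login disabled"
    return "$rc"
}

# Demo on the constructed samples; on a real host: ssh_key_only "$(sudo sshd -T)"
ssh_key_only "$SAMPLE_GOOD"
ssh_key_only "$SAMPLE_BAD" || true
```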