On macOS, many system-level operations require elevated privileges that your normal user account does not have. The sudo command (short for “superuser do”) lets you run commands with root-level access from the Terminal. This guide covers basic and advanced sudo usage, the sudoers configuration file, enabling Touch ID for sudo authentication, and macOS-specific security considerations.
Basic sudo Usage
Running a Single Command as Root
Prefix any command with sudo to run it with root privileges:
# Install a signed .pkg with Apple's installer command (it writes to system paths).
# Homebrew itself must not be run with sudo; brew refuses to run as root.
sudo installer -pkg /path/to/package.pkg -target /
# Edit a system configuration file
sudo nano /etc/hosts
# Change file ownership
sudo chown root:wheel /usr/local/bin/myapp
# Restart a system service
sudo launchctl kickstart -k system/com.apple.mDNSResponder
When you run sudo for the first time in a terminal session, it prompts for your own account password (there is no separate root password to know). After authentication, sudo caches the result for 5 minutes (configurable, and tracked per terminal), so subsequent sudo commands in that terminal within the window do not ask again.
Opening an Elevated Shell
If you need to run multiple commands with root privileges:
# Open a root shell: your own $SHELL run as root, in the current directory
# (sudo still sanitizes the environment according to env_reset)
sudo -s
# Open a root login shell: root's shell, home directory and login environment
sudo -i
# Exit the root shell when done
exit
While in a root shell, every command runs with full system privileges. Be cautious — there are no safety nets for commands like rm -rf.
Running a Command as a Different User
# Run a command as a specific user
sudo -u _www /usr/bin/some-command
# Open a shell as a different user
sudo -u another_user -s
Common sudo Commands on macOS
System Administration
# Flush the DNS cache
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
# Restart networking
sudo ifconfig en0 down
sudo ifconfig en0 up
# Show listening ports
sudo lsof -iTCP -sTCP:LISTEN -P
# Repair disk permissions (OS X Yosemite 10.10 and earlier only; El Capitan removed
# the operation, since SIP now fixes the permissions of system files)
sudo diskutil repairPermissions /
# Start/stop services via launchctl. load/unload are the legacy subcommands; on
# current macOS the equivalents are bootstrap/bootout against the system domain
sudo launchctl load /Library/LaunchDaemons/com.example.myservice.plist
sudo launchctl unload /Library/LaunchDaemons/com.example.myservice.plist
File System Operations
# Write to a protected directory
sudo cp myfile.conf /etc/
# Edit protected files
sudo nano /etc/apache2/httpd.conf
sudo vim /etc/ssh/sshd_config
# Change permissions on system files
sudo chmod 644 /etc/hosts
Package and Software Management
# Install Xcode command line tools (no sudo needed: it opens a GUI installer prompt)
xcode-select --install
# Accept Xcode license
sudo xcodebuild -license accept
# Install a .pkg file
sudo installer -pkg /path/to/package.pkg -target /
Understanding the sudoers File
The /etc/sudoers file controls who can use sudo and what they can do with it. On macOS, the default configuration allows members of the admin group to run any command via sudo.
Viewing the sudoers File
# Always use visudo to edit sudoers (validates syntax)
sudo visudo
# View without editing
sudo cat /etc/sudoers
Never edit /etc/sudoers directly with a text editor. visudo locks the file, opens it in your editor, and checks the syntax before installing the result; a syntax error written any other way can lock you out of sudo entirely. To check the current file without opening an editor, run visudo with the -c flag. sudo also refuses to run at all if the file is writable by anyone but root, so leave it at mode 0440, owned by root:wheel.
Default macOS sudoers Configuration
The key line in the macOS sudoers file is:
%admin ALL=(ALL) ALL
Read left to right: any member of the admin group (%admin), on any host (the first ALL; hosts only matter when one sudoers file is shared across machines), may run as any target user ((ALL)) any command (the last ALL). Members still have to enter their own password.
Adding Custom sudoers Rules
For more granular control, put rules in their own files under /etc/sudoers.d/ rather than editing the main file. The macOS sudoers file pulls that directory in with an includedir directive. sudo ignores any file there whose name contains a dot or ends in a tilde, and expects the files to be root-owned and mode 0440 (visudo -f takes care of this):
# Create a custom sudoers rule file
sudo visudo -f /etc/sudoers.d/custom-rules
Example rules:
# Allow a user to restart Apache without a password. The rule matches the full
# command line, so john can run exactly "apachectl restart" and nothing else.
john ALL=(root) NOPASSWD: /usr/sbin/apachectl restart
# Allow a group to run a specific script. The script must be owned by root and not
# writable by group or others; otherwise anyone who can edit it effectively has root.
%developers ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh
# Allow a user to run any command without a password. This is the same as handing
# jane the root account; avoid it outside throwaway machines.
jane ALL=(ALL) NOPASSWD: ALL
Changing the sudo Timeout
By default, sudo remembers your password for 5 minutes. To change this:
sudo visudo
Add or modify:
Defaults timestamp_timeout=15
The value is in minutes. Set it to 0 to require a password on every sudo invocation, or to -1 so the ticket never expires until you run sudo -k or reboot. The ticket is per terminal by default, and any process running under your account in that terminal can reuse it while it is valid, which is why a short timeout is the safer setting.
Touch ID for sudo
On Macs with Touch ID, you can authenticate sudo with your fingerprint instead of typing your password.
macOS Sonoma and Later
Starting with macOS Sonoma, /etc/pam.d/sudo includes a separate file, /etc/pam.d/sudo_local, that Apple leaves alone during system updates. Apple ships a commented-out version as /etc/pam.d/sudo_local.template; either copy that file to sudo_local and uncomment its pam_tid.so line, or create the file yourself:
# Create or edit the sudo_local file
sudo nano /etc/pam.d/sudo_local
Add this line:
auth       sufficient     pam_tid.so
Save the file. The next time you use sudo in Terminal, you will be prompted for Touch ID, with the password prompt as the fallback: sufficient means a Touch ID success is enough on its own, while a failure or a cancel falls through to the next module.
Older macOS Versions
On versions before Sonoma, edit the main sudo PAM configuration:
sudo nano /etc/pam.d/sudo
Add auth sufficient pam_tid.so as the first line (PAM tries the auth modules in order, so it must come before pam_opendirectory.so, or the password prompt appears first):
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
Note: On older macOS versions, system updates may overwrite /etc/pam.d/sudo and you will need to re-add the Touch ID line. The sudo_local approach on Sonoma persists across updates.
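The two procedures above differ only in which file gets the line, and both need redoing or checking after updates on older systems. The script below is an added example (not from the original guide) that picks the right file by looking for the include of sudo_local in /etc/pam.d/sudo, inserts the pam_tid.so line at the top only if no active one is there, and is therefore safe to re-run after every update. The --apply flag and the Darwin check are assumptions of this script, added so the file-editing logic can be exercised on a copy of the PAM directory without touching the system.

```shell
#!/bin/sh
# Added example, not the guide's own code: enable Touch ID for sudo idempotently
# on either generation of macOS.
set -u

TID_LINE='auth       sufficient     pam_tid.so'

# Print the file that should carry the pam_tid.so line. PAM_DIR defaults to
# /etc/pam.d and is a parameter only so the logic can be tested on a copy.
touchid_target() {
    pam_dir=${1:-/etc/pam.d}
    if grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+sudo_local' "$pam_dir/sudo" 2>/dev/null; then
        echo "$pam_dir/sudo_local"      # Sonoma and later: update-proof file
    else
        echo "$pam_dir/sudo"            # older releases: the main file itself
    fi
}

# Return 0 if FILE already has an active (uncommented) pam_tid.so auth line.
# The commented-out line in sudo_local.template does not count.
has_pam_tid() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1" 2>/dev/null
}

# Put TID_LINE at the top of FILE, creating it if needed. PAM tries auth modules in
# order, so the line must precede pam_opendirectory.so or the password prompt wins.
# Returns 0 if the file was changed, 1 if it was already configured.
ensure_pam_tid() {
    f=$1
    has_pam_tid "$f" && return 1
    tmp=$(mktemp) || return 2
    {
        printf '%s\n' "$TID_LINE"
        [ -f "$f" ] && cat "$f"
    } > "$tmp"
    # cat into the existing file rather than mv, so its owner and mode are preserved
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Only touch the real system when asked to, and only on macOS.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = --apply ]; then
    target=$(touchid_target)
    if ensure_pam_tid "$target"; then
        echo "pam_tid.so added to $target"
    else
        echo "$target already has pam_tid.so"
    fi
fi
```

Invoke it as sudo sh touchid-sudo.sh --apply. On a pre-Sonoma Mac the target resolves to /etc/pam.d/sudo, so running the same script after an update restores the line the update removed; on Sonoma and later it reports the file as already configured.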
Touch ID in iTerm2 and Third-Party Terminals
Some terminal emulators do not show the Touch ID prompt for sudo out of the box. In iTerm2 this happens when session restoration is enabled, because the shell then runs under a separate server process that is not attached to your GUI login session, and pam_tid.so cannot present the Touch ID sheet from there. To turn it off:
- Go to Preferences > Advanced
- Search for “Allow sessions to survive logging out and back in”
- Set it to No
Open a new session afterwards; sessions that already exist were started under the old server and keep the old behaviour.
macOS-Specific Security Considerations
System Integrity Protection (SIP)
macOS ships with System Integrity Protection enabled. SIP is enforced by the kernel, so it limits even sudo and root:
- /System, /usr (except /usr/local), /bin, /sbin and /var are protected, along with Apple's preinstalled apps
- System binaries cannot be modified, and kernel extensions load only if they are signed and have been approved
- Apple-signed system processes cannot be debugged, attached to or injected into, even by root
To check SIP status:
csrutil status
Do not disable SIP unless you have a specific, temporary need and understand the security implications. csrutil disable only works from Recovery, which is deliberate: malware that has obtained root still cannot turn SIP off from a running system.
Gatekeeper and Notarization
Running software that is unsigned or not notarized is blocked by Gatekeeper, and sudo by itself does not change that. These commands adjust Gatekeeper's inputs and state:
# Remove the quarantine attribute from a downloaded app. This skips Gatekeeper's
# assessment of the app entirely, so do it only for software you have verified some
# other way (sudo is only needed when your user does not own the bundle)
sudo xattr -r -d com.apple.quarantine /Applications/SomeApp.app
# Turn Gatekeeper assessment back on (the "App Store and identified developers"
# policy) if it has been disabled; --master-disable is the opposite and is deprecated
# in recent releases. spctl --status reports the current state
sudo spctl --master-enable
The Root User Account
macOS has a root user account that is disabled by default. You can enable it, but this is generally not recommended:
To enable (not recommended):
- Go to System Settings > Users & Groups
- Click Edit next to Network Account Server (or open Directory Utility)
- Go to Edit menu > Enable Root User
- Set a strong password
It is safer to use sudo than to enable and log in as root. Every sudo invocation is logged to the unified log with the invoking user, the terminal, the working directory, the target user and the command, which gives you an audit trail that a shared root login cannot. sudo can also be scoped to specific commands, whereas a root login grants everything.
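That audit trail is only useful if someone reads it. The script below is an added example (not from the original guide) that reduces sudo's log records to who ran what, as whom, and whether it succeeded, and flags failures and interactive root shells. sudo writes one record per invocation of the form "user : TTY=... ; PWD=... ; USER=target ; COMMAND=command", with a reason such as "3 incorrect password attempts" or "user NOT in sudoers" inserted after the user name when the attempt failed; the parser keys only on that shape, so the timestamp and process columns that log show prepends are not relied upon. The three SAMPLE lines are constructed to show the format, not real log output, and the log show invocation assumes sudo's records are in the unified log at default or info level.

```shell
#!/bin/sh
# Added example, not the guide's own code: summarize and flag sudo log records.
set -u

# Constructed sample records in the shape sudo logs (not real output).
SAMPLE=$(cat <<'EOF'
2024-05-01 10:00:00.123456+0200 0x2a3f Default 0x0 512 0 sudo: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/nano /etc/hosts
2024-05-01 10:01:12.000000+0200 0x2a40 Default 0x0 513 0 sudo: bob : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/zsh
2024-05-01 10:02:30.000000+0200 0x2a41 Default 0x0 514 0 sudo: mallory : user NOT in sudoers ; TTY=ttys003 ; PWD=/Users/mallory ; USER=root ; COMMAND=/usr/bin/dscl . -read /Groups/admin
EOF
)

# Read log lines on stdin; print one tab-separated row per sudo record:
#   user  target-user  status  command
# where status is "ok" or the failure reason sudo logged.
summarize_sudo() {
    awk '
    match($0, /[^ ]+ : ([^;]* ; )?TTY=/) {
        msg = substr($0, RSTART)                  # "<user> : ..." to end of line
        user = msg;  sub(/ : .*/, "", user)
        rest = msg;  sub(/^[^ ]+ : /, "", rest)   # what follows the user name
        status = "ok"
        if (rest !~ /^TTY=/) { status = rest; sub(/ ; .*/, "", status) }
        runas = "?"
        if (match(msg, /USER=[^ ;]+/)) runas = substr(msg, RSTART + 5, RLENGTH - 5)
        cmd = "?"
        if ((c = index(msg, "COMMAND=")) > 0) cmd = substr(msg, c + 8)
        printf "%s\t%s\t%s\t%s\n", user, runas, status, cmd
    }'
}

# Keep only rows worth a second look: failures, and successful root shells
# (sudo -s and sudo -i log the shell binary as the COMMAND).
flag_sudo_rows() {
    awk -F '\t' '$3 != "ok" || ($2 == "root" && $4 ~ /^\/bin\/(sh|bash|zsh)( |$)/)'
}

# On a Mac: the last hour (or $1, e.g. 24h) of sudo records from the unified log.
sudo_events() {
    log show --predicate 'process == "sudo"' --info --last "${1:-1h}" | summarize_sudo
}

# Run against the constructed sample; sudo_events needs macOS, this does not.
printf '%s\n' "$SAMPLE" | summarize_sudo | flag_sudo_rows
```

On a real machine, sudo_events 24h | flag_sudo_rows is the one-liner; bob's failed attempt and mallory's attempt from a non-admin account both show up, while alice's ordinary edit does not. The same parser works on syslog-style lines from other systems because it ignores everything before the user name.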
Managing Admin Users
Checking Admin Group Membership
# Check if a user is in the admin group
dseditgroup -o checkmember -m username admin
# List the admin group's direct members (nested groups are not expanded here)
dscl . -read /Groups/admin GroupMembership
Granting Admin Access
Via System Settings:
- Open System Settings > Users & Groups
- Click the info button (i) next to the user account
- Toggle Allow user to administer this computer
Via command line:
# Add a user to the admin group
sudo dseditgroup -o edit -a username -t user admin
# Remove a user from the admin group
sudo dseditgroup -o edit -d username -t user admin
Summary
The sudo command is the standard way to run commands with elevated privileges on macOS. Use sudo for individual commands and sudo -s or sudo -i for interactive root shells. Configure the sudoers file with visudo for custom access rules, and enable Touch ID for sudo on supported Macs by editing /etc/pam.d/sudo_local. Remember that macOS System Integrity Protection limits what even root can do, which is by design for security. Always prefer sudo over enabling the root account, as it provides accountability and can be configured with fine-grained permissions.