macos-13 fails with sudo: a terminal is required to read the password

[JarLob]

Description

The run fails with sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

The script does:

sudo sysadminctl -addUser mitmproxyuser -admin
sudo cp mitm_plugin.py /Users/mitmproxyuser/mitm_plugin.py

It works on macos-11 and macos-12 most probably because /etc/sudoers used to contain runner ALL=(ALL) NOPASSWD: ALL, but not in macos-13

Platforms affected

• Azure DevOps
• GitHub Actions - Standard Runners
• GitHub Actions - Larger Runners

Runner images affected

• Ubuntu 20.04
• Ubuntu 22.04
• macOS 11
• macOS 12
• macOS 13
• Windows Server 2019
• Windows Server 2022

Image version and build link

20230611.2

Is it regression?

yes, macos-12, https://github.com/GitHubSecurityLab/actions-permissions/actions/runs/5678918868/job/15390694634

Expected behavior

No error.

Actual behavior

fails with sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

Repro steps

sudo sysadminctl -addUser mitmproxyuser -admin
sudo cp mitm_plugin.py /Users/mitmproxyuser/mitm_plugin.py
see https://github.com/GitHubSecurityLab/actions-permissions/actions/runs/5678918868/job/15390694453

[sergei-pyshnoi]

Hello @JarLob . Thanks for your report. We will take a look.

[ilia-shipitsin]

@JarLob ,

I added your steps

to workflow, it runs on macos-13 without any issue

https://github.com/ilia-shipitsin/sudo/actions/runs/5693244777/job/15431908696

[ilia-shipitsin]

@JarLob , I'm closing this issue (cannot repro using provided steps).
feel free to reopen if issue still persists

[JarLob]

I have minimized https://github.com/GitHubSecurityLab/actions-permissions/actions/runs/5678918868/job/15390694453 to

on:
  workflow_dispatch:

jobs:
  job1:
    strategy:
      fail-fast: false
      matrix:
        os:
        - macos-13
        - macos-latest
        - macos-11

    runs-on: ${{ matrix.os }}
    steps:
      - run: |
          sudo sysadminctl -addUser myuser -admin
          sudo -u myuser -H bash -e -c "id" 

Please see https://github.com/GitHubSecurityLab/actions-permissions/actions/runs/5856845682/job/15877437623

[ilia-shipitsin]

I added couple of lines to your repro

https://github.com/ilia-shipitsin/gh7987/blob/main/.github/workflows/blank.yml

as we can see

1. "sudo" to root works
2. user "myuser" is created with "admin" group membership (see output of "id myuser")
3. on all OSes /etc/sudoers contain %admin ALL = (ALL) ALL

looks like sudo group handling has changed in macos-13

[ilia-shipitsin]

interesting, seems we do not have runner ALL=(ALL) NOPASSWD: ALL on macos-13.
I'll check

[JarLob]

Isn't the difference between mac13 and others that it doesn't have runner ALL=(ALL) NOPASSWD: ALL in the end of sudoers?
UPD: I see, you noticed it.

[ilia-shipitsin]

as a workaround, you can add echo "runner ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers.d/runner

we'll add it to newly generated image (release cycle for macos-13 is not very frequent, I'd say 2-4 weeks usually between releasing updated image)

[JarLob]

Thanks. No worries. As you said a workaround is available, but the difference in mac13 would break things unexpectedly, so I have reported.

[damanm24]

I'm running into this issue when using the macos-13-arm64 image. I'm unable to use the workaround because the second command sudo tee -a /etc/sudoers.d/runner requires sudo. I also noticed that for the macos-13-arm64 image the default user is appuser, and when adjusting the workaround with appuser as the username the workaround fails to work.

@ilia-shipitsin Is there a reason why #8086 was not merged?