Almost two years ago I discovered that the OSX’s sudo binary doesn’t display the “insults” (see man sudoers) and wrote a post on how to fix that. Today I’d like to append that information with a helpful shell function to check if your current sudo has insults or the latest update has reverted the patched version again (of course, it did).

The function

This function is in my ~/.zshrc and was tested in zsh, it should also work in bash:

1
2
3
4
5

# Checks if the OSX sudo has insults. If it does, returns 0; otherwise prints
# the corresponding message and returns 1.
function check_sudo_with_insults() {
  [[ "$( echo "blah" | sudo -Skvp '' 2>&1 | head -1 )" != "Sorry, try again." ]] || { echo "sudo doesn't have insults"; return 1; }
}

Testing it on an unpatched system:

1
2
3
4

$ ~ check_sudo_with_insults
sudo does't have insults
$ ~ echo $?
1

Then I patch sudo and test again:

1
2
3

$ ~ check_sudo_with_insults
$ ~ echo $?
0

How does it work?

The default message for the wrong password on OSX is lame “Sorry, try again.”, so we need to test for that. I sifted through the man page and this combination of options worked great:

• -S reads the password from stdin; the password is supplied by the echo and is knowingly incorrect;
• -k resets the timestamp so that the password is required;
• -v authenticates the user, verifying the password, but not running any command;
• -p '' disables the prompt for password so that nothing except the message about the incorrect password is printed.

We redirect the stderror into stdout with 2>&1, get the first line and test if it’s the default error. If it is, we print “sudo doesn’t have insults” and exit with code 1.