Restore nopasswd sudo rule on Mac OS X.

This seems to be missing from some (but not all) github runners, so
restore it if it seems to be missing.

.github/setup_ci.sh

@@ -29,18 +29,30 @@ TARGETS=$@
 INSTALL_FIDO_PPA="no"
 export DEBIAN_FRONTEND=noninteractive
 
-set -ex
+set -e
 
 if [ -x "`which lsb_release 2>&1`" ]; then
 	lsb_release -a
 fi
 
-# Ubuntu 22.04 defaults to private home dirs which prevent the
-# agent-getpeerid test from running ssh-add as nobody.  See
-# https://github.com/actions/runner-images/issues/6106
-if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
-	echo ~ is not executable by nobody, adding perms.
-	chmod go+x ~
+if [ ! -z "$SUDO" ]; then
+	# Ubuntu 22.04 defaults to private home dirs which prevent the
+	# agent-getpeerid test from running ssh-add as nobody.  See
+	# https://github.com/actions/runner-images/issues/6106
+	if ! "$SUDO" -u nobody test -x ~; then
+		echo ~ is not executable by nobody, adding perms.
+		chmod go+x ~
+	fi
+	# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
+	# sudo still works, but sudo -u doesn't.  Restore the sudo rule.
+	if ! "$SUDO" grep  -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
+		echo "Restoring runner nopasswd rule to sudoers."
+		echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
+	fi
+	if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
+		echo "Still can't sudo to nobody."
+		exit 1
+	fi
 fi
 
 if [ "${TARGETS}" = "kitchensink" ]; then