0

Anyone who has used Multipass or AWS is familiar with the ubuntu user, who has passwordless sudo access. I am launching multiple virtual machines via Multipass, each with many users, and I want passwordless sudo for their accounts for two reasons:

  1. They can only log in with their public/private key and not a username/password, so they can't type in a password for sudo if they don't have one
  2. Developers need to be able to call sudo apt-get

I am aware that I can issue the command sudo visudo and make some changes to provide passwordless sudo, however, this requires human interaction. I tried hacking this with sed (sudo sed -i "s/%admin\s*ALL=(ALL)\s*ALL/%admin ALL=(ALL) NOPASSWD:ALL/g" /etc/sudoers) but something breaks and then I can't get into /etc/sudoers, not even with the ubuntu user.

Finally, I tried looking at the groups that ubuntu is a member of and noticed that it is a member of adm which I assume is admin, and I [blindly] added all the user accounts to that group but that did not work either.

I have two questions, which are really the same question:

  1. How is it that Ubuntu can call sudo without a password and where is this specified?
  2. How can I extend this same privilege to other users but in an automated fashion?

1 Answer

0

Multipass supports cloud-init, and with it you can do all those things automatically without any script.

multipass launch --cloud-init <file> ...

In the cloud-init file you can specify all the users to be created, and you can give them passwordless sudo.

It would look like this:

package_update: true
package_upgrade: true
packages:
  - ...
users:
  - name: ubuntu
    sudo: ALL=(ALL) NOPASSWD:ALL
    home: /home/ubuntu
    shell: /bin/bash
    groups: [adm, audio, cdrom, dialout, floppy, video, plugdev, dip, netdev, libvirtd]
    lock_passwd: True
    gecos: Ubuntu

Have a look at the cloud-init documentation for details.

[Edit - adding tested example]

package_update: true
package_upgrade: true
packages:
users:
  - name: user1
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ssh-rsa ...
  - name: user2
    shell: /bin/bash
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ssh-rsa ...

$ multipass launch --cloud-init cloudinit.yaml
Launched: great-dalmatian
$ ssh user1@10.88.17.191
...
user1@great-dalmatian:~$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1)
user1@great-dalmatian:~$ sudo id
uid=0(root) gid=0(root) groups=0(root)
$ ssh user2@10.88.17.191 "id; sudo id"
uid=1001(user2) gid=1001(user2) groups=1001(user2)
uid=0(root) gid=0(root) groups=0(root)
marosg
  • 1,303
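
Added example, not part of the original answer: for accounts that already exist, the same grant can go in a drop-in under /etc/sudoers.d (cloud-init's `sudo:` key writes its rules to /etc/sudoers.d/90-cloud-init-users) and be checked with visudo before it is installed, so a malformed rule never takes effect the way the sed edit of /etc/sudoers in the question did. The drop-in name 91-dev-users and the user names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). The drop-in name and the
# user names passed in are assumptions chosen for illustration.

# render_rules USER... : print one passwordless-sudo rule per user.
render_rules() {
    for u in "$@"; do
        case "$u" in
            ''|[!a-z_]*|*[!a-z0-9_-]*)
                # Refuse anything that could inject extra sudoers syntax.
                echo "refusing user name: $u" >&2
                return 1 ;;
        esac
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$u"
    done
}

# install_dropin DEST USER... : write the rules to a temp file, syntax-check
# them with visudo, and only then put them in place with mode 0440.
install_dropin() {
    dest=$1; shift
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    rc=1
    if render_rules "$@" > "$tmp" && visudo -c -f "$tmp" >/dev/null \
        && install -m 0440 "$tmp" "$dest"; then
        rc=0
    else
        echo "validation or copy failed; $dest not written" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# As root on the guest (sudo skips files in /etc/sudoers.d whose names
# contain '.' or end in '~'):
#   install_dropin /etc/sudoers.d/91-dev-users user1 user2
```

Because the rules are validated in a temporary file first, a failed check leaves the existing sudo configuration exactly as it was.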