
How does the ubuntu user on the AWS images for Ubuntu Server 12.04 have passwordless sudo for all commands when there is no configuration for it in /etc/sudoers?

I'm using Ubuntu Server 12.04 on Amazon. I want to add a new user that has the same behavior as the default ubuntu user. Specifically, I want passwordless sudo for this new user.

So I've added a new user and went to edit /etc/sudoers (using visudo, of course). From reading that file it seemed like the default ubuntu user was getting its passwordless sudo from being a member of the admin group. So I added my new user to that, which didn't work. Then I tried adding the NOPASSWD directive to sudoers, which also didn't work.

Anyway, now I'm just curious. How does the ubuntu user get passwordless privileges if they aren't defined in /etc/sudoers? What is the mechanism that allows this?

Peachy
aychedee

7 Answers


Okay, I have discovered the answer, so I may as well put it here for completeness. At the end of /etc/sudoers there is what I thought was just a comment:

#includedir /etc/sudoers.d

However, this actually includes the contents of that directory. Inside it is the file /etc/sudoers.d/90-cloudimg-ubuntu, which has the expected contents:

# ubuntu user is default user in cloud-images.
# It needs passwordless sudo functionality.
ubuntu ALL=(ALL) NOPASSWD:ALL

So that is where the sudo configuration for the default ubuntu user lives.

You should edit this file using visudo. The following command will let you edit the correct file with visudo.

sudo visudo -f /etc/sudoers.d/90-cloudimg-ubuntu

And add a line like:

aychedee ALL=(ALL) NOPASSWD:ALL

At the end.

aychedee
  • I am currently struggling with /etc/sudoers on ubuntu-12.04 (desk x86_64). After altering /etc/sudoers or /etc/sudoers.d/*, do I need to reboot, logout or sudo restart any daemon? – m-ric Feb 14 '13 at 16:11
  • I'm pretty sure I had to do a full reboot. – aychedee Feb 14 '13 at 20:40
  • New sudo rules will be used for every newly logged-in user, so you need to re-login at least. – bluszcz Feb 27 '13 at 10:17
  • 'sudo service sudo restart' works :) – Laice Jun 11 '13 at 02:23
  • In later versions (14.04 for example) the included file is /etc/sudoers.d/90-cloud-init-users (so to edit: sudo visudo -f /etc/sudoers.d/90-cloud-init-users). Although it'd be cleaner to create additional files than editing the generated one. Note that files containing a . or ending in ~ will not be included. – Molomby Aug 27 '15 at 05:29
  • IMHO that should be changed. #include is something that could really throw someone off. This case is a perfect example. How about @Include instead? – user447607 Jan 12 '16 at 15:37
  • This is a great spot. I always wondered how the ubuntu user could sudo -i without a password and without the NOPASSWD part in /etc/sudoers; I thought I was going crazy or something. # at the start of a line in a config file which isn't a comment is flagrant abuse of common standards. – Phil_1984_ Oct 16 '16 at 01:14
  • @Phil_1984_ Most likely, it was added as a comment to allow compatibility with other (standard?) versions of sudo, which don't allow includes, but wouldn't be tripped up by a weird comment. (Standards are hard! ;-) – jpaugh Nov 23 '16 at 14:39
  • Because who has time to man sudoers 5 to check the #includedir directive. – fa wildchild Jan 29 '19 at 02:03
  • Nothing works for me. EC2 instance. I added a file in sudoers.d, I added my user in visudo with ALL=(ALL) NOPASSWD:ALL, I added my user to the wheel group and I commented out the wheel line so all members have passwordless sudo. Nothing at all worked. And I don't even have a sudo service. It's not in systemctl either. – Vasiliki Mar 05 '20 at 12:30
  • Might be worth noting that #includedir /etc/sudoers.d is not commented out. In other words, do not remove the #; the # must be there for the /etc/sudoers file to be valid. – Alex Fortin Mar 27 '21 at 18:13
  • Just to clarify, do not add aychedee on that line, add YOUR username. – Raleigh L. Jan 07 '24 at 20:59
  • If you are in a server environment like me and cannot restart, wait 15 minutes for it to take effect. Apparently there is a timeout. – Tamil Vendhan Kanagarasu Mar 21 '24 at 02:03

I found that the most straightforward thing to do, in order to easily replicate this behavior across multiple servers, was the following:

sudo visudo

Change this line:

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL

to this line:

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) NOPASSWD:ALL

And move it under this line:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

You should now have this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD:ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

then for every user that needs sudo access WITH a password:

sudo adduser <user> sudo

and for every user that needs sudo access WITH NO password:

sudo adduser <user> admin

(on older versions of ubuntu, you may need to):

sudo service sudo restart

And that's it!

Edit: You may have to add the admin group as I don't think it exists by default.

sudo groupadd admin

You can also add the default AWS ubuntu user to the admin group via this command:

sudo usermod -aG admin ubuntu   # -aG appends a supplementary group; -g would replace the primary group

Note: As @hata mentioned, you may need to use adm as your admin group name, depending on which version of Ubuntu is being used.

jiminikiz
  • Note to self: it's a convention to move less restrictive permissions lower in the stack. But not doing it won't affect functionality. – poweratom Sep 05 '14 at 09:47
  • As jiminikiz explained, I had to place the %admin after the %sudo on my Ubuntu GNOME 16.04 LTS. Plus, the administrators group id is exactly not admin but adm on my Ubuntu. No reboot was required. – hata Oct 26 '17 at 10:52
  • By the way, use sudo apt purge nano if you want to default to vi on your system. – chovy May 27 '22 at 23:42

I would create my own file under the /etc/sudoers.d/ directory; the file created by Amazon Cloud might be overwritten by an update. After creating your file in /etc/sudoers.d, add this entry:

<your user name> ALL=(ALL) NOPASSWD:ALL

Reboot the system and this will work.


Short answer without using any editor (tested on bash, very risky to execute on remote hosts).

Configure sudo to work without a password for the current user:

echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers

Check the edit with:

sudo visudo -c

Verify if you can use sudo without a password:

sudo cat /etc/sudoers | grep "$USER"

...or simply try it with:

sudo <anything>
  • This is pretty dangerous advice... copy and paste this wrong and you'll lock yourself out of your own server. Hence the advice to use visudo. It checks that the syntax is correct before saving to disk. So, for anyone that wants to use this: don't do it on a remote server that you care about. You might want to include a warning about that in your answer. – aychedee Aug 14 '14 at 09:25
  • Not using visudo is a horrible idea. Trust me, I know. – le3th4x0rbot Sep 09 '15 at 17:22
  • IMHO, a copy-paste is safer than a manual edit. A minor simplification: echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers – theartofrain Apr 05 '16 at 23:56
  • @theartofrain - Normally, I'd agree, but visudo is particularly nice about not allowing you to break the sudoers file, thus not locking you out of your machine (or at least sudo). – Jon V Mar 15 '17 at 02:43
  • @JonV You can lose admin rights via visudo too, but usually not by accident, because visudo only saves changes that are well-formed according to the grammar for sudoers files. Most mistakes are syntactically wrong, so they cause no harm with visudo. If /etc/sudoers or a file in /etc/sudoers.d is ill-formed, sudo refuses to elevate privileges for anyone as a security measure, which is why not using visudo is dangerous. (Though sometimes pkexec can fix it without a reboot.) – Eliah Kagan Sep 28 '17 at 12:29

As I was researching this, I realized that there's a line in the /etc/sudoers file that is not a comment, but a directive that makes any file or folder under the directory /etc/sudoers/* override the contents of /etc/sudoers.

This is a sneaky little directive, as it appears to be a commented line upon first glance. It looks like this:

#includedir /etc/sudoers.d

This is how I've implemented the non-root, passwordless user in an ephemeral Docker Image for use in a CICD pipeline with the base image of ubuntu:18.04:

RUN \
  useradd -U foo -m -s /bin/bash -p foo -G sudo && passwd -d foo && passwd -d root && \
  sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
  sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
  sed -i /etc/sudoers -re 's/^#includedir.*/## Removed the #include directive! ##/g' && \
  echo "Customized the sudoers file for passwordless access!" && \
  echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
  echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
  echo "foo user:";  su foo -c 'whoami && id' && \
  echo "root user:"; su root -c 'whoami && id'

What happens with the above code:

  • The user and group foo is created.
  • The user foo is added to both the foo and sudo groups.
  • The home directory is set to /home/foo.
  • The shell is set to /bin/bash.
  • The passwords for both foo and root are deleted.
  • The sed command does inline updates to the /etc/sudoers file to allow foo and root users passwordless access to the sudo command.
  • The sed command disables the #includedir directive that would allow any files in subdirectories to override these inline updates.

In case you want to remove the password:

sudo passwd -d user

Check more info about the passwd command with passwd -h on Ubuntu.

Edit: the passwd command varies from system to system; e.g. the -d flag exists on Ubuntu systems but not on MacBooks.

  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Community May 01 '23 at 06:09

For some reason every answer here seems way longer than it should be or is unnecessarily complex.

Here's the foolproof way to do it:

Run:

$ echo "$USER ALL=(ALL) NOPASSWD:ALL"

Copy the output of that.

Then run:

$ sudo visudo

Paste the line you copied in the previous step, at the bottom of this file.