236

Preface

This is a fairly complex question related to the sudoers file and the sudo command in general.

NOTE: I have made these changes on a dedicated machine running Ubuntu Desktop 13.04, that I use purely for learning purposes. I understand it's a huge security risk to enable NOPASSWD sudo.

Question

Initially, my only change to the sudoers file (/etc/sudoers) was one line, a user specification that should have enabled nicholsonjf to run all commands with sudo without having to enter a password (see the line that starts with nicholsonjf):

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Host alias specification


User alias specification


Cmnd alias specification


User privilege specification


root    ALL=(ALL:ALL) ALL
nicholsonjf    ALL=NOPASSWD: ALL


Members of the admin group may gain root privileges


%admin ALL=(ALL) ALL


Allow members of group sudo to execute any command


%sudo   ALL=(ALL:ALL) ALL


See sudoers(5) for more information on "#include" directives:


#includedir /etc/sudoers.d

However this did not work, and I was still prompted for my password every time I ran a command as nicholsonjf. I was only able to start running sudo commands as nicholsonjf once I removed nicholsonjf from the sudo and admin groups.

Can anyone explain why this worked?

Is it because the user nicholsonjf was inheriting sudo rights from the two group specifications of admin and sudo (seen below in the sudoers file), which were overriding the nicholsonjf user specification because they were further down in the config file?

karel
  • 114,770
nicholsonjf
  • 2,551
  • 2
  • 15
  • 8

7 Answers7

303

The line you added was overridden. From man sudoers:

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

In your case nicholsonjf was a member of the group sudo so for him this line applied:

%sudo   ALL=(ALL:ALL) ALL

If you want to override entries in /etc/sudoers just put the new entries after them.

The new entry should look like

myuser ALL=(ALL) NOPASSWD: ALL for a single user, or

%sudo ALL=(ALL) NOPASSWD: ALL for a group.

pabouk - Ukraine stay strong
  • 4,413
  • 8
    For a complete solution I would like to see something about NOPASSWD in this answer... – Daniel Alder Dec 05 '14 at 15:08
  • 34
    I think, the solution should be: %sudo ALL=(ALL) NOPASSWD:ALL – Daniel Alder Dec 08 '14 at 09:20
  • 5
    @DanielAlder: The specification line from the question nicholsonjf ALL=NOPASSWD: ALL is correct. It was just at a wrong place as I explained in the answer. ------ The Runas specification — in your case (ALL) — is optional. If you omit the specification you can run the commands as root and you cannot use -u and -g options of sudo. – pabouk - Ukraine stay strong Dec 09 '14 at 08:12
  • This is a worse security risk as it gives multiple users passwordless access. If it's your personal PC then that's not significant - perhaps. I'd just move the personal line, to last. – Mark Williams Dec 09 '14 at 08:15
  • 9
    An addition, rather than correction, if using something debian/ubuntu based (may be generally applied, not seen it elsewhere) Your absolute best-practice bet is to add custom commands to a file in /etc/sudoers.d/ and leave sudoers itself to be managed by the package manager. – Aquarion Nov 10 '15 at 12:02
153

For a single user, add this line at the end of your sudoers file using the sudo visudo command:

superuser ALL=(ALL) NOPASSWD:ALL

For a group

%supergroup  ALL=(ALL) NOPASSWD:ALL
Fedir RYKHTIK
  • 1,793
  • 9
    Before I read this answer I did %sudo ALL=NOPASSWD: ALL and it works. Am I the only one who finds Extended Backus-Naur Form really hard to understand? – Vince Jan 22 '16 at 00:01
  • 4
    @Vince When used your command I can't sudo without password as user without sudo privileges. E.g. sudo -u root -i works, but sudo -u git -i doesn't. – Tom Raganowicz Dec 04 '16 at 10:28
56

Run this command to never prompt the current user for a password when that user uses sudo:

echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee "/etc/sudoers.d/dont-prompt-$USER-for-sudo-password"

It creates a file called /etc/sudoers.d/dont-prompt-<YOUR USERNAME>-for-sudo-password with the following contents:

<YOUR USERNAME> ALL=(ALL:ALL) NOPASSWD: ALL

This works because Debian's and Ubuntu's default /etc/sudoers file has this line

#includedir /etc/sudoers.d

which makes it process files in the /etc/sudoers.d/ directory. If the command above didn't work, check that no one has removed that line from your /etc/sudoers file.

  • I like the shortcut working for the current user – cljk Sep 25 '20 at 06:56
  • 1
    This is only way that worked here in Mint. – dawid Feb 07 '21 at 14:07
  • This is actually "the" correct answer. Thanks! – Marco Massenzio Apr 24 '22 at 05:05
  • 1
    @MarcoMassenzio you're welcome, yea I felt like I was going a little crazy when I stumbled upon that directory and as I was writing this up because I'd been coming to this question every time I installed Ubuntu, everyone needs to do it, this is clearly the best way to do it over manually editing a file every time, it's been supported since the 90's and I've never seen anybody mention it anywhere else on the internet. –  Apr 24 '22 at 05:15
2

As I was researching this, I realized that there's a line in the /etc/sudoers file that is not a comment, but a directive that makes any file or folder under the directory /etc/sudoers/* override the contents of /etc/sudoers.

This is a sneaky little directive, as it appears to be a commented line upon first glance. It looks like this:

#includedir /etc/sudoers.d

This is how I've implemented the non-root, passwordless user in an ephemeral Docker Image for use in a CICD pipeline with the base image of ubuntu:18.04:

RUN \
  useradd -U foo -m -s /bin/bash -p foo -G sudo && passwd -d foo && passwd -d root && \
  sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
  sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
  sed -i /etc/sudoers -re 's/^#includedir.*/## Removed the #include directive! ##"/g' && \
  echo "Customized the sudoers file for passwordless access!" && \
  echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
  echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
  echo "foo user:";  su foo -c 'whoami && id' && \
  echo "root user:"; su root -c 'whoami && id'

What happens with the above code:

  • The user and group foo is created.
  • The user foo is added to the both the foo and sudo group.
  • The home directory is set to /home/foo.
  • The shell is set to /bin/bash.
  • The sed command does inline updates to the /etc/sudoers file to allow foo and root users passwordless access to the sudo group.
  • The sed command disables the #includedir directive that would allow any files in subdirectories to override these inline updates.
Seth Bergman
  • 336
  • 1
    You don't need to remove the directive if you don't have any files in that directory. –  Jan 04 '22 at 19:58
  • 1
    Thank you for the comment. The reason I've "disabled" this directive in the above snippet is to make certain the script works. Great callout though for those unaware – Seth Bergman Feb 02 '22 at 17:23
2

As Vince has mentioned in a comment, you can use this line:

%sudo ALL=NOPASSWD: ALL

(This is different from the lines shown in those answers, and it solved the problem for me.)

Eliah Kagan
  • 117,780
E. Fortes
  • 137
  • 1
    @Eliah this is not that different from the other answers. All it does is replace the placeholder supergroup in Fedir's answer with sudo. What next, another user for the group wheel? Or any other group the user happens to be using? – muru Oct 04 '17 at 11:19
  • 1
    @muru "All it does is replace the placeholder supergroup in Fedir's answer with sudo." *What?* Replacing supergroup with sudo in the line %supergroup ALL=(ALL) NOPASSWD:ALL yields %sudo ALL=(ALL) NOPASSWD:ALL, not %sudo ALL=NOPASSWD: ALL. – Eliah Kagan Oct 04 '17 at 11:21
  • Which is arguably worse, since now NOPASSWD is only for root as the target user. So, it doesn't even answer the question correctly! – muru Oct 04 '17 at 11:26
  • @muru What is is not even arguably, however, is a substitution of supergroup with sudo. This is its own answer, not a thanks post or a copy of another answer. But yes, I agree: unless they intend that, this will not be as good for most users as the methods in the other answers. (But, especially considering the question says "all commands," not "all target users," I don't think this is in effect not even attempting to answer the question that was asked.) – Eliah Kagan Oct 04 '17 at 11:34
  • 1
    This worked for me and I wanted to share with other users :) (remove my comment if desired). – E. Fortes Oct 05 '17 at 13:44
0

One can insert a string in one line without EOF formatting at end of sudoers file or remove with sed -i:

cat >> /etc/sudoers <<<'PaSe ALL=(ALL:ALL) NOPASSWD:ALL'

Reference: https://stackoverflow.com/questions/41298208/how-to-append-a-line-at-the-end-of-etc-sudoers-file-using-shell-script-without/70039824#70039824

PaSe
  • 29
  • 1
0

To give explicit permission for each command you want allow, (extending the answer of user677955)

Example to bypass passwdord prompt for sudo apt [...] in bash:

echo "$USER ALL=(ALL:ALL) NOPASSWD:$(which apt)" \
| sudo tee -a "/etc/sudoers.d/dont-prompt-$USER-for-sudo-password"

Example to bypass password prompt for sudo service [...] in fish:

echo "$USER ALL=(ALL:ALL) NOPASSWD:"(which service) \
| sudo tee -a "/etc/sudoers.d/dont-prompt-$USER-for-sudo-password"
Wen Zul
  • 1