52

On 14.04 here. I SSHed into my machine, added the following line to /etc/sudoers:

myuser   ALL=NOPASSWD: ALL

And then tried running:

sudo mkdir /etc/blah

...and I'm being asked for my password. Why?!?

I do not want to be asked for my password when doing this operation. Please note that when I run ls -ltr / I get:

drwxr-xr-x 94 root root  4096 Jul 30 13:28 etc

But I don't think this matters because I've set myself up as a "sudoer", right?

More importantly, what do I need to do so that I can run sudo mkdir /etc/blah as my current user (myuser) without being asked for the password?

Here's my entire /etc/sudoers file:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root      ALL=(ALL:ALL) ALL
fizzbuzz  ALL=NOPASSWD: ALL
chadmin   ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
Zac
  • 623

4 Answers4

85

It is the sequence/ordering of the rules that caused this. The last rule takes preference.

In order to fix your problem, simply move your lines,

fizzbuzz  ALL=NOPASSWD: ALL
chadmin   ALL=NOPASSWD: ALL

from the sudoers file to 

sudo visudo -f /etc/sudoers.d/myOverrides

This is better approach than editing the sudoers file with a plain text editor. If you accidentally insert errors into the file, you may not longer be able to run sudo. Always use visudo, so that the syntax is checked and you receive warnings about mistakes!

Your directive doesn't work because it is overridden by:

%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

If you run the groups command you should see that your user belongs to these groups.

David Foerster
  • 36,264
  • 56
  • 94
  • 147
Lety
  • 6,039
  • 2
  • 29
  • 37
  • The file's name should follow a convention of nn-somename, for example /etc/sudoers.d/20-myoverrides – shimatai Nov 03 '19 at 00:45
  • Yes, of course, if you have more than one file, these are parsed in sorted lexical order, so it is a good practice to use a number and it will be easy to know that order. – Lety Nov 04 '19 at 12:58
26

If myuser is in the sudo group, then this order of the lines won't provide passwordless access (as noted by Florian Diesch), because the 3rd line overrides the 1st one.

myuser    ALL=(www-data:www-data) NOPASSWD: ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

So just put the lines into this order:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
myuser    ALL=(www-data:www-data) NOPASSWD: ALL

Under myuser account use sudo -l to check what permissions myuser has.

Organic Marble
  • 23,641
  • 15
  • 70
  • 122
Kostyantyn
  • 576
  • 5
  • 11
12

If multiple entries match for a user the last one is used. So if fizzbuzz and chadmin are members of the groups admin or sudo they will be still asked for a password.

Put the two lines at the end of the sudoers file after the #includedir line.

Florian Diesch
  • 87,389
  • Indeed, so a combination of @Letizia's and your answers is the best, since the #includedir is the last entry in sudoers by default. – muru Jul 30 '14 at 18:00
1

Ideally if you are customizing what commands can be run via sudo you should be making these changes in a separate file under /etc/sudoers.d/ instead of editing the sudoers file directly. You should also always use visudo to edit the file(s). You should NEVER grant NOPASSWD on ALL commands.

Example: sudo visudo -f /etc/sudoers.d/mynotriskycommand

Insert your line granting permission: myuser ALL= NOPASSWD: /bin/mkdir

Then save and exit and visudo will warn you if you have any syntax errors.

You can run sudo -l to see the permissions that your user has been granted, if any of the user specific NOPASSWD commands appear BEFORE any %groupyouarein ALL=(ALL) ALL command in the output you will be prompted for your password.

If you find yourself creating lots of these sudoers.d files then perhaps you will want to create them named per user so they are easier to visualize. Keep in mind that the ordering of the FILE NAMES and of the RULES within the file is very important, the LAST one loaded wins, whether it is MORE or LESS permissive than the previous entries.

You can control the file name ordering by using a prefix of 00-99 or aa/bb/cc, though also keep in mind that if you have ANY files that don't have numeric prefix, they will load after the numbered files, overriding the settings. This is because depending on your language settings the "lexical sorting" the shell uses sorts numbers first and then may interleave upper and lowercase when sorting in "ascending" order.

Try running printf '%s\n' {{0..99},{A-Z},{a-z}} | sort and printf '%s\n' {{0..99},{A-Z},{a-z}} | LANG=C sort to see whether your current language prints AaBbCc etc or ABC then abc to determine what the best "last" letter prefix to use would be.

dragon788
  • 1,556