Sudoers file, enable NOPASSWD for user, all commands

1

Preface

This is a fairly complex question related to the Sudoers file and the sudo command in general.

NOTE: I have made these changes on a dedicated machine running Ubuntu Desktop 13.04, that I use purely for learning purposes. I understand it's a huge security risk to enable NOPASSWD sudo.

Question

Initially, my only change to the sudoers file (/etc/sudoers) was one line, a user specification that should have enabled 'nicholsonjf' to run all commands with sudo without having to enter a password (see the line that starts with 'nicholsonjf'):

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias...
2
Related to: [SOLVED] nopasswd in /etc/sudoers

[SOLVED] Editing sudoers Linux

Hi all - Relatively new to Linux, but I'm trying to grasp the proper way to modify the sudoers file. As an example, what would I have to modify in /etc/sudoers to allow a user (say 'user1' for the example) to be able to add/remove software through yum? I'm aware of the fact that I need to use visudo and how to use the vi editor.
I've Googled this topic and while I've found a number of pages on the topic, I never see many examples.
Thanks in advance!

[SOLVED] /etc/sudoers help Linux

I'd like to set up a particular user with the ability to run all the scripts in a particular directory (which require sudo) without being prompted for their password. To test this I first attempted to set up this user to be able to run ANY sudo command without being prompted. Here's what I did:
sudo visudo -f /etc/sudoers
then, under the below comment, I added this line
# User privilege specification
...
3

Are there any risks in letting the commands below be used with no password?

It is a home computer with no other users; I only use the single default user created when Ubuntu was installed.

I would like to not have to enter the sudo password at all for these commands:

echo 100 > /sys/class/backlight/intel_backlight/brightness
ethtool -s eth0 autoneg off speed 100 duplex full
dhclient eth0
apt-get update && apt-get upgrade && apt-get dist-upgrade -y
apt-get autoremove && apt-get remove && apt-get clean && apt-get autoclean -y

Thank you.

ANSWER: It seems that these steps resolved this case:

sudo su

Create /usr/local/bin/scriptname and write the lines below in it:

#!/bin/bash
command in here without sudo
# the end of the script's name

Create /etc/sudoers.d/scriptname and write the following lines in it:

# sudoers alias names must be upper case
User_Alias SCRIPTNAME=username
Cmnd_Alias SCRIPTABREVIATON=/home/globalisation/r
SCRIPTNAME ALL=NOPASSWD: SCRIPTABREVIATON

Add at the end of /etc/sudoers...

4

If you are using sudo you most certainly know that the default setup will require the user running sudo to enter a password (by default the password of the user running sudo). I will show you in this post what options sudo offers related to passwords and how they can be used.

Defaults

If you have an entry in your sudoers file that contains something like this:

admin ALL=(ALL) ALL

then sudo will require you to enter a password when running a command with sudo. This is the user password (and not the root password), in this case the password of the user “admin”.

targetpw

If for some reason you want to change this behavior, you can use the sudo global flag targetpw. It is OFF by default, and if you set it as shown below, the password you will be asked for when running sudo will be the password of the target user (in our case the root password).

Defaults targetpw

Personally, I don’t see the use of this parameter and never used it...

5

@Injo Ouch! For me, you’ve found a little bug in Antergos, congrats.

Can confirm that freshly installed Antergos behaves as you describe. Continues to ask for password when it should not do that anymore.

I solved the issue here by removing the file

/etc/sudoers.d/10-installer

It contains (for my user):

just ALL=(ALL) ALL

These are sudo settings to ask for password when a command is prefixed with sudo.

The file’s content doesn’t change even if /etc/sudoers is edited with

sudo visudo

Without /etc/sudoers.d/10-installer file, sudo visudo returns the expected results:

The native Arch Linux installations here don’t have the /etc/sudoers.d/10-installer file. The /etc/sudoers.d/ folder is...

6

Introduction

Privilege separation is one of the fundamental security paradigms implemented in Linux and Unix-like operating systems. Regular users operate with limited privileges in order to reduce the scope of their influence to their own environment, and not the wider operating system.

A special user, called root, has "super-user" privileges. This is an administrative account without the restrictions that are present on normal users. Users can execute commands with "super-user" or "root" privileges in a number of different ways.

In this article, we will discuss how to correctly and securely obtain root privileges, with a special focus on editing the /etc/sudoers file.

We will be completing these steps on an Ubuntu 16.04 server, but most modern Linux distributions should operate in a similar manner.

This guide assumes that you have already completed the initial server setup discussed here. Log into your server as a regular, non-root user and...

7

We can configure who can use the sudo command and how. You may have noticed that the Vagrant user on your development server can use sudo without a password. Similarly, AWS servers allow the same thing. Find out how that's done, and much more!

Visudo

We can configure who can use sudo commands by editing the /etc/sudoers file, or by adding configuration to the /etc/sudoers.d directory.

To edit the sudoers file, we should always use the visudo command.

This uses your default editor to edit the sudoers configuration.

You can decide which editor to use to edit sudoers in a quick one liner:

sudo EDITOR=vim visudo

In general, you can set your editor via the EDITOR and/or VISUAL environment variables.

# export is a shell builtin, so it is run without sudo
export VISUAL=nano
export EDITOR=nano
sudo update-alternatives --set editor /usr/bin/nano
# Try this to set a new editor globally
sudo update-alternatives --set editor...
8

Feedback

I have tried the above in an Ubuntu OS. It does not work and even with many other variations made to the sudoers file, I am always asked for a password when I execute sudo command.

Which version of Ubuntu are you using? It flawlessly works from at least 7.04.

8.0x Server Version I will try your fix again on Friday. thanks

I overlooked the fact that it must be at the end of the file. In my version, the last line of code gives all users in the admin group root access but with a password required. If your line precedes this, then the effects are undone by the last line of code because my user login is also a member (unintentional) of admin.

Hi, I tried the previous command and it works. I have Ubuntu Jaunty 9.04 alpha 6

Hi, it's working fine in Kubuntu 8.04
sudo visudo
jaleel ALL=NOPASSWD: ALL
save and reboot
thanks a lot
saitjaleel@yahoo.com

'ya dont need to reboot..

%sudo...

9
sudoers - /etc/sudoers config file for sudo
sudoers - list of which users may execute what

The sudoers file contains aliases (basically variables) and user specifications (which specify who may run what).

Aliases

Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
          'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
          'Host_Alias' Host_Alias (':' Host_Alias)* |
          'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*

User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias.
A NAME is a string of uppercase letters, numbers, and underscore characters ('_').
A NAME must start with an uppercase letter. It is possible to put several alias definitions...
10

I've been trying to grant www-data to use sudo service apache2 restart without a password but no matter what I try, nothing works. I have read a few hundred posts regarding this issue on different forums but nothing in them helps.

I know that the permissions are added in order, so the specific command should go at the end of the list. Here is my file:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL) ALL

# See...
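
The ordering effect described in the feedback thread and in the www-data question above (when several entries match, the last one decides whether a password is asked), as an added example that is not part of the original posts. It is a simplified Python model that ignores aliases, Defaults, host and Runas matching; the sample rules and the /usr/sbin/service path are constructed.

```python
import re

# who HOST = [(runas)] [TAG:] cmd[, cmd...]   (simplified user specification)
SPEC = re.compile(r"^(?P<who>\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*")

# Constructed samples modelled on the posts above.
BEFORE = "jaleel ALL=NOPASSWD: ALL\n%admin ALL=(ALL) ALL\n"
AFTER = "%admin ALL=(ALL) ALL\njaleel ALL=NOPASSWD: ALL\n"
NARROW = ("%sudo ALL=(ALL) ALL\n"
          "www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart\n")


def who_matches(who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return who == user


def cmd_matches(spec_cmd, command):
    if spec_cmd == "ALL":
        return True
    if " " not in spec_cmd:  # no arguments listed: any arguments are accepted
        return command.split(" ", 1)[0] == spec_cmd
    return command == spec_cmd  # arguments listed: they must match exactly


def evaluate(sudoers_text, user, groups, command):
    """Return None if denied, else 'PASSWD' or 'NOPASSWD' from the last match."""
    result = None
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC.match(line)
        if not m or not who_matches(m["who"], user, groups):
            continue
        tag = "PASSWD"  # a password is required unless a tag says otherwise
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            t = TAG.match(cmd)
            if t:  # a tag also applies to the commands that follow it
                tag, cmd = t.group(1), cmd[t.end():]
            if cmd_matches(cmd, command):
                result = tag  # a later match overrides an earlier one
    return result
```

With BEFORE, a user who is also in the admin group is still prompted because the %admin line matches last; NARROW grants www-data exactly one command line and nothing else.
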
12

I have server A and server B (both Ubuntu 10.04 LTS) doing different tasks. Server A needs to poke Server B, which generates a file and scp's it back to server A when done. This is all in-house and I am not too concerned about security issues. SSH Key exchange is already performed between servers A and B and works fine.

On server B, the script generateOfflineSig looks like

#!/bin/bash
echo "in script"
# "$1" is the first argument (the package name); "$0" would be the script path
sudo apt-offline set offline_package.sig --install-packages "$1"
echo "after sudo"
scp offline_package.sig jeff@servera:/tmp

Also on server B, visudo has this entry:

jeff ALL=NOPASSWD: ALL

Which works if I execute sudo ls on Server B... no password asked.

Unfortunately SSH always asks for a password on Server A:

jeff@servera:~$ ssh -t jeff@serverb /home/jeff/generateOfflineSig "incron"
in script
[sudo] password for jeff:

Any ideas? This process can't be interrupted by password...
