Adding NOPASSWD in /etc/sudoers doesn't work


Solution 1

It is the sequence/ordering of the rules that caused this. The last rule takes preference.

In order to fix your problem, simply move your lines,

fizzbuzz  ALL=NOPASSWD: ALL
chadmin   ALL=NOPASSWD: ALL

from the sudoers file to

sudo visudo -f /etc/sudoers.d/myOverrides 

This is a better approach than editing the sudoers file with a plain text editor. If you accidentally insert errors into the file, you may no longer be able to run sudo. Always use visudo, so that the syntax is checked and you receive warnings about mistakes!

Your directive doesn't work because it is overridden by:

%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

If you run the groups command you should see that your user belongs to these groups.

Solution 2

If myuser is in the sudo group, then this order of the lines won't provide passwordless access (as noted by Florian Diesch), because the 3rd line overrides the 1st one.

myuser    ALL=(www-data:www-data) NOPASSWD: ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

So just put the lines into this order:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
myuser    ALL=(www-data:www-data) NOPASSWD: ALL

Under the myuser account, use sudo -l to check what permissions myuser has.

Solution 3

If multiple entries match for a user, the last one is used. So if fizzbuzz and chadmin are members of the groups admin or sudo, they will still be asked for a password.

Put the two lines at the end of the sudoers file after the #includedir line.

Solution 4

Ideally if you are customizing what commands can be run via sudo you should be making these changes in a separate file under /etc/sudoers.d/ instead of editing the sudoers file directly. You should also always use visudo to edit the file(s). You should NEVER grant NOPASSWD on ALL commands.

Example: sudo visudo -f /etc/sudoers.d/mynotriskycommand

Insert your line granting permission: myuser ALL= NOPASSWD: /bin/mkdir

Then save and exit and visudo will warn you if you have any syntax errors.

You can run sudo -l to see the permissions that your user has been granted. If any of the user-specific NOPASSWD commands appear BEFORE any %groupyouarein ALL=(ALL) ALL command in the output, you will be prompted for your password.

If you find yourself creating lots of these sudoers.d files, then perhaps you will want to create them named per user so they are easier to visualize. Keep in mind that the ordering of the FILE NAMES and of the RULES within the file is very important: the LAST one loaded wins, whether it is MORE or LESS permissive than the previous entries.

You can control the file name ordering by using a prefix of 00-99 or aa/bb/cc, though also keep in mind that if you have ANY files that don't have a numeric prefix, they will load after the numbered files, overriding the settings. This is because, depending on your language settings, the "lexical sorting" the shell uses sorts numbers first and then may interleave upper and lowercase when sorting in "ascending" order.

Try running printf '%s\n' {{0..99},{A..Z},{a..z}} | sort and printf '%s\n' {{0..99},{A..Z},{a..z}} | LANG=C sort to see whether your current language prints AaBbCc etc. or ABC then abc, to determine what the best "last" letter prefix to use would be.
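The last-match behaviour described in Solutions 1 and 3 and the file ordering from Solution 4, simulated in a small shell script. This is an added example, not code from any of the answers; its rule matching is a deliberate simplification (User_List and the NOPASSWD tag only, since hosts, runas and commands are all ALL in the question), and the rule text and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the question or answers): simulate sudo's
# "last matching rule wins" on the question's rules, and show the order in
# which #includedir parses files. Only the User_List and the NOPASSWD tag
# are checked; real sudo does far more, so `sudo -l` stays authoritative.

# Constructed copy of the question's rules, comments and Defaults removed.
ORIGINAL='root      ALL=(ALL:ALL) ALL
fizzbuzz  ALL=NOPASSWD: ALL
chadmin   ALL=NOPASSWD: ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL'

# The same rules with the user lines moved after the group lines.
FIXED='root      ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
fizzbuzz  ALL=NOPASSWD: ALL
chadmin   ALL=NOPASSWD: ALL'

# last_match USER "GROUP GROUP..." reads rules on stdin and prints the
# password policy of the last rule whose User_List matches: NOPASSWD,
# PASSWD, or NONE when no rule matches at all.
last_match() {
  awk -v user="$1" -v groups="$2" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) grp["%" g[i]] = 1 }
    /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || NF == 0 { next }  # skip
    /^(User|Host|Cmnd|Runas)_Alias/ { next }                          # aliases
    {
      if ($1 != user && !($1 in grp) && $1 != "ALL") next
      winner = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"  # later match overwrites
    }
    END { print (winner == "") ? "NONE" : winner }'
}

# includedir_order NAME... prints the names #includedir would parse, in
# bytewise sorted order (as LANG=C sort does), skipping names that end in ~
# or contain a dot, which sudoers(5) ignores.
includedir_order() {
  printf '%s\n' "$@" | grep -v -e '~$' -e '\.' | LC_ALL=C sort |
    awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Demo: fizzbuzz is in the sudo group, so the original order still prompts.
printf '%s\n' "$ORIGINAL" | last_match fizzbuzz "fizzbuzz sudo"   # PASSWD
printf '%s\n' "$FIXED"    | last_match fizzbuzz "fizzbuzz sudo"   # NOPASSWD
includedir_order myOverrides 20-myoverrides README my.conf backup~
```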

Author: Zac

Updated on September 18, 2022

Comments

  • Zac
    Zac over 1 year

    On 14.04 here. I SSHed into my machine, added the following line to /etc/sudoers:

    myuser   ALL=NOPASSWD: ALL
    

    And then tried running:

    sudo mkdir /etc/blah
    

    ...and I'm being asked for my password. Why?!?

    I do not want to be asked for my password when doing this operation. Please note that when I run ls -ltr / I get:

    drwxr-xr-x 94 root root  4096 Jul 30 13:28 etc
    

    But I don't think this matters because I've set myself up as a "sudoer", right?

    More importantly, what do I need to do so that I can run sudo mkdir /etc/blah as my current user (myuser) without being asked for the password?

    Here's my entire /etc/sudoers file:

    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    
    # Host alias specification
    
    # User alias specification
    
    # Cmnd alias specification
    
    # User privilege specification
    root      ALL=(ALL:ALL) ALL
    fizzbuzz  ALL=NOPASSWD: ALL
    chadmin   ALL=NOPASSWD: ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    
    # See sudoers(5) for more information on "#include" directives:
    
    #includedir /etc/sudoers.d
    
    • Lety
      Lety almost 10 years
      Could you post your sudoers file? The directive is right, but it could not work due to the context.
    • Zac
      Zac almost 10 years
      Thanks @Letizia - please see my update, anything jump out at you?
    • Zac
      Zac almost 10 years
      I guess I should also note that I did not use visudo however any manual edits to this file were not copy-n-paste jobs, I typed everything in as-is. But does visudo edit other files besides this one? That might be it...
    • tokland
      tokland almost 5 years
      Also, check any files in /etc/sudoers.d/, they may be overriding things from /etc/sudoers
  • muru
    muru almost 10 years
    Indeed, so a combination of @Letizia's and your answers is the best, since the #includedir is the last entry in sudoers by default.
  • shimatai
    shimatai over 4 years
    The file's name should follow a convention of nn-somename, for example /etc/sudoers.d/20-myoverrides
  • Lety
    Lety over 4 years
    Yes, of course, if you have more than one file, these are parsed in sorted lexical order, so it is a good practice to use a number and it will be easy to know that order.