Adding NOPASSWD in /etc/sudoers doesn't work
Solution 1
It is the sequence/ordering of the rules that caused this. The last rule takes preference.
In order to fix your problem, simply move your lines,
fizzbuzz ALL=NOPASSWD: ALL
chadmin ALL=NOPASSWD: ALL
from the sudoers
file to
sudo visudo -f /etc/sudoers.d/myOverrides
This is better approach than editing the sudoers
file with a plain text editor. If you accidentally insert errors into the file, you may not longer be able to run sudo
. Always use visudo
, so that the syntax is checked and you receive warnings about mistakes!
Your directive doesn't work because it is overridden by:
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
If you run the groups
command you should see that your user belongs to these groups.
Solution 2
If myuser is in the sudo group, then this order of the lines won't provide passwordless access (as noted by Florian Diesch), because the 3rd line overrides the 1st one.
myuser ALL=(www-data:www-data) NOPASSWD: ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
So just put the lines into this order:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
myuser ALL=(www-data:www-data) NOPASSWD: ALL
Under myuser account use sudo -l
to check what permissions myuser has.
Solution 3
If multiple entries match for a user the last one is used. So if fizzbuzz
and chadmin
are members of the groups admin
or sudo
they will be still asked for a password.
Put the two lines at the end of the sudoers
file after the #includedir
line.
Solution 4
Ideally if you are customizing what commands can be run via sudo
you should be making these changes in a separate file under /etc/sudoers.d/
instead of editing the sudoers
file directly. You should also always use visudo
to edit the file(s). You should NEVER grant NOPASSWD
on ALL
commands.
Example:
sudo visudo -f /etc/sudoers.d/mynotriskycommand
Insert your line granting permission:
myuser ALL= NOPASSWD: /bin/mkdir
Then save and exit and visudo
will warn you if you have any syntax errors.
You can run sudo -l
to see the permissions that your user has been granted, if any of the user specific NOPASSWD
commands appear BEFORE any %groupyouarein ALL=(ALL) ALL
command in the output you will be prompted for your password.
If you find yourself creating lots of these sudoers.d files then perhaps you will want to create them named per user so they are easier to visualize. Keep in mind that the ordering of the FILE NAMES and of the RULES within the file is very important, the LAST one loaded wins, whether it is MORE or LESS permissive than the previous entries.
You can control the file name ordering by using a prefix of 00-99 or aa/bb/cc, though also keep in mind that if you have ANY files that don't have numeric prefix, they will load after the numbered files, overriding the settings. This is because depending on your language settings the "lexical sorting" the shell uses sorts numbers first and then may interleave upper and lowercase when sorting in "ascending" order.
Try running printf '%s\n' {{0..99},{A-Z},{a-z}} | sort
and printf '%s\n' {{0..99},{A-Z},{a-z}} | LANG=C sort
to see whether your current language prints AaBbCc
etc or ABC
then abc
to determine what the best "last" letter prefix to use would be.
Zac
Updated on September 18, 2022Comments
-
Zac over 1 year
On 14.04 here. I SSHed into my machine, added the following line to
/etc/sudoers
:myuser ALL=NOPASSWD: ALL
And then tried running:
sudo mkdir /etc/blah
...and I'm being asked for my password. Why?!?
I do not want to be asked for my password when doing this operation. Please note that when I run
ls -ltr /
I get:drwxr-xr-x 94 root root 4096 Jul 30 13:28 etc
But I don't think this matters because I've set myself up as a "sudoer", right?
More importantly, what do I need to do so that I can run
sudo mkdir /etc/blah
as my current user (myuser
) without being asked for the password?Here's my entire
/etc/sudoers
file:# # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL fizzbuzz ALL=NOPASSWD: ALL chadmin ALL=NOPASSWD: ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
-
Lety almost 10 yearsCould you post your sudoers file? The directive is right, but it could not work due to the context.
-
Zac almost 10 yearsThanks @Letizia - please see my update, anything jump out at you?
-
Zac almost 10 yearsI guess I should also note that I did not use
visudo
however any manual edits to this file were not copy-n-paste jobs, I typed everything in as-is. But doesvisudo
edit other files besides this one? That might be it... -
Anwar almost 8 yearsPossible duplicate of Why is sudoers NOPASSWD option not working?
-
tokland almost 5 yearsAlso, check any files in
/etc/sudoers.d/
, they may be overriding things from/etc/sudoers
-
-
muru almost 10 yearsIndeed, so a combination of @Letizia's and your answers is the best, since the
#includedir
is the last entry insudoers
by default. -
shimatai over 4 yearsThe file's name should follow a convention of
nn-somename
, for example/etc/sudoers.d/20-myoverrides
-
Lety over 4 yearsYes, of course, if you have more than one file, these are parsed in sorted lexical order, so it is a good practice to use a number and it will be easy to know that order.