proper configuration of visudo NOPASSWD for bash backup script

11,615

Solution 1

I was successful in using the following examples as you've described. Sample scripts:

top.bash:

$ cat /tmp/top.bash
#!/bin/bash

echo "running $0"
sudo -v
whoami
sudo /tmp/bott.bash

bott.bash:

$ more /tmp/bott.bash
#!/bin/bash

echo "running $0"
whoami

Now with the following modification to sudo:

## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       NOPASSWD:/tmp/top.bash

Now as user sam:

$ sudo /tmp/top.bash 
running /tmp/top.bash
root
running /tmp/bott.bash
root

What about running top.bash without sudo?

If I alter the /etc/sudoers file like so:

sam     ALL=(ALL)       NOPASSWD:/tmp/top.bash,/tmp/bott.bash

And then just run /tmp/top.bash as user sam:

$ /tmp/top.bash 
running /tmp/top.bash
sam
running /tmp/bott.bash
root

I get the above, which is what I would expect.

Solution 2

If you use Ubuntu, you should add your line at the end of /etc/sudoers, so that no other lines can override your entry.

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

If your entry goes before the %sudo entry, that entry will override yours, because in Ubuntu you are in the sudo group:

$ id
uid=1000(cuonglm) gid=1000(cuonglm) groups=1000(cuonglm),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare)

And you must allow both your wrapper script and the actual script (in your case, /usr/local/bin/backup and /opt/storeBackup/bin/storeBackup.pl).
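As an added illustration of the two points the answers above make, here is a small Python model of sudoers matching. This is not code from either answer or from the sudo project; it implements only what the answers rely on: the last matching entry wins, a user in the sudo group is matched by the %sudo line, and a wrapper run without sudo needs its own entry as well as one for the inner command. The sudoers fragments inside it are constructed to mirror the Ubuntu layout quoted in Solution 2 and the entry from Solution 1; the user names myuser and sam, the script paths, and the assumption that sudo does not prompt a root invoker under default Defaults come from the thread and from sudoers(5). On a real system the authoritative checks remain `visudo -c` and `sudo -l`.

```python
"""Simplified sudoers model (added example): last matching entry wins.
Not modelled: aliases, Defaults, wildcards, host lists other than ALL,
#include/#includedir.  Use `visudo -c` and `sudo -l` on a real system."""

# Tags sudoers(5) defines; visudo -c rejects any other spelling as a syntax error.
KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}


def parse_sudoers(text):
    """Parse 'who HOST=(runas) [TAG:]cmd, cmd ...' lines into rule dicts."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drops comments and #include* lines
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue                                  # Defaults and aliases are not modelled
        who, rest = line.split(None, 1)
        host, spec = (part.strip() for part in rest.split("=", 1))
        runas = "root"                                # sudoers default without a (runas) list
        if spec.startswith("("):
            runas_list, spec = spec[1:].split(")", 1)
            runas = runas_list.split(":")[0].strip()  # user part of (user:group)
            spec = spec.strip()
        nopasswd = False                              # a tag persists across the command list
        for cmd in spec.split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].isupper():
                tag, cmd = (part.strip() for part in cmd.split(":", 1))
                if tag not in KNOWN_TAGS:
                    raise ValueError(f"line {lineno}: unknown tag {tag!r}")
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            rules.append({"who": who, "host": host, "runas": runas,
                          "cmd": cmd, "nopasswd": nopasswd})
    return rules


def password_required(rules, user, groups, cmd, runas="root"):
    """None = no entry permits cmd (sudo refuses); True = permitted, password
    asked; False = permitted without a password."""
    verdict = None
    for r in rules:
        if r["who"].startswith("%"):
            if r["who"][1:] not in groups:
                continue
        elif r["who"] != user:
            continue
        if r["host"] != "ALL":                        # only the ALL host list is modelled
            continue
        if r["runas"] not in ("ALL", runas):
            continue
        if r["cmd"] not in ("ALL", cmd):
            continue
        verdict = not r["nopasswd"]                   # a later match overrides an earlier one
    if verdict and user == "root":
        return False  # assumption: default Defaults, so sudo does not authenticate root
    return verdict


# Constructed fragments mirroring the Ubuntu layout quoted in Solution 2.
BEFORE_SUDO_GROUP = """\
root    ALL=(ALL:ALL) ALL
myuser  ALL=(ALL) NOPASSWD:/usr/local/bin/backup, /opt/storeBackup/bin/storeBackup.pl
%sudo   ALL=(ALL:ALL) ALL
"""
AFTER_SUDO_GROUP = """\
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
myuser  ALL=(ALL) NOPASSWD:/usr/local/bin/backup, /opt/storeBackup/bin/storeBackup.pl
"""
# The first sudoers change from Solution 1: only the wrapper is listed.
TOP_ONLY = """\
root    ALL=(ALL)       ALL
sam     ALL=(ALL)       NOPASSWD:/tmp/top.bash
"""


def backup_flow(sudoers_text, user, groups):
    """The three sudo calls the asker's script makes: keep-alive, wrapper, inner program.
    `sudo -n true` resolves true via PATH; /usr/bin/true is assumed here."""
    rules = parse_sudoers(sudoers_text)
    return {
        "keepalive": password_required(rules, user, groups, "/usr/bin/true"),
        "backup": password_required(rules, user, groups, "/usr/local/bin/backup"),
        "inner": password_required(rules, user, groups, "/opt/storeBackup/bin/storeBackup.pl"),
    }


def solution1_demo():
    """Why 'sudo /tmp/top.bash' works with one entry while bott.bash alone does not."""
    rules = parse_sudoers(TOP_ONLY)
    return {
        "sam: top.bash": password_required(rules, "sam", ["sam"], "/tmp/top.bash"),
        "sam: bott.bash": password_required(rules, "sam", ["sam"], "/tmp/bott.bash"),
        "root: bott.bash": password_required(rules, "root", ["root"], "/tmp/bott.bash"),
    }


if __name__ == "__main__":
    print(backup_flow(BEFORE_SUDO_GROUP, "myuser", ["myuser", "sudo"]))
    print(backup_flow(AFTER_SUDO_GROUP, "myuser", ["myuser", "sudo"]))
    print(solution1_demo())
```

With the NOPASSWD line placed before %sudo, every call in the flow comes back as "password required", because the %sudo ALL entry matches last; moving it to the end flips the wrapper and the inner program to passwordless, while the `sudo -n true` keep-alive still needs a password because no entry lists true, which is jordanm's point in the comments. The Solution 1 scenario shows that bott.bash is refused for sam on its own, but runs without a prompt once top.bash is itself executing as root.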

Author: Jarek

Updated on September 18, 2022

Comments

  • Jarek
    Jarek over 1 year

    The abstract question is:

    If script x calls program y, do I need a NOPASSWD entry in /etc/sudoers for x, y or both x & y? (And can x then call sudo -v without a password?)

    Details:

    I'm trying to figure out what should go into the /etc/sudoers file to allow a user on Ubuntu (i.e., user ID 1000 who has sudo privileges) to execute a pre-configured full backup without entering a password.

    My backup script is: /usr/local/bin/backup
    (See below for script.)

    The actual backup program called by my script is /opt/storeBackup/bin/storeBackup.pl
    (See http://storebackup.org/)

    I tried several approaches with visudo but regardless of what I tried, I was still prompted for the password when running the script.

    I expected that adding a final line to /etc/sudoers (using visudo) like the following would work:

    myuser ALL=(ALL) NOPASSWORD:/usr/local/bin/backup
    

    That didn't work. Neither did this:

    myuser ALL=(ALL) NOPASSWORD:/usr/local/bin/backup, /opt/storeBackup/bin/storeBackup.pl
    

    Is the problem due to my script calling sudo -v near the beginning? Or is something else the problem?

    To execute the following script, I expect the user to open a terminal and type backup. I want it to be that simple and I don't want them to be prompted for a password at all.

    #!/bin/bash
    
    sudo -v
    # Keep-alive: update existing sudo time stamp if set, otherwise do nothing.
    while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &
    
    #do a bunch of stuff that could take a while...
    
    #finally, do backup without asking for password:
    sudo /opt/storeBackup/bin/storeBackup.pl -f backup.conf
    

    Thanks

    • jordanm
      jordanm about 10 years
      Have you tried removing everything except for the last line? You haven't given your user permission to run true with no password and those lines are completely unnecessary anyways.
  • Jarek
    Jarek about 10 years
    Thanks. This all works for me, except for sudo -v in top.bash (and the while loop in my original script). Maybe I can find a way around using those...
  • Jarek
    Jarek about 10 years
    I ran /tmp/top.bash without sudo and as my regular user; that's how my real script gets called. It worked. It even works if I add in the while true loop. But in my real script it does not work unless I remove sudo -v and the while true loop. However, I see no differences in the code at all. Very strange...
  • slm
    slm about 10 years
    @MountainX - see updates.
  • Jarek
    Jarek about 10 years
    Thanks. Yes, I had to do the same alteration of /etc/sudoers. So our results are the same for the test script. But my actual script chokes on sudo -v (as in top.bash) and I cannot find any differences in the code (or file permissions).
  • slm
    slm about 10 years
    @MountainX - is apparmor enabled? I'm wondering if it's interfering w/ the locations of scripts even though sudo is allowing it.
  • Jarek
    Jarek about 10 years
    I am not using apparmor.
  • slm
    slm about 10 years
    @MountainX - To try and dredge up more info I'd try running it like this: strace -s 2000 -o sudo.log /tmp/top.bash.