Sudoers NOPASSWD for single executable but allowing others


Solution 1

man 5 sudoers says ("Sudoers File Format" section):

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

So you should have these lines exactly in this order:

username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh

and any line that also matches (like e.g. %sudo ALL=(ALL:ALL) ALL) should be before the NOPASSWD line.

General note: #include and #includedir allow sudoers to include other files. Don't let # fool you, these are not comments. While searching for entries that may interfere, you shouldn't omit what #include and #includedir point to. Helpful option: sudo -l.

Solution 2

You will often find a line like this in /etc/sudoers:

# Allow members of group sudo to execute any command
%wheel   ALL=(ALL:ALL) ALL

This will allow any user that is in the "wheel" group to make use of sudo with suitable proof of identity (e.g. their password). The nominated group may also be "sudo", "admin", or others... (e.g. line starts with %sudo)

If this is present in the file, then run id to see what groups you're in:

$ id
uid=1000(attie) gid=1000(attie) groups=1000(attie),27(sudo),117(docker)

If your user isn't in the appropriate group, then you must add your user to that group.


An alternative would be to list both of your rules one-by-one, with the last matching rule taking effect (i.e. order is important):

username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh

See the ArchWiki page on sudo: https://wiki.archlinux.org/index.php/sudo#Example_entries
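As an added illustration of the ordering rule that both Solution 1 and Solution 2 rely on (entries are applied in file order and the last match wins, group lines included), here is a small Python model of that lookup. It is example code written for this page, not sudo's own parser: it handles only user and %group entries, the NOPASSWD:/PASSWD: tags and exact command paths, ignores the host and run-as fields, and records #include/#includedir targets so you remember to check them as Solution 1 advises. The sudoers text, user name and group list are constructed.

```python
"""Simplified model of sudoers 'last match wins' rule resolution (example, not sudo)."""
import re
from dataclasses import dataclass, field

# One rule line of the supported subset (constructed for this example):
#   who  host=(runas) [TAG:] cmd[, [TAG:] cmd ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmnds>.+)$"
)


@dataclass
class CmndSpec:
    lineno: int      # 1-based line in the sudoers text, for reporting
    who: str         # "username" or "%group"
    nopasswd: bool   # True if the NOPASSWD: tag was in effect for this command
    cmnd: str        # "ALL" or an absolute path


@dataclass
class Sudoers:
    specs: list = field(default_factory=list)
    includes: list = field(default_factory=list)  # #include / #includedir targets


def parse_sudoers(text: str) -> Sudoers:
    """Parse the supported subset, preserving file order (the order matters)."""
    result = Sudoers()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # '#include' and '#includedir' are directives, not comments.
        if line.startswith(("#include ", "#includedir ")):
            result.includes.append(line.split(None, 1)[1])
            continue
        if line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported syntax: {raw!r}")
        nopasswd = False  # a tag stays in effect for the rest of the command list
        for item in m.group("cmnds").split(","):
            item = item.strip()
            while True:
                tag, sep, rest = item.partition(":")
                if sep and tag.strip() in ("PASSWD", "NOPASSWD"):
                    nopasswd = tag.strip() == "NOPASSWD"
                    item = rest.strip()
                else:
                    break
            result.specs.append(CmndSpec(lineno, m.group("who"), nopasswd, item))
    return result


def lookup(sudoers: Sudoers, user: str, groups: list, command: str):
    """Return (allowed, nopasswd, lineno) taken from the LAST matching entry."""
    decision = None
    for spec in sudoers.specs:
        user_ok = spec.who == user or (spec.who.startswith("%") and spec.who[1:] in groups)
        cmnd_ok = spec.cmnd == "ALL" or spec.cmnd == command
        if user_ok and cmnd_ok:
            decision = spec  # keep scanning: a later match overrides this one
    if decision is None:
        return (False, False, None)
    return (True, decision.nopasswd, decision.lineno)


# Constructed sudoers text in the order Solution 1 recommends.
RECOMMENDED = """\
# constructed /etc/sudoers, not the page's file
Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh
#includedir /etc/sudoers.d
"""

# Same rules, but the group line comes AFTER the NOPASSWD line.
GROUP_LINE_LAST = """\
username ALL=(ALL) NOPASSWD: /home/username/script.sh
%sudo ALL=(ALL:ALL) ALL
"""

USER, GROUPS = "username", ["username", "sudo", "docker"]  # as 'id' would report them
SCRIPT, NANO = "/home/username/script.sh", "/usr/bin/nano"


def explain(text: str, command: str):
    """Parse text and resolve what happens when USER runs command via sudo."""
    return lookup(parse_sudoers(text), USER, GROUPS, command)


if __name__ == "__main__":
    for label, text in (("recommended", RECOMMENDED), ("group line last", GROUP_LINE_LAST)):
        for cmd in (SCRIPT, NANO):
            allowed, nopasswd, lineno = explain(text, cmd)
            print(f"{label:16} {cmd:26} allowed={allowed} nopasswd={nopasswd} line={lineno}")
    print("files still to inspect:", parse_sudoers(RECOMMENDED).includes)
```

With the recommended order, script.sh resolves to the NOPASSWD line and nano to the plain ALL line; with the group line last, the %sudo entry matches last for every command and the password prompt comes back for script.sh as well. The includes list is a reminder that the real lookup spans the included files too, which is why Solution 1 points at sudo -l.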

Yaroslav Mytkalyk
Updated on September 18, 2022

Comments

  • Yaroslav Mytkalyk
    Yaroslav Mytkalyk over 1 year

    Operating System: Arch Linux

    Linux version: 4.16.11

    Sudo version: 1.8.23

    What I need:

    • be able to execute any executable with a sudo with a password prompt
    • be able to execute one executable, /home/username/script.sh, without a password prompt.

    When I configure like this

    username ALL=(ALL) NOPASSWD: /home/username/script.sh
    

    I have the desired effect on the script.sh, but I cannot execute any other executable with sudo.

    Example

    $ sudo ./script.sh # runs fine!
    

    Attempt something other

    $ sudo nano /etc/sudoers
    [sudo] password for username: 
    Sorry, user username is not allowed to execute '/usr/bin/nano /etc/sudoers' as root on hostname.

    Seems this is a result of replacing ALL with NOPASSWD, and seems I need both. If the sudoers file has ALL for the user, I can execute whatever I want with password prompt

    username ALL=(ALL) ALL
    

    I tried to combine ALL and NOPASSWD but had no results

    username ALL=(ALL) ALL, NOPASSWD: /home/username/script.sh
    

    Like this it asks for password for script.sh.

    Can I have both?

    • NieDzejkob
      NieDzejkob almost 6 years
      Please note that if the user has write permissions on the file, he can bypass the password check easily by editing it. The NOPASSWD option should be used for executables that can't be changed by the users, like, say, ifconfig for a network admin.
  • Yaroslav Mytkalyk
    Yaroslav Mytkalyk almost 6 years
    Thank you. Though you answered first, Kamil was the first to provide the answer that suits me better, thus accepted answer is Kamil's.