Sudoers NOPASSWD for single executable but allowing others
Solution 1
man 5 sudoers says ("Sudoers File Format" section):
When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
So you should have these lines exactly in this order:
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh
and any line that also matches (like e.g. %sudo ALL=(ALL:ALL) ALL) should be before the NOPASSWD line.
General note: #include and #includedir allow sudoers to include other files. Don't let # fool you, these are not comments. While searching for entries that may interfere, you shouldn't omit what #include and #includedir point to. Helpful option: sudo -l.
Solution 2
You will often find a line like this in /etc/sudoers:
# Allow members of group sudo to execute any command
%wheel ALL=(ALL:ALL) ALL
This will allow any user that is in the "wheel" group to make use of sudo with suitable proof of identity (e.g: their password). The nominated group may also be "sudo", "admin", or others... (e.g: line starts with %sudo)
If this is present in the file, then run id to see what groups you're in:
$ id
uid=1000(attie) gid=1000(attie) groups=1000(attie),27(sudo),117(docker)
If your user isn't in the appropriate group, then you must add your user to that group.
An alternative would be to list both of your rules one-by-one, with the last matching rule taking effect (i.e: order is important):
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh
See the ArchWiki page on sudo: https://wiki.archlinux.org/index.php/sudo#Example_entries
Comments
-
Yaroslav Mytkalyk over 1 year
Operating System: Arch Linux
Linux version: 4.16.11
Sudo version: 1.8.23
What I need:
- be able to execute any executable with sudo with a password prompt
- be able to execute one executable, /home/username/script.sh, without a password prompt.
When I configure like this
username ALL=(ALL) NOPASSWD: /home/username/script.sh
I have the desired effect on the script.sh, but I cannot execute any other executable with sudo.
Example
$ sudo ./script.sh # runs fine!
Attempt something other
$ sudo nano /etc/sudoers
[sudo] password for username:
Sorry, user username is not allowed to execute '/usr/bin/nano /etc/sudoers' as root on hostname.
Seems this is a result of replacing ALL with NOPASSWD, and seems I need both. If the sudoers file has ALL for the user, I can execute whatever I want with password prompt
username ALL=(ALL) ALL
I tried to combine ALL and NOPASSWD but had no results
username ALL=(ALL) ALL, NOPASSWD: /home/username/script.sh
Like this it asks for password for script.sh. Can I have both?
-
NieDzejkob almost 6 years
Please note that if the user has write permissions on the file, he can bypass the password check easily by editing it. The NOPASSWD options should be used for executables that can't be changed by the users, like, say ifconfig for a network admin.
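As an added example that is not part of any answer or comment above: a small POSIX shell script that applies the last-match rule quoted in Solution 1 to one user and one command, and lists NOPASSWD targets under that user's home directory, the writable-file bypass NieDzejkob's comment warns about. The sudoers texts inside it are constructed from the lines in this thread, and the parser is a deliberate simplification (one command per user spec line, no aliases, no #include/#includedir).

```shell
#!/bin/sh
# Added example, not code from the original post. Emulates sudo's "last match wins" rule
# for one user and one command, then flags NOPASSWD targets under the user's own home
# directory (the bypass NieDzejkob's comment describes). Assumptions: simplified sudoers
# syntax, one command per user spec line, no aliases, no #include/#includedir.
# Constructed sudoers texts: the order that silently loses NOPASSWD, and Solution 1's order.
SUDOERS_WRONG='username ALL=(ALL) NOPASSWD: /home/username/script.sh
username ALL=(ALL) ALL'
SUDOERS_RIGHT='%sudo ALL=(ALL:ALL) ALL
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh'
# sudo_mode USER "GROUPS" COMMAND   (sudoers text on stdin)
# Prints NOPASSWD, PASSWD or DENY: the tag of the LAST user spec that matches both the
# user (directly or via a %group) and the command (exact path or ALL).
sudo_mode() {
    user=$1 groups=$2 cmd=$3 mode=DENY
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac    # skip blank lines and comments
        who=${line%% *}                             # User_List field
        spec=${line#*=}; spec=${spec#*\)}; spec=${spec# }   # text after "host=(runas)"
        hit=0
        if [ "$who" = "$user" ]; then hit=1; fi
        for g in $groups; do if [ "$who" = "%$g" ]; then hit=1; fi; done
        if [ "$hit" -eq 0 ]; then continue; fi
        tag=PASSWD                                  # default when no tag is given
        case $spec in
            NOPASSWD:*) tag=NOPASSWD; spec=${spec#NOPASSWD:}; spec=${spec# } ;;
            PASSWD:*)   spec=${spec#PASSWD:}; spec=${spec# } ;;
        esac
        if [ "$spec" = ALL ] || [ "$spec" = "$cmd" ]; then mode=$tag; fi   # later match overrides
    done
    printf '%s\n' "$mode"
}
# risky_nopasswd USER   (sudoers text on stdin)
# Prints every NOPASSWD target under /home/USER/: the user can rewrite that file, so the
# exemption really covers any command they choose to put in it.
risky_nopasswd() {
    user=$1
    while IFS= read -r line; do
        case $line in "$user "*NOPASSWD:*) target=${line##*NOPASSWD: } ;; *) continue ;; esac
        case $target in "/home/$user/"*) printf '%s\n' "$target" ;; esac
    done
}
printf '%s\n' "$SUDOERS_WRONG" | sudo_mode username '' /home/username/script.sh     # PASSWD
printf '%s\n' "$SUDOERS_RIGHT" | sudo_mode username sudo /home/username/script.sh   # NOPASSWD
printf '%s\n' "$SUDOERS_RIGHT" | sudo_mode username sudo /usr/bin/nano              # PASSWD
printf '%s\n' "$SUDOERS_RIGHT" | risky_nopasswd username                            # /home/username/script.sh
```

Run it against a copy of a real sudoers file with `sudo_mode "$USER" "$(id -Gn)" /path/to/cmd < sudoers.copy` to see which entry actually wins for a given command; `sudo -l`, as Solution 1 notes, is the authoritative check.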
-
Yaroslav Mytkalyk almost 6 years
Thank you. Though you answered first, Kamil was the first to provide the answer that suits me better, thus accepted answer is Kamil's.