Linux Tips: Password usage in sudo (PASSWD / NOPASSWD)
If you are using sudo you most certainly know that the default setup will require the user running sudo to enter a password (by default the password of the user running sudo).
I will show you in this post what options sudo offers related to passwords and how they can be used.
Defaults
If you have an entry in your sudoers file that contains something like this:
admin ALL=(ALL) ALL
then sudo will require you to enter a password when running a command with sudo. This is the user's own password (not the root password), in this case the password of the user “admin”.
targetpw
If for some reason you want to change this behavior, then you can use the sudo global flag targetpw. This is OFF by default, and if you set it as shown below then the password you will be asked for while running sudo will be the password of the target user (in our case the root password).
Defaults targetpw
Personally, I don’t see the use of this parameter and have never used it myself… But maybe someone else will find it useful.
NOPASSWD
If you don’t want to be prompted for any password while running sudo then we can use the NOPASSWD parameter on a particular entry:
admin ALL = NOPASSWD: ALL
This parameter is the opposite of the default PASSWD and will no longer require any password for the user “admin” while running sudo. This can be useful when running scripts that launch sudo (in this case I would recommend enabling NOPASSWD only for the needed commands), or just if you don’t want to keep typing the password. Obviously this convenience reduces the security of sudo: if someone compromises the “admin” account then this can easily be used to gain root privileges.
authenticate
Another sudo option that can be used to control the prompt for a password is the global flag authenticate. This is ON by default, meaning that sudo will ask the user to authenticate with a password. This can be overridden, as seen above, with NOPASSWD on a particular entry. If we want to disable it globally, this can be done with:
Defaults !authenticate
Once set, this will disable authentication for all users that use the defaults, like our “admin” sample from above. It can be overridden on a particular entry by setting the PASSWD parameter:
admin ALL=(ALL) PASSWD: ALL
Note: this post doesn’t recommend disabling password usage in sudo (this is not a good idea, by the way), but just shows you what options are available and how you can use them. Knowing the security implications of disabling password usage in sudo, use them wisely based on your particular needs.
18th June 2006, 15:28
Why sudo can’t run cat /dev/null > /var/log/httpd/access.log?
18th June 2006, 18:07
There is no reason for that to not work. Just be sure that you have defined properly the user running sudo to allow it to run the cat (/bin/cat) program. For example one user that will only be allowed to run cat would look like:
(in /etc/sudoers):
some_user ALL = NOPASSWD: /bin/cat
(or allow the user to run all commands with sudo:
some_user ALL = NOPASSWD: ALL)
and then run it at the particular user:
sudo cat …(whatever parameters you need).
19th June 2006, 09:20
Hi Marius, my setting is: “planetmy ALL=(ALL) ALL” but still no luck either apache is running or off.
19th June 2006, 09:41
What happens? Do you get an error? Try to paste the command you are launching and what is the result.
3rd July 2006, 19:26
I am _assuming_ you’re trying to run:
sudo cat /dev/null > /var/log/httpd/access.log
As far as I can see, this should Not Work. Cat may be run as root, but the redirect is run by the shell launching sudo. If this worked like above, the entire point of sudo would be gone. We do stuff like this by making a shell script with the redirect inside of it, then giving sudo access to that script.
If that worked like above, consider allowing someone to recycle a database server on a dev box. Then I could:
sudo /etc/init.d/oracle restart > /etc/shadow
And completely DOS the machine.
.02 given
5th July 2006, 20:21
Something like input redirection is possible with sudo using the tee(1) command, which is like cat, but logs stdin to a file before writing it to stdout.
For example, if /protected is a directory writable only by root, root can do this:
# echo “This is a new file” > /protected/newfile
and authorized sudoers can do this:
% echo “This is a new file” | tee /protected/newfile
The tee command can also append to a file. For example, where root can do this:
# echo “webmaster@example.com joe” >> /etc/mail/virtusertable
authorized sudoers can do this:
% echo “webmaster@example.com joe” | tee -a /etc/mail/virtusertable
This workaround provides replacements for the > and >> redirection operators. I don’t know a way to replace the | operator with a sudo-able command.
Hope this helps.
21st September 2006, 19:56
hi Marius,
I want only ONE command without password (but run with sudo) – all others with PASSWD
so trying like this:
user ALL=NOPASSWD: /bin/command
user ALL=(ALL) ALL
is not working
when I delete the last line then no command asks for a password – do I need too much?
21st September 2006, 20:40
Hi,
This should work just fine… Just be careful with the order of the command definitions:
- first define the catch-all rule, and after that the individual ones, like:
user ALL=(ALL) PASSWD: ALL
user ALL=NOPASSWD: /bin/ps
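As an added illustration (not code from the post, its comments, or sudo itself), here is a simplified Python model of the PASSWD/NOPASSWD/authenticate behaviour described in the post and of the rule-ordering point made in the reply above: the last matching rule decides the tag, so a catch-all rule placed after a NOPASSWD rule silently cancels it. The sample sudoers fragments are constructed for the demo; aliases, groups and command arguments are deliberately not modelled.

```python
import re

# Constructed sudoers fragments (not a real file) showing the ordering
# pitfall from the comments: with the catch-all rule LAST it wins, so the
# NOPASSWD line above it has no effect.
WRONG_ORDER = """
user ALL=NOPASSWD: /bin/command
user ALL=(ALL) ALL
"""
RIGHT_ORDER = """
user ALL=(ALL) PASSWD: ALL
user ALL=NOPASSWD: /bin/command
"""

# user  host = (runas) [TAG:] cmd, cmd ...   (aliases/groups not modelled)
RULE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def parse(text):
    """Split a sudoers fragment into its Defaults flags and user rules."""
    defaults, rules = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            defaults.update(line.split()[1:])   # e.g. {"!authenticate"}
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        user, host, _runas, tag, cmds = m.groups()
        rules.append((user, host, tag, [c.strip() for c in cmds.split(",")]))
    return defaults, rules

def password_required(text, user, command, host="ALL"):
    """True/False if `user` may run `command`, None if no rule permits it.
    The LAST matching rule decides the tag; an untagged rule follows the
    global 'authenticate' default (Defaults !authenticate turns it off)."""
    defaults, rules = parse(text)
    tag, matched = None, False
    for r_user, r_host, r_tag, r_cmds in rules:
        if r_user != user or r_host not in ("ALL", host):
            continue
        if "ALL" in r_cmds or command in r_cmds:
            tag, matched = r_tag, True
    if not matched:
        return None
    if tag is not None:                       # explicit tag overrides Defaults
        return tag == "PASSWD"
    return "!authenticate" not in defaults
```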
22nd September 2006, 19:28
that works fine now
undocumented ?
12th September 2007, 13:11
@Lang Zerner
The tee example as non-root should be:
echo “webmaster@example.com joe” | sudo tee -a /etc/mail/virtusertable
9th June 2009, 16:48
Sudoer: raj (ALL) NOPASSWD: ALL
file1=/etc/nodename
newhost=whatever
sudo echo $newhost > $file1
When I run my script, I always get /etc/nodename permission denied or cannot create.
How can I run this command as a non-root user?
Any help is appreciated.
Raj
13th October 2009, 09:15
I tried to disable su password by adding the commands in /etc/sudoers in Red Hat
user_name ALL=(ALL) NOPASSWD:ALL
user_name ALL = NOPASSWD: ALL
Both commands are not working. Can I know how to solve it?
13th October 2009, 09:19
@Allan this should work just fine:
user ALL = NOPASSWD: ALL
Be sure there is not one rule above this one that supersedes it (group based or one for the user), as the order of the rules is important. hth.
14th October 2009, 06:12
@Marius
I already included user ALL = NOPASSWD: ALL in /etc/sudoers but it is not working. I still need to key in the password when su – is used.
Note that I use gedit to open the sudoers list and save it before the system goes to reboot.
I am using RED HAT ENTERPRISE 5.1 64bit. Please don’t mind guiding me because I am a Linux newbie.
18th October 2009, 09:45
@Allan: the syntax is good. Please check the rules above that one and to see what might be overwriting it. Either paste the full content of the sudoers file here or better use the contact for me send that to me directly if that is private. I will try to help you out if I see that. hth.
19th October 2009, 09:24
@Marius
I really appreciate your efforts in solving my problem. Here I attach the full content of the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the ‘visudo’ command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren’t often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file – just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands…
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable “ssh hostname sudo “, because it will show the password in clear.
# You have to run “ssh -t hostname sudo “.
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = “COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY”
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the ‘sys’ group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
ftc ALL=NOPASSWD: ALL
19th October 2009, 09:36
@Marius
Eventually I am writing some shell script to support some RAID testing in my system. The script will require the system to login automatically in the normal user mode and then reboot again in one minute. Without the disable root password feature, the script cannot function well. I manage to run the script well in Ubuntu Server 9.04 but somehow I still feel headache to figure out the solution to disable the root password.
17th November 2009, 11:31
@Allen
You say you’re using “su -”. The sudoers file only works for the ‘sudo’ command. Sudo and su are two entirely different things.
19th July 2010, 00:27
Enabling sudo for cat may not be what you want. Imagine “cat mysudo-bin | cat > /usr/bin/sudo”. Now the user has the ability to run any program they want as root, because mysudo-bin is a replacement program they wrote for “sudo”.