Linux Tips: Password usage in sudo (PASSWD / NOPASSWD)
If you are using sudo you most certainly know that the default setup will require the user running sudo to enter a password (by default the password of the user running sudo).
I will show you in this post what options sudo offers related to passwords and how they can be used.
Defaults
If you have an entry in your sudoers file that contains something like this:
admin ALL=(ALL) ALL
then sudo will require you to enter a password when running a command with sudo. This is the user password (and not the root password), in this case the password of the user “admin”.
targetpw
If for some reason you want to change this behavior, you can use the global sudo flag targetpw. It is OFF by default; if you set it as shown below, the password you are asked for while running sudo will be the password of the target user (in our case the root password).
Defaults targetpw
Personally, I don’t see the use of this parameter and have never used it myself… But maybe someone else will find it useful.
NOPASSWD
If you don’t want to be prompted for any password while running sudo, you can use the NOPASSWD parameter on a particular entry:
admin ALL = NOPASSWD: ALL
This parameter is the opposite of the default PASSWD and means that no password will be required from the user “admin” while running sudo. This can be useful for scripts that launch sudo (in that case I would recommend enabling NOPASSWD only for the commands the script needs), or simply if you don’t want to keep typing the password. Obviously this convenience reduces the security of sudo: if the “admin” account is compromised, it can be used directly to gain root privileges.
authenticate
Another sudo option that controls the password prompt is the global flag authenticate. It is ON by default, which means sudo will ask the user to authenticate with a password. As seen above, this can be overridden with NOPASSWD on a particular entry. If you want to disable it globally, this can be done with:
Defaults !authenticate
Once set, this disables authentication for all users that rely on the defaults, like our “admin” example above. It can be overridden for a particular entry by setting the PASSWD parameter:
admin ALL=(ALL) PASSWD: ALL
Note: this post doesn’t recommend disabling password use in sudo (it is not a good idea, by the way); it only shows what options are available and how you can use them. Knowing the security implications of disabling password usage in sudo, use them wisely based on your particular needs.
18th June 2006, 15:28
Why sudo can’t run cat /dev/null > /var/log/httpd/access.log?
18th June 2006, 18:07
There is no reason for that not to work. Just be sure that you have properly defined the user running sudo to allow it to run the cat (/bin/cat) program. For example, one user that will only be allowed to run cat would look like:
(in /etc/sudoers):
some_user ALL = NOPASSWD: /bin/cat
(or allow the user to run all commands with sudo:
some_user ALL = NOPASSWD: ALL)
and then run it as the particular user:
sudo cat …(whatever parameters you need).
19th June 2006, 09:20
Hi Marius, my setting is: “planetmy ALL=(ALL) ALL” but still no luck, whether apache is running or off.
19th June 2006, 09:41
What happens? Do you get an error? Try to paste the command you are launching and what is the result.
3rd July 2006, 19:26
I am _assuming_ you’re trying to run:
sudo cat /dev/null > /var/log/httpd/access.log
As far as I can see, this should Not Work. Cat may be run as root, but the redirect is run by the shell launching sudo. If this worked like above, the entire point of sudo would be gone. We do stuff like this by making a shell script with the redirect inside of it, then giving sudo access to that script.
If that worked like above, consider allowing someone to recycle a database server on a dev box. Then I could:
sudo /etc/init.d/oracle restart > /etc/shadow
And completely DOS the machine.
.02 given
5th July 2006, 20:21
Something like input redirection is possible with sudo using the tee(1) command, which is like cat, but logs stdin to a file before writing it to stdout.
For example, if /protected is a directory writable only by root, root can do this:
# echo "This is a new file" > /protected/newfile
and authorized sudoers can do this:
% echo "This is a new file" | tee /protected/newfile
The tee command can also append to a file. For example, where root can do this:
# echo "webmaster@example.com joe" >> /etc/mail/virtusertable
authorized sudoers can do this:
% echo "webmaster@example.com joe" | tee -a /etc/mail/virtusertable
This workaround provides replacements for the > and >> redirection operators. I don’t know a way to replace the | operator with a sudo-able command.
Hope this helps.
21st September 2006, 19:56
hi Marius,
I want only ONE command without password (but run with sudo) – all others with PASSWD
so trying like this:
user ALL=NOPASSWD: /bin/command
user ALL=(ALL) ALL
is not working
when I delete the last line then no command is asking for a password – do I need too much?
21st September 2006, 20:40
Hi,
This should work just fine… Just be careful with the order of the command definitions:
- first define the catch-all rule, and after that the individual ones, like:
user ALL=(ALL) PASSWD: ALL
user ALL=NOPASSWD: /bin/ps
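The password decision described in the post (the PASSWD/NOPASSWD tags and the authenticate default) and the ordering point in the reply above, as a small Python model added here; it is not code from the original post or from sudo itself. It assumes a simplified sudoers grammar (plain usernames only, no aliases, %groups or wildcards) and implements sudo's last-matching-rule-wins behaviour, which is exactly why the order of those two lines matters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Matches the user-specification forms used on this page, e.g.
#   admin ALL=(ALL) ALL   admin ALL = NOPASSWD: ALL   ftc ALL=NOPASSWD: /bin/ps
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NO)?PASSWD:)?\s*(?P<cmds>.+)$"
)

@dataclass
class Rule:
    user: str
    host: str
    tag: Optional[str]   # "PASSWD", "NOPASSWD", or None = inherit the Defaults
    cmds: List[str]

def parse_sudoers(text: str):
    """Return (authenticate_default, rules). Simplified model: only
    'Defaults [!]authenticate' and plain user rules; no aliases or %groups."""
    text = re.sub(r"\\\n\s*", " ", text)     # join backslash-continued lines
    authenticate = True                      # sudo's default: prompt for a password
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (and #includedir)
        if not line:
            continue
        if line.startswith("Defaults"):
            opts = line[len("Defaults"):].replace(",", " ").split()
            if "!authenticate" in opts:
                authenticate = False
            elif "authenticate" in opts:
                authenticate = True
            continue                         # other Defaults don't affect this
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        tag = m.group("tag")
        rules.append(Rule(m.group("user"), m.group("host"),
                          tag.rstrip(":") if tag else None,
                          [c.strip() for c in m.group("cmds").split(",")]))
    return authenticate, rules

def password_required(text: str, user: str, command: str, host: str = "ALL"):
    """True = prompt, False = NOPASSWD applies, None = no matching rule (refused)."""
    authenticate, rules = parse_sudoers(text)
    verdict = None
    for r in rules:                          # the LAST matching rule wins
        if r.user != user or r.host not in ("ALL", host):
            continue
        if "ALL" in r.cmds or command in r.cmds:
            verdict = {"NOPASSWD": False, "PASSWD": True}.get(r.tag, authenticate)
    return verdict

def audit_nopasswd(text: str) -> List[str]:
    """List 'user: cmds' for every rule that grants root without a password."""
    authenticate, rules = parse_sudoers(text)
    return [f"{r.user}: {', '.join(r.cmds)}" for r in rules
            if r.tag == "NOPASSWD" or (r.tag is None and not authenticate)]
```

Running audit_nopasswd over a real sudoers file (after joining it with its /etc/sudoers.d fragments) is a quick way to spot every NOPASSWD grant, including the ones a global `Defaults !authenticate` creates implicitly.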
22nd September 2006, 19:28
that works fine now
undocumented?
12th September 2007, 13:11
@Lang Zerner
The tee example as non-root should be:
echo "webmaster@example.com joe" | sudo tee -a /etc/mail/virtusertable
9th June 2009, 16:48
Sudoer: raj (ALL) NOPASSWD: ALL
file1=/etc/nodename
newhost=whatever
sudo echo $newhost > $file1
When I run my script, I always get /etc/nodename permission denied or cannot create.
How can I run this command as a non-root user.
Any help is appreciated.
Raj
13th October 2009, 09:15
I tried to disable su password by adding the commands in /etc/sudoers in Red Hat
user_name ALL=(ALL) NOPASSWD:ALL
user_name ALL = NOPASSWD: ALL
Both commands are not working. Can I know how to solve it?
13th October 2009, 09:19
@Allan this should work just fine:
user ALL = NOPASSWD: ALL
Be sure there is not one rule above this one that supersedes it (group based or one for the user), as the order of the rules is important. hth.
14th October 2009, 06:12
@Marius
I already included user ALL = NOPASSWD: ALL in /etc/sudoers but it is not working. I still need to key in the password when su – is used.
Note that I use gedit to open the sudoers list and save it before the system goes to reboot.
I am using RED HAT ENTERPRISE 5.1 64bit. Please don’t mind to guide me because I am a Linux newbie.
18th October 2009, 09:45
@Allan: the syntax is good. Please check the rules above that one to see what might be overwriting it. Either paste the full content of the sudoers file here or, better, use the contact form to send that to me directly if it is private. I will try to help you out if I see that. hth.
19th October 2009, 09:24
@Marius
I really appreciate your efforts in solving my problem. Here I attach the full content of the sudoers file:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the ‘visudo’ command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren’t often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file – just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands…
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable “ssh hostname sudo “, because it will show the password in clear.
# You have to run “ssh -t hostname sudo “.
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the ‘sys’ group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
ftc ALL=NOPASSWD: ALL
19th October 2009, 09:36
@Marius
Eventually I am writing some shell script to support some RAID testing in my system. The script will require the system to login automatically in the normal user mode and then reboot again in one minute. Without the disable root password feature, the script cannot function well. I manage to run the script well in Ubuntu Server 9.04 but somehow I still feel headache to figure out the solution to disable the root password.
1st November 2009, 16:21
17th November 2009, 11:31
@Allen
You say you’re using “su -”. The sudoers file only works for the ‘sudo’ command. Sudo and su are two entirely different things.
19th July 2010, 00:27
Enabling sudo for cat may not be what you want. Imagine “cat mysudo-bin | cat > /usr/bin/sudo”. Now the user has the ability to run any program they want as root, because mysudo-bin is a replacement program they wrote for “sudo”.
6th October 2010, 13:07
If you are trying to do this for a shell script, remember to include the commands that are essential for that script to work. For example, I have a script that would run sudo gdb. It’s not so much the shell script I need to put into sudoers but gdb.
8th April 2011, 08:58
When I try to mount using sudo mkdir /mnt/pendrive
Then it asks for a password and I don’t know the password, please help! F1
8th April 2011, 09:13
@Roy: when sudo asks for a password this is normally your own user password.
9th April 2011, 02:59
@marius : that’s not the problem.. the problem is that I have forgotten my password, now how to recover it f1..
11th May 2011, 21:41
Hello.
I want to allow a *single* bash script to run with root permissions (without me typing the password).
The script is located in /home/john/Documents/
My sudoers file is:
# This file MUST be edited with the ‘visudo’ command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL = (ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
How do I change my sudoers file to accomplish this?
Thank you
12th May 2011, 11:05
@John, add something like this in your sudoers file:
user ALL = NOPASSWD: /home/john/Documents/mybashscript.sh
12th May 2011, 11:53
Hello Marius.
I tried it like this:
# See the man page for details on how to write a sudoers file.
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL = (ALL:ALL) ALL
john ALL = NOPASSWD: /home/john/Documents/johnscript.sh
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
It didn’t work
I’m using Ubuntu 11.04
12th May 2011, 11:57
@John: what happens? It should work fine. I use this all the time in a similar way (mostly for limiting users, but also for nagios commands or similar).
12th May 2011, 12:19
Hello Marius.
I have inserted:
john ALL = NOPASSWD: /home/john/Documents/johnscript.sh
but it still asks for john’s password.
I remember setting this also -correctly- (in the past).
But now I just can’t do it.
It’s weird!
Do I need to add user “john” to “sudo” group or something?
12th May 2011, 12:23
@John, do you have john in any of the groups from above (admin, sudo)? If so add this line below the group ones.
12th May 2011, 12:33
How?
Like this?
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
#agostinho ALL = NOPASSWD: /home/agostinho/Documents/Burnintest.sh
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
agostinho ALL = NOPASSWD: /home/agostinho/Documents/Burnintest.sh
#includedir /etc/sudoers.d
12th May 2011, 12:34
Yes, something like that.
12th May 2011, 12:35
I’m using a different account name now Marius.
So instead of john it’s agostinho.
But the problem remains
12th May 2011, 12:37
Yeah, that should work. Can’t tell why it is not working for you. Try to test with a simple command instead of the bash script, like /usr/bin/id, and see if that works.
12th May 2011, 13:32
Hello Marius,
Finally it’s working with the following sudoers file:
You were right!
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
agostinho ALL = NOPASSWD: /home/agostinho/Documents/Burnintest.sh
#includedir /etc/sudoers.d
I don’t have to type the password if I call the script like this:
sudo ./Documents/Burnintest.sh
But if I call the script like this:
./Documents/Burnintest.sh
It still asks me for a password.
How can I bypass that?
Because I want to double-click the script’s name and that’s it.
I don’t want to type any password.
How can I do that?
Thank you Marius
12th May 2011, 13:34
The sudo prefix is preventing me from a simple double-click action.
12th May 2011, 21:52
@John: I don’t understand. This is how you run all the sudo commands, by adding the sudo prefix. This is how sudo works. Now the only way you can achieve that is to run sudo inside your script at the particular step that needs super user rights. hth.
13th May 2011, 09:19
Hello Marius.
My script is something like:
#!/bin/bash
#bla bla bla (this is a section where i put some normal commands like ‘grep’ and stuff to determine if the PC is capable of running the BurnInTest program)
var1="BurnInProg"
sudo $var1
exit 0
OK. That’s my script.
If I go into a terminal and type in:
sudo ./Documents/Burnintest.sh
Everything works OK and no password is required.
But if I go into a terminal and type in:
./Documents/Burnintest.sh
the terminal still asks me for a password, although as you can see in my script the sudo command is already there.
And that’s the part I don’t understand.
Because I’m basically using 2 sudo commands for the script to work with no password!
13th May 2011, 10:17
@John: ok, you need to add in your sudoers file the exact command you run with sudo (in your above example: BurnInProg). I would suggest adding it with the full path and including it exactly the same way in your script. This should fix your problem.
13th May 2011, 11:39
Hello Marius
It worked perfectly!!! uff…
Thank you for your incredible help and patience.
13th May 2011, 11:50
@John: you are welcome, happy I was able to help.
12th August 2011, 07:10
Hi to All,
How to use sudo without entering password,…I saw all posts but in my sudoers file, I don’t have this ” # Allow members of group sudo to execute any command”
Please any help me.
12th August 2011, 07:13
# Defaults specification
#
# Disable “ssh hostname sudo “, because it will show the password in clear.
# You have to run “ssh -t hostname sudo “.
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
manohar ALL=(ALL) ALL
## Allows members of the ‘sys’ group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
This is my sudoers file…
12th August 2011, 07:35
@Manohar you should have something like this in your sudoers:
manohar ALL = NOPASSWD: ALL
instead of:
manohar ALL=(ALL) ALL
16th August 2011, 03:18
Hello Marius..
It is working…
Thank you so much….!!!