Linux Tips: Password usage in sudo (PASSWD / NOPASSWD)
If you use sudo you most certainly know that the default setup requires the user running sudo to enter a password (by default their own password, not the root password).
In this post I will show what options sudo offers related to passwords and how they can be used.
Defaults
If you have an entry in your sudoers file that contains something like this:
admin ALL=(ALL) ALL
then sudo will require you to enter a password when running a command with sudo. This is the user's own password (not the root password), in this case the password of the user “admin”. Once entered, sudo remembers the authentication for a limited time (controlled by the timestamp_timeout setting), so consecutive commands do not prompt again.
targetpw
If for some reason you want to change this behavior, you can use the global flag targetpw. It is OFF by default; if you set it as shown below, the password you are asked for while running sudo will be the password of the target user (root by default, or whatever user you pass to -u). Two related flags behave similarly: rootpw always asks for the root password, and runaspw asks for the password of the user defined by runas_default.
Defaults targetpw
Personally, I have never used this parameter and don't see much use for it: with targetpw every sudo user has to know the root password, which is one of the things sudo is usually deployed to avoid. But maybe someone else will find it useful.
NOPASSWD
If you don't want to be prompted for any password while running sudo, you can use the NOPASSWD tag on a particular entry:
admin ALL = NOPASSWD: ALL
This tag is the opposite of the default PASSWD and means the user “admin” is no longer asked for a password when running sudo. It is useful for scripts or cron jobs that call sudo (in that case enable NOPASSWD only for the specific commands they need, with full paths), or simply to avoid retyping the password. The convenience costs security: anyone who compromises the “admin” account, or any process running as it, gets root without needing a second secret. Be equally careful with “specific” commands that can spawn a shell or write arbitrary files (editors, pagers, tee, cp, shells): a NOPASSWD entry for one of those is effectively NOPASSWD: ALL.
authenticate
Another sudo option that controls the password prompt is the global flag authenticate. It is ON by default, meaning sudo asks the user to authenticate with a password; as seen above, it can be overridden with NOPASSWD on a particular entry. To disable it globally:
Defaults !authenticate
Once set, this disables authentication for all users that rely on the defaults, like our “admin” example above. It can be overridden for a particular entry by setting the PASSWD tag:
admin ALL=(ALL) PASSWD: ALL
Note: this post does not recommend disabling password usage in sudo (it is not a good idea, by the way); it only shows which options are available and how to use them. Knowing the security implications of disabling passwords in sudo, use them wisely based on your particular needs.
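Putting the options above together, here is a complete sudoers fragment as an added example (it is not from the original post). The user names admin and deploy and the apachectl paths are assumptions for illustration. It keeps authentication on globally and limits NOPASSWD to exact commands with full paths and fixed arguments:

```sudoers
# Added example, not from the original post. Edit with visudo only.
#
# Global flags. "authenticate" is left at its default (on). The two lines
# below are the options discussed above, shown commented out for reference:
# targetpw makes sudo ask for the *target* user's (root's) password,
# !authenticate turns password prompts off for everyone (not recommended).
#Defaults targetpw
#Defaults !authenticate

# admin may run any command as any user, but must enter his own password.
# PASSWD is the default tag; it is written out here to make the intent clear.
admin   ALL = (ALL) PASSWD: ALL

# deploy is an account used by a script/cron job, which cannot type a password.
# Instead of "NOPASSWD: ALL", list exactly what the script needs: full paths,
# fixed arguments (assumed paths; adjust to your system). Nothing else is
# granted, so a compromise of this account yields only these two commands.
deploy  ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful, \
                               /usr/sbin/apachectl configtest
```

Verify the result with `sudo -l` as each user before relying on it: admin should be listed with the catch-all, deploy only with the two apachectl commands, and `sudo /bin/sh` as deploy must be refused. Because the arguments are part of the rule, `sudo apachectl stop` does not match either entry and is refused as well.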
18th June 2006, 15:28
Why can't sudo run cat /dev/null > /var/log/httpd/access.log?
18th June 2006, 18:07
There is no reason for that not to work. Just be sure that you have properly defined the user running sudo so that it is allowed to run the cat (/bin/cat) program. For example, one user that will only be allowed to run cat would look like:
(in /etc/sudoers):
some_user ALL = NOPASSWD: /bin/cat
(or allow the user to run all commands with sudo:
some_user ALL = NOPASSWD: ALL)
and then run it as the particular user:
sudo cat …(whatever parameters you need).
19th June 2006, 09:20
Hi Marius, my setting is: “planetmy ALL=(ALL) ALL” but still no luck, whether apache is running or not.
19th June 2006, 09:41
What happens? Do you get an error? Try to paste the command you are launching and what is the result.
3rd July 2006, 19:26
I am _assuming_ you're trying to run:
sudo cat /dev/null > /var/log/httpd/access.log
As far as I can see, this should Not Work. cat may be run as root, but the redirect is run by the shell launching sudo. If this worked as above, the entire point of sudo would be gone. We do stuff like this by making a shell script with the redirect inside it, then giving sudo access to that script.
If that worked as above, consider allowing someone to recycle a database server on a dev box. Then I could:
sudo /etc/init.d/oracle restart > /etc/shadow
And completely DoS the machine.
.02 given
5th July 2006, 20:21
Something like input redirection is possible with sudo using the tee(1) command, which is like cat, but logs stdin to a file before writing it to stdout.
For example, if /protected is a directory writable only by root, root can do this:
# echo "This is a new file" > /protected/newfile
and authorized sudoers can do this:
% echo "This is a new file" | tee /protected/newfile
The tee command can also append to a file. For example, where root can do this:
# echo "webmaster@example.com joe" >> /etc/mail/virtusertable
authorized sudoers can do this:
% echo "webmaster@example.com joe" | tee -a /etc/mail/virtusertable
This workaround provides replacements for the > and >> redirection operators. I don’t know a way to replace the | operator with a sudo-able command.
Hope this helps.
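To give the thread's truncation case a concrete sudoers rule: the added example below (not from the original post or any commenter) grants tee only for the single log file, so the user can empty or append to that file through sudo without being able to write any other file as root. The log path is the one from the question; the user name some_user is taken from the first reply, and the wrapper script path /usr/local/sbin/truncate-access-log is a hypothetical alternative for the approach described in the comment above:

```sudoers
# Added example, not from the original thread. Edit with visudo only.
#
# Arguments in a Cmnd must match exactly what the user types, so each of
# these entries allows tee for this one file only. "NOPASSWD: /usr/bin/tee"
# with no arguments would let the user write any file as root, including
# /etc/shadow. Avoid wildcards in the argument: "*" in sudoers matches
# across spaces and directory separators, which defeats the restriction.
some_user ALL = (root) NOPASSWD: /usr/bin/tee /var/log/httpd/access.log, \
                                 /usr/bin/tee -a /var/log/httpd/access.log

# Alternative from the earlier comment: a root-owned wrapper script that
# contains the redirect. It must not be writable by some_user, otherwise
# the script itself becomes the privilege escalation. (Hypothetical path.)
#some_user ALL = (root) NOPASSWD: /usr/local/sbin/truncate-access-log
```

With this rule in place the log is emptied with `: | sudo tee /var/log/httpd/access.log` (or `sudo tee /var/log/httpd/access.log < /dev/null`, since the stdin redirect only needs read access to /dev/null) and appended with `echo line | sudo tee -a /var/log/httpd/access.log`. `sudo tee /etc/shadow` is refused because the argument does not match. tee also copies its input to stdout, so add `> /dev/null` at the end of the pipeline if that echo is unwanted.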
21st September 2006, 19:56
hi Marius,
I want only ONE command without password (but run with sudo) - all others with PASSWD
so trying like this:
user ALL=NOPASSWD: /bin/command
user ALL=(ALL) ALL
is not working
When I delete the last line then no command asks for a password - am I asking too much?
21st September 2006, 20:40
Hi,
This should work just fine… Just be careful about the order of the command definitions:
- first define the catch-all rule, and after that the individual ones, like:
user ALL=(ALL) PASSWD: ALL
user ALL=NOPASSWD: /bin/ps
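The ordering rule from the reply above, written out as an added example (not the commenter's own file) with /bin/ps as the exempted command. sudoers(5) documents that when several entries match, the last match is used, so a catch-all placed after the NOPASSWD entry silently re-enables the password prompt for that command:

```sudoers
# Added example, not from the original thread.
#
# WRONG ORDER: both lines match "sudo /bin/ps". The catch-all comes last,
# so it wins and its (default) PASSWD tag applies: the user is prompted.
#user ALL = (ALL) NOPASSWD: /bin/ps
#user ALL = (ALL) ALL

# RIGHT ORDER: the catch-all first, the exception after it. For /bin/ps the
# last matching entry is the NOPASSWD one; everything else still needs a password.
user ALL = (ALL) PASSWD: ALL
user ALL = (ALL) NOPASSWD: /bin/ps

# Equivalent single entry: a tag applies to the commands that follow it in the
# list until another tag changes it, and ordering within the list counts too.
#user ALL = (ALL) PASSWD: ALL, NOPASSWD: /bin/ps
```

The effect is easy to check without editing anything else: run `sudo -k` to drop the cached authentication, then `sudo /bin/ps` (no prompt) followed by `sudo /bin/ls` (prompt). The same last-match rule applies to runas specs and other tags, so keep catch-all lines at the top and exceptions below them as a general habit.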
22nd September 2006, 19:28
that works fine now
undocumented?
12th September 2007, 13:11
@Lang Zerner
The tee example as non-root should be:
echo "webmaster@example.com joe" | sudo tee -a /etc/mail/virtusertable