Home Linux Security How To Run Sudo Commands Without Password In Linux

How To Run Sudo Commands Without Password In Linux

A Step-by-Step Guide to Configure Passwordless Sudo Access to Specific Commands in Linux.

By sk
Published: Last Updated on 51.8K views

In Linux, you can allow specific commands to be executed without entering the sudo password by configuring the sudoers file appropriately. The sudoers file determines which users can run certain commands with administrative privileges (using sudo) and whether they need to provide a password for those commands. To achieve running particular sudo commands without a password, follow the steps described in this tutorial.

Introduction

One of my clients uses a script on an Ubuntu system. The main purpose of the script is to check the status of a specific service at regular intervals (precisely every one minute) and automatically restart it if it's not running.

However, starting the service requires sudo privileges, which normally prompts for a password. The client wants to avoid entering the password every time the script runs. He wants to run the service with sudo but without the need for a password. This way, the script can run smoothly without any manual intervention.

If you've ever been in a similar situation, you can configure password-less sudo access to specific commands and run those particular commands without sudo password in Linux and Unix-like operating systems.

If you still don't understand, have a look at the following example.

$ sudo mkdir /ostechnix
[sudo] password for sk:
Run a command with sudo rights
Run a command with sudo rights

As you can see in the above screenshot, I have to provide sudo password when creating a directory named ostechnix in root (/) folder. Whenever we try to execute a command with sudo privileges, we must enter the password. However, I don't want to provide the sudo password every time. This is what we going to solve in the this guide.

Before we delve into the topic of running a sudo command without a password in Linux, it's important to first discuss the benefits of setting up password-less sudo authentication for sudo commands and the security risks associated with it.

Advantages of Configuring Password-less Sudo Access

Allowing specific commands to be executed without entering the sudo password can be a matter of convenience and automation for certain use cases. However, it comes with potential security risks and should be done judiciously. Here are some reasons why someone might choose to configure sudo to skip password prompts for certain commands:

  1. Script Automation: In some cases, users may have scripts or automated processes that need to run certain commands with administrative privileges. By allowing these specific commands without a password, the automation process becomes smoother and doesn't require manual intervention.
  2. Frequent Administrative Tasks: For power users or system administrators who frequently perform specific administrative tasks that require sudo, bypassing the password prompt for these well-known, safe commands can save time and reduce frustration.
  3. Single-User Systems: On single-user systems where the user is the sole administrator, some users prefer to avoid entering their password repeatedly for administrative tasks. However, it's essential to recognize that even on single-user systems, malware or unauthorized users could still potentially abuse this configuration if they gain access to the user's account.
  4. Limited Privileges: In certain scenarios, you might want to give a user limited administrative privileges for specific commands without granting full unrestricted sudo access. This can be useful to delegate specific tasks to different users.

Security Concerns

While these reasons might be valid in specific circumstances, there are some notable security concerns:

  1. Security Risk: Allowing passwordless execution of privileged commands can lead to security vulnerabilities. If an attacker gains access to the user's account, they could execute these commands with administrative privileges without needing to know the account's password.
  2. Misconfiguration: Incorrectly setting up passwordless sudo access can create security holes or even lock you out of your system if you make a mistake in the sudoers file.
  3. Command Hijacking: If an attacker can modify a script or binary that the user can execute with sudo, they effectively gain root access without a password prompt.
  4. Account Compromise: On multi-user systems, if one user's account is compromised, the attacker can abuse passwordless sudo to escalate privileges.

Due to these security risks, it's essential to carefully consider whether the convenience outweighs the potential dangers. If you decide to enable passwordless sudo for specific commands, ensure you limit the commands to only those necessary and maintain a secure system configuration. Always practice the principle of least privilege and regularly review the sudoers file to avoid unnecessary exposure.

Disclaimer: This information is intended solely for educational purposes and requires extreme caution when implementing. The method can be both beneficial and harmful. For instance, if users are granted permission to execute the 'rm' command without a sudo password, they may inadvertently or deliberately delete important files. The commands provided below are purely for demonstration purposes, and it is crucial not to execute them on a production system under any circumstances. If you are unsure about the implications or consequences, it is highly advised to carry out this exercise in a virtual machine and use it as an opportunity to understand the underlying concept. You have been warned.

Run Particular Sudo Commands without Sudo Password

To run particular commands without sudo password in Linux, you can use the NOPASSWD directive in the /etc/sudoers file. This directive allows you to specify a list of commands that can be run without requiring a password.

For example, to allow the user user1 to run specific commands without a password, you would add the following line to the /etc/sudoers file:

user1 ALL=(root) NOPASSWD: /path/to/command1, /path/tocommand2

Here are some additional things to keep in mind:

  • The NOPASSWD directive only applies to the specific commands that you list. If you try to run a command that is not listed, you will still be prompted for a password.
  • The NOPASSWD directive can be used to allow users to run commands as root. This should only be done if you are confident that the users will not misuse this privilege.

Let us see an example.

I wish to allow the user named "sk" to execute the "mkdir" command without needing to enter the sudo password.

As I already said, In order to allow a user to run a certain command without the sudo password, you need to add that particular command in the sudoers file.

Edit sudoers file using:

$ sudo visudo

Add the following line at the end of file.

sk ALL=NOPASSWD:/bin/mkdir
Edit sudoers file
Edit sudoers file

Here, sk is the username. As per the above line, the user sk can run 'mkdir' command from any terminal, without sudo password. Replace the username and the command path with our own.

You can add additional commands (for example usermod) with comma-separated values as shown below.

sk ALL=NOPASSWD:/bin/mkdir,/bin/usermod

Save and close the file.

To ensure there are no syntax errors in the sudoers file, run the following command:

$ sudo visudo -c

If everything is fine, it should display a message like "sudoers file parsed OK".

/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/zfs: parsed OK

Log out (or reboot) your system. Now, log in as normal user 'sk' and try to run those commands with sudo and see what happens.

$ sudo mkdir /dir1
Run a command without sudo password in Linux
Run a command without sudo password in Linux

See? Even though I ran 'mkdir' command with sudo privileges, there was no password prompt. From now on, the user sk don't have to enter the sudo password while running 'mkdir' command.

When running all other commands except those commands added in sudoers files, you will be prompted to enter the sudo password.

Let us verify it by running another command with sudo.

$ sudo apt update
Run apt update command
Run apt update command

See? This command prompts me to enter the sudo password.

If you don't want to be prompted the sudo password when running the apt command, edit sudoers file:

$ sudo visudo

Add the 'apt' command in visudo file like below:

sk ALL=NOPASSWD: /bin/mkdir,/usr/bin/apt

Did you notice that the apt binary executable file path is different from mkdir? Yes, you must provide the correct executable file path.

To find executable file path of any command, for example 'apt', you can use either 'which' or 'whereis' commands.

$ which apt
/usr/bin/apt
$ whereis apt
apt: /usr/bin/apt /usr/lib/apt /etc/apt /usr/share/man/man8/apt.8.gz

As you can see, the executable file for apt command is /usr/bin/apt, hence I added the exact path in the sudoers file.

Like I already mentioned, you can add any number of commands with comma-separated values. Save and close your sudoers file once you're done. Log out and log back in to your system.

Now, check if you can be able to run the command without using the sudo password:

$ sudo apt update
Run apt update command without sudo password
Run apt update command without sudo password

See? The apt command didn't prompt me the sudo password even though I executed it with sudo.

Here is yet another example. If you want to run a specific service, for example apache2, add the following line in the sudoers file.

sk ALL=NOPASSWD:/bin/mkdir,/usr/bin/apt,/bin systemctl restart apache2

Replace the username with your own. Now, the user can run 'sudo systemctl restart apache2' command without sudo password.

Execute Certain Sudo Commands with or without Entering Sudo Password

In the sudoers file, you can use both the PASSWD and NOPASSWD directives to allow a specific user to execute certain commands with or without entering a password.

To achieve this, you need to create separate entries for each command with different settings. Here's an example of how to do it:

Let's assume you want to allow the user "user2" to run two commands (command1 and command2) with a password prompt and one command (command3) without a password prompt.

Open the sudoers file in edit mode using visudo:

$ sudo visudo

Add the following lines to the sudoers file:

# Command1 and Command2 require password prompt
user2    ALL=(ALL) PASSWD: /path/to/command1
user2    ALL=(ALL) PASSWD: /path/to/command2

# Command3 does not require password prompt
user2    ALL=(ALL) NOPASSWD: /path/to/command3

Replace /path/to/command1, /path/to/command2, and /path/to/command3 with the actual paths to the respective commands you want to allow. Also replace the usernames with your own.

Save and close the sudoers file.

With these entries in the sudoers file, the user "user2" will be prompted to enter their password when executing command1 or command2, but they won't be asked for a password when running command3.

You can also use both the PASSWD and NOPASSWD directives in a single line of the sudoers file. This is achieved by specifying the settings for different commands within the same line. However, it's essential to be careful with the syntax to ensure it is correct.

Here's an example of how you can use both directives in a single line:

user2    ALL=(ALL) PASSWD: /path/to/command1, PASSWD: /path/to/command2, NOPASSWD: /path/to/command3

In this example:

  • command1 and command2 will require the user "user2" to enter their password when executing them.
  • command3 will not prompt for a password when executed by "user2."

Again, when editing the sudoers file, use visudo to prevent syntax errors and avoid compromising your system's security. Always double-check the configuration, and use this approach judiciously for commands that truly require these specific settings.

Look at the following example.

Add/modify the following line in the sudoers file.

sk ALL=NOPASSWD:/bin/mkdir,/bin/usermod, PASSWD:/usr/bin/apt

In this case, the user sk can run 'mkdir' and 'usermod' commands without entering the sudo password. However, he must provide sudo password when running 'apt' command.

Disable Password-less Sudo Access

To re-enable the sudo password prompt for specific commands, you need to remove or comment out the corresponding lines in the sudoers file. This will restore the default behavior, prompting the user for their password when executing the specified commands with sudo. Here's how you can do it:

1. Open the sudoers file in edit mode using visudo:

$ sudo visudo

2. Locate the lines that grant password-less sudo access to the specific commands. These lines should have the NOPASSWD directive.

3. To remove the password-less access, simply delete the lines containing the specific commands. Alternatively, you can comment out the lines by placing a # at the beginning of each line.

For example, if the previous configuration looked like this:

username   ALL=(ALL) NOPASSWD: /path/to/command1
username   ALL=(ALL) NOPASSWD: /path/to/command2

You can either remove these lines entirely or comment them out like this:

# username   ALL=(ALL) NOPASSWD: /path/to/command1
# username   ALL=(ALL) NOPASSWD: /path/to/command2

Save the changes and close the sudoers file.

4. To apply the modifications, you may need to log out and log back in or start a new terminal session.

After performing these steps, the specific commands will once again require the user to enter their sudo password to execute them with elevated privileges.

Frequently Asked Questions

Here's a few FAQs about Password-less Sudo Access in Linux.

Q: What is password-less sudo access in Linux?

A: Password-less sudo access allows certain users to execute specific commands with administrative privileges (using sudo) without being prompted to enter their password.

Q: How can I set up password-less sudo access for a user?

A: To enable password-less sudo access for a user, you need to edit the sudoers file using the visudo command and add an appropriate entry. For example:
username ALL=(ALL) NOPASSWD: /path/to/command

Q: What are the advantages of password-less sudo access?

A: Users can execute privileged commands without the need to enter their password repeatedly, which can be useful for automated tasks or scripts. Password-less sudo access facilitates smoother automation of administrative tasks.

Q: What are the security risks associated with password-less sudo access?

A: 1. Unauthorized Access: If an attacker gains access to the user's account, they could abuse the password-less sudo privilege to execute potentially harmful commands without needing the user's password.
2. Command Hijacking: Malicious software or unauthorized users can modify the allowed commands and exploit the elevated privileges for nefarious purposes.

Q: When should I use password-less sudo access?

A: Password-less sudo access should be used with caution and only in specific, well-defined scenarios. It is best suited for automated tasks or scripts that require elevated privileges and are executed in a controlled and trusted environment.

Q: How can I minimize the risks when using password-less sudo access?

A: 1. Limit Allowed Commands: Specify only the essential commands needed for the task, reducing the potential attack surface.
2. Use Specific Users: Grant password-less sudo access only to specific trusted users, not to all users.
3. Regularly Review Configuration: Periodically review and update the sudoers file to ensure the access remains necessary and secure.

Q: Can password-less sudo access be restricted to certain commands only?

A: Yes, you can grant password-less access for specific commands by providing their full path in the sudoers file entry. It is generally recommended to restrict password-less access to only the commands that are safe and required.

Q: What if I make a mistake in the sudoers file?

A: Any errors in the sudoers file can potentially lock you out of administrative privileges. Always use visudo -c to check for syntax errors before saving the changes to prevent misconfigurations.

Q: Can I use password-less sudo access on a multi-user system?

A: While it is possible, using password-less sudo access on a multi-user system increases the security risk. Carefully evaluate the risks and limit the scope of access as much as possible.

Q: Is it recommended to use password-less sudo access in a production environment?

A: In a production environment, it is generally not recommended to use password-less sudo access due to the potential security risks. Instead, follow the principle of least privilege and prompt for passwords when executing privileged commands.

Q: How can I re-enable the sudo password prompt for specific commands?

A: To revert the password-less sudo access for particular commands, you need to modify the sudoers file:
1. Open the sudoers file using visudo: sudo visudo
2. Locate the lines with NOPASSWD directive that granted password-less access to the commands.
3. Remove the lines containing the specific commands or comment them out by adding a # at the beginning of each line.
4. Save the changes and close the sudoers file.
5. To apply the modifications, you may need to log out and log back in or start a new terminal session.
By removing or commenting out the relevant lines, the specific commands will once again require the user to enter their sudo password when executed with elevated privileges.

Conclusion

This detailed tutorial explained the process of enabling and disabling password-less sudo access for specific commands in Linux. It explains how to grant certain users the ability to run particular commands with administrative privileges without requiring them to enter their sudo password.

It also covered the steps to revert this behavior and re-authenticate sudo for those commands. Additionally, the topic emphasizes the importance of understanding the benefits, risks, and best practices to ensure secure implementation when working with password-less sudo access.

To summarize, the NOPASSWD directive in the /etc/sudoers file allows you to specify a list of commands that can be run without requiring a password. This can be useful for allowing users to run particular commands without sudo password. However, it is important to use this directive with caution, as it can give users too much power if not used properly.

Here are some additional useful tips for using the NOPASSWD directive:

  • Only allow users to run commands that they need to run.
  • Use the NOPASSWD directive sparingly.
  • Monitor your system for any signs of misuse.

By following these tips, you can use the NOPASSWD directive to safely and effectively allow users to run specific commands without sudo password.

You May Also Like

8 comments

Rick Stanley February 17, 2019 - 1:11 am

Seriously???

“Disclaimer: This is for educational-purpose only. You should be very careful while applying this method. This method might be both productive and destructive. Say for example, if you allow users to execute ‘rm’ command without sudo password, they could accidentally or intentionally delete important stuffs. You have been warned!”

Then don’t post such an article in the first place!

Sudo is dangerous enough without making it even more so!

Reply
sk February 17, 2019 - 12:29 pm

There is nothing wrong in this guide, IMO. All you have to do is think twice before giving access to the user to run a command without sudo password.

Reply
Jonathan March 2, 2019 - 8:24 am

which instead of whereis

Reply
J September 29, 2020 - 10:25 pm

As a simple example there are monitoring utilities which need to operate without a sudo password.

Reply
hemza February 22, 2021 - 2:33 pm

thanks for tutorial
i tried the apt command but steal there a problem some files permissions
E:could not open lock file /var/lib/dpkg/lock-frontend – open (13:permission denied )

Reply
pesoh August 28, 2022 - 3:28 am

Excellent article; you save me a lot of time. I didn’t knew it was so simple. Thank you very much.
I was expecting the (un)usefull disclaimer such as the 2019 “seriously???” from Rick Stanley above. No matter the forum, there is always an unsolicitated lesson giver trying to give meaning to his life.
If you have the knowledge to bypass a sudo password then you take your responsibilities. Thanks again.

Reply
Eric M October 6, 2022 - 9:19 am

Thanks!
Got tired of fishing out my Yubikey every time I wanted to up/down my wireguard tunnels. This and a bash_alias makes it simple to do via cli

Reply

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More