In Linux, you can allow specific commands to be executed without entering the sudo password by configuring the sudoers file appropriately. The sudoers file determines which users can run certain commands with administrative privileges (using sudo
) and whether they need to provide a password for those commands. To achieve running particular sudo commands without a password, follow the steps described in this tutorial.
Table of Contents
Introduction
One of my clients uses a script on an Ubuntu system. The main purpose of the script is to check the status of a specific service at regular intervals (precisely every one minute) and automatically restart it if it's not running.
However, starting the service requires sudo privileges, which normally prompts for a password. The client wants to avoid entering the password every time the script runs. He wants to run the service with sudo but without the need for a password. This way, the script can run smoothly without any manual intervention.
If you've ever been in a similar situation, you can configure password-less sudo access to specific commands and run those particular commands without sudo password in Linux and Unix-like operating systems.
If you still don't understand, have a look at the following example.
$ sudo mkdir /ostechnix [sudo] password for sk:
As you can see in the above screenshot, I have to provide sudo password when creating a directory named ostechnix
in root (/
) folder. Whenever we try to execute a command with sudo privileges, we must enter the password. However, I don't want to provide the sudo password every time. This is what we going to solve in the this guide.
Before we delve into the topic of running a sudo command without a password in Linux, it's important to first discuss the benefits of setting up password-less sudo authentication for sudo commands and the security risks associated with it.
Advantages of Configuring Password-less Sudo Access
Allowing specific commands to be executed without entering the sudo password can be a matter of convenience and automation for certain use cases. However, it comes with potential security risks and should be done judiciously. Here are some reasons why someone might choose to configure sudo to skip password prompts for certain commands:
- Script Automation: In some cases, users may have scripts or automated processes that need to run certain commands with administrative privileges. By allowing these specific commands without a password, the automation process becomes smoother and doesn't require manual intervention.
- Frequent Administrative Tasks: For power users or system administrators who frequently perform specific administrative tasks that require sudo, bypassing the password prompt for these well-known, safe commands can save time and reduce frustration.
- Single-User Systems: On single-user systems where the user is the sole administrator, some users prefer to avoid entering their password repeatedly for administrative tasks. However, it's essential to recognize that even on single-user systems, malware or unauthorized users could still potentially abuse this configuration if they gain access to the user's account.
- Limited Privileges: In certain scenarios, you might want to give a user limited administrative privileges for specific commands without granting full unrestricted sudo access. This can be useful to delegate specific tasks to different users.
Security Concerns
While these reasons might be valid in specific circumstances, there are some notable security concerns:
- Security Risk: Allowing passwordless execution of privileged commands can lead to security vulnerabilities. If an attacker gains access to the user's account, they could execute these commands with administrative privileges without needing to know the account's password.
- Misconfiguration: Incorrectly setting up passwordless sudo access can create security holes or even lock you out of your system if you make a mistake in the sudoers file.
- Command Hijacking: If an attacker can modify a script or binary that the user can execute with sudo, they effectively gain root access without a password prompt.
- Account Compromise: On multi-user systems, if one user's account is compromised, the attacker can abuse passwordless sudo to escalate privileges.
Due to these security risks, it's essential to carefully consider whether the convenience outweighs the potential dangers. If you decide to enable passwordless sudo for specific commands, ensure you limit the commands to only those necessary and maintain a secure system configuration. Always practice the principle of least privilege and regularly review the sudoers file to avoid unnecessary exposure.
Disclaimer: This information is intended solely for educational purposes and requires extreme caution when implementing. The method can be both beneficial and harmful. For instance, if users are granted permission to execute the 'rm
' command without a sudo password, they may inadvertently or deliberately delete important files. The commands provided below are purely for demonstration purposes, and it is crucial not to execute them on a production system under any circumstances. If you are unsure about the implications or consequences, it is highly advised to carry out this exercise in a virtual machine and use it as an opportunity to understand the underlying concept. You have been warned.
Run Particular Sudo Commands without Sudo Password
To run particular commands without sudo password in Linux, you can use the NOPASSWD
directive in the /etc/sudoers
file. This directive allows you to specify a list of commands that can be run without requiring a password.
For example, to allow the user user1 to run specific commands without a password, you would add the following line to the /etc/sudoers
file:
user1 ALL=(root) NOPASSWD: /path/to/command1, /path/tocommand2
Here are some additional things to keep in mind:
- The
NOPASSWD
directive only applies to the specific commands that you list. If you try to run a command that is not listed, you will still be prompted for a password. - The
NOPASSWD
directive can be used to allow users to run commands as root. This should only be done if you are confident that the users will not misuse this privilege.
Let us see an example.
I wish to allow the user named "sk" to execute the "mkdir
" command without needing to enter the sudo password.
As I already said, In order to allow a user to run a certain command without the sudo password, you need to add that particular command in the sudoers
file.
Edit sudoers file using:
$ sudo visudo
Add the following line at the end of file.
sk ALL=NOPASSWD:/bin/mkdir
Here, sk is the username. As per the above line, the user sk can run 'mkdir'
command from any terminal, without sudo password. Replace the username and the command path with our own.
You can add additional commands (for example usermod
) with comma-separated values as shown below.
sk ALL=NOPASSWD:/bin/mkdir,/bin/usermod
Save and close the file.
To ensure there are no syntax errors in the sudoers file, run the following command:
$ sudo visudo -c
If everything is fine, it should display a message like "sudoers file parsed OK".
/etc/sudoers: parsed OK /etc/sudoers.d/README: parsed OK /etc/sudoers.d/zfs: parsed OK
Log out (or reboot) your system. Now, log in as normal user 'sk' and try to run those commands with sudo and see what happens.
$ sudo mkdir /dir1
See? Even though I ran 'mkdir'
command with sudo privileges, there was no password prompt. From now on, the user sk don't have to enter the sudo password while running 'mkdir'
command.
When running all other commands except those commands added in sudoers files, you will be prompted to enter the sudo password.
Let us verify it by running another command with sudo.
$ sudo apt update
See? This command prompts me to enter the sudo password.
If you don't want to be prompted the sudo password when running the apt
command, edit sudoers file:
$ sudo visudo
Add the 'apt'
command in visudo file like below:
sk ALL=NOPASSWD: /bin/mkdir,/usr/bin/apt
Did you notice that the apt binary executable file path is different from mkdir? Yes, you must provide the correct executable file path.
To find executable file path of any command, for example 'apt'
, you can use either 'which
' or 'whereis
' commands.
$ which apt /usr/bin/apt
$ whereis apt apt: /usr/bin/apt /usr/lib/apt /etc/apt /usr/share/man/man8/apt.8.gz
As you can see, the executable file for apt command is /usr/bin/apt
, hence I added the exact path in the sudoers file.
Like I already mentioned, you can add any number of commands with comma-separated values. Save and close your sudoers file once you're done. Log out and log back in to your system.
Now, check if you can be able to run the command without using the sudo password:
$ sudo apt update
See? The apt
command didn't prompt me the sudo password even though I executed it with sudo.
Here is yet another example. If you want to run a specific service, for example apache2, add the following line in the sudoers file.
sk ALL=NOPASSWD:/bin/mkdir,/usr/bin/apt,/bin systemctl restart apache2
Replace the username with your own. Now, the user can run 'sudo systemctl restart apache2'
command without sudo password.
Execute Certain Sudo Commands with or without Entering Sudo Password
In the sudoers file, you can use both the PASSWD
and NOPASSWD
directives to allow a specific user to execute certain commands with or without entering a password.
To achieve this, you need to create separate entries for each command with different settings. Here's an example of how to do it:
Let's assume you want to allow the user "user2" to run two commands (command1
and command2
) with a password prompt and one command (command3
) without a password prompt.
Open the sudoers file in edit mode using visudo
:
$ sudo visudo
Add the following lines to the sudoers file:
# Command1 and Command2 require password prompt user2 ALL=(ALL) PASSWD: /path/to/command1 user2 ALL=(ALL) PASSWD: /path/to/command2 # Command3 does not require password prompt user2 ALL=(ALL) NOPASSWD: /path/to/command3
Replace /path/to/command1
, /path/to/command2
, and /path/to/command3
with the actual paths to the respective commands you want to allow. Also replace the usernames with your own.
Save and close the sudoers file.
With these entries in the sudoers file, the user "user2" will be prompted to enter their password when executing command1
or command2
, but they won't be asked for a password when running command3
.
You can also use both the PASSWD
and NOPASSWD
directives in a single line of the sudoers file. This is achieved by specifying the settings for different commands within the same line. However, it's essential to be careful with the syntax to ensure it is correct.
Here's an example of how you can use both directives in a single line:
user2 ALL=(ALL) PASSWD: /path/to/command1, PASSWD: /path/to/command2, NOPASSWD: /path/to/command3
In this example:
command1
andcommand2
will require the user "user2" to enter their password when executing them.command3
will not prompt for a password when executed by "user2."
Again, when editing the sudoers file, use visudo
to prevent syntax errors and avoid compromising your system's security. Always double-check the configuration, and use this approach judiciously for commands that truly require these specific settings.
Look at the following example.
Add/modify the following line in the sudoers file.
sk ALL=NOPASSWD:/bin/mkdir,/bin/usermod, PASSWD:/usr/bin/apt
In this case, the user sk can run 'mkdir'
and 'usermod'
commands without entering the sudo password. However, he must provide sudo password when running 'apt'
command.
Disable Password-less Sudo Access
To re-enable the sudo password prompt for specific commands, you need to remove or comment out the corresponding lines in the sudoers file. This will restore the default behavior, prompting the user for their password when executing the specified commands with sudo. Here's how you can do it:
1. Open the sudoers file in edit mode using visudo
:
$ sudo visudo
2. Locate the lines that grant password-less sudo access to the specific commands. These lines should have the NOPASSWD
directive.
3. To remove the password-less access, simply delete the lines containing the specific commands. Alternatively, you can comment out the lines by placing a #
at the beginning of each line.
For example, if the previous configuration looked like this:
username ALL=(ALL) NOPASSWD: /path/to/command1 username ALL=(ALL) NOPASSWD: /path/to/command2
You can either remove these lines entirely or comment them out like this:
# username ALL=(ALL) NOPASSWD: /path/to/command1 # username ALL=(ALL) NOPASSWD: /path/to/command2
Save the changes and close the sudoers file.
4. To apply the modifications, you may need to log out and log back in or start a new terminal session.
After performing these steps, the specific commands will once again require the user to enter their sudo password to execute them with elevated privileges.
Frequently Asked Questions
Here's a few FAQs about Password-less Sudo Access in Linux.
A: Password-less sudo access allows certain users to execute specific commands with administrative privileges (using sudo) without being prompted to enter their password.
A: To enable password-less sudo access for a user, you need to edit the sudoers file using the visudo
command and add an appropriate entry. For example:username ALL=(ALL) NOPASSWD: /path/to/command
A: Users can execute privileged commands without the need to enter their password repeatedly, which can be useful for automated tasks or scripts. Password-less sudo access facilitates smoother automation of administrative tasks.
A: 1. Unauthorized Access: If an attacker gains access to the user's account, they could abuse the password-less sudo privilege to execute potentially harmful commands without needing the user's password.
2. Command Hijacking: Malicious software or unauthorized users can modify the allowed commands and exploit the elevated privileges for nefarious purposes.
A: Password-less sudo access should be used with caution and only in specific, well-defined scenarios. It is best suited for automated tasks or scripts that require elevated privileges and are executed in a controlled and trusted environment.
A: 1. Limit Allowed Commands: Specify only the essential commands needed for the task, reducing the potential attack surface.
2. Use Specific Users: Grant password-less sudo access only to specific trusted users, not to all users.
3. Regularly Review Configuration: Periodically review and update the sudoers file to ensure the access remains necessary and secure.
A: Yes, you can grant password-less access for specific commands by providing their full path in the sudoers file entry. It is generally recommended to restrict password-less access to only the commands that are safe and required.
A: Any errors in the sudoers file can potentially lock you out of administrative privileges. Always use visudo -c
to check for syntax errors before saving the changes to prevent misconfigurations.
A: While it is possible, using password-less sudo access on a multi-user system increases the security risk. Carefully evaluate the risks and limit the scope of access as much as possible.
A: In a production environment, it is generally not recommended to use password-less sudo access due to the potential security risks. Instead, follow the principle of least privilege and prompt for passwords when executing privileged commands.
A: To revert the password-less sudo access for particular commands, you need to modify the sudoers file:
1. Open the sudoers file using visudo
: sudo visudo
2. Locate the lines with NOPASSWD
directive that granted password-less access to the commands.
3. Remove the lines containing the specific commands or comment them out by adding a #
at the beginning of each line.
4. Save the changes and close the sudoers file.
5. To apply the modifications, you may need to log out and log back in or start a new terminal session.
By removing or commenting out the relevant lines, the specific commands will once again require the user to enter their sudo password when executed with elevated privileges.
Conclusion
This detailed tutorial explained the process of enabling and disabling password-less sudo access for specific commands in Linux. It explains how to grant certain users the ability to run particular commands with administrative privileges without requiring them to enter their sudo password.
It also covered the steps to revert this behavior and re-authenticate sudo for those commands. Additionally, the topic emphasizes the importance of understanding the benefits, risks, and best practices to ensure secure implementation when working with password-less sudo access.
To summarize, the NOPASSWD
directive in the /etc/sudoers
file allows you to specify a list of commands that can be run without requiring a password. This can be useful for allowing users to run particular commands without sudo password. However, it is important to use this directive with caution, as it can give users too much power if not used properly.
Here are some additional useful tips for using the NOPASSWD
directive:
- Only allow users to run commands that they need to run.
- Use the
NOPASSWD
directive sparingly. - Monitor your system for any signs of misuse.
By following these tips, you can use the NOPASSWD
directive to safely and effectively allow users to run specific commands without sudo password.
Suggested Read:
- How To Restrict Sudo Users To Run Specific Authorized Commands In Linux
- How To Grant And Remove Sudo Privileges To Users On Ubuntu
- How To Allow Or Deny Sudo Access To A Group In Linux
- How To Restrict Su Command To Authorized Users In Linux
- Run Commands As Another User Via Sudo In Linux
- How To Prevent Command Arguments With Sudo In Linux
- How To Run All Programs In A Directory Via Sudo In Linux
- How To Change Default Sudo Log File In Linux
- How To Change User Password In Linux
- How To Restore Sudo Privileges To A User
- How To Find All Sudo Users In Your Linux System
- How to force users to use root password instead of their own password when using sudo
8 comments
Seriously???
“Disclaimer: This is for educational-purpose only. You should be very careful while applying this method. This method might be both productive and destructive. Say for example, if you allow users to execute ‘rm’ command without sudo password, they could accidentally or intentionally delete important stuffs. You have been warned!”
Then don’t post such an article in the first place!
Sudo is dangerous enough without making it even more so!
There is nothing wrong in this guide, IMO. All you have to do is think twice before giving access to the user to run a command without sudo password.
which instead of whereis
As a simple example there are monitoring utilities which need to operate without a sudo password.
thanks for tutorial
i tried the apt command but steal there a problem some files permissions
E:could not open lock file /var/lib/dpkg/lock-frontend – open (13:permission denied )
Check this guide – https://ostechnix.com/how-to-fix-e-could-not-get-lock-var-lib-dpkg-lock-error-on-ubuntu/
Excellent article; you save me a lot of time. I didn’t knew it was so simple. Thank you very much.
I was expecting the (un)usefull disclaimer such as the 2019 “seriously???” from Rick Stanley above. No matter the forum, there is always an unsolicitated lesson giver trying to give meaning to his life.
If you have the knowledge to bypass a sudo password then you take your responsibilities. Thanks again.
Thanks!
Got tired of fishing out my Yubikey every time I wanted to up/down my wireguard tunnels. This and a bash_alias makes it simple to do via cli