I use a script in my Ubuntu system deployed on AWS. The primary purpose of this script is to check if a specific service is running at regular interval (every one minute to be precise) and start that service automatically if it is stopped for any reason. But the problem is I need sudo privileges to start the service. As you may know already, we should provide password when we run something as sudo user. But I don't want to do that. What I actually want to do is to run the service as sudo without password. If you've ever been in a situation like this, I know a small workaround. Today, I will teach you how to run particular commands without sudo password in Linux and Unix-like operating systems.
Have a look at the following example.
$ sudo mkdir /ostechnix [sudo] password for sk:
As you can see in the above screenshot, I need to provide sudo password when creating a directory named ostechnix in root (/) folder. Whenever we try to execute a command with sudo privileges, we must enter the password. However, in my scenario, I don't want to provide the sudo password. Here is what I did to run a sudo command without password on my Linux box.
Disclaimer: This is for educational-purpose only. You should be very careful while applying this method. This method is both productive and destructive. Say for example, if you allow users to execute 'rm' command without sudo password, they could accidentally or intentionally delete important stuffs. The commands given below are solely for demonstration purpose only. You should not run them in a production system under any circumstances. If you don't understand what you're doing, please do this exercise in a virtual machine and try to learn what is this concept for. You have been warned!
Run particular commands without sudo password in Linux
For any reasons, if you want to allow a user to run a certain command without the sudo password, you need to add that command in sudoers file. Let me show you an example.
I want an user named sk to execute mkdir command without giving the sudo password. Let us see how to do it.
Edit sudoers file:
$ sudo visudo
Add the following line at the end of file.
sk ALL=NOPASSWD:/bin/mkdir
Here, sk is the username. As per the above line, the user sk can run 'mkdir' command from any terminal, without sudo password.
You can add additional commands (for example chmod) with comma-separated values as shown below.
sk ALL=NOPASSWD:/bin/mkdir,/bin/chmod
Save and close the file. Log out (or reboot) your system. Now, log in as normal user 'sk' and try to run those commands with sudo and see what happens.
$ sudo mkdir /dir1
See? Even though I ran 'mkdir' command with sudo privileges, there was no password prompt. From now on, the user sk don't have to enter the sudo password while running 'mkdir' command.
When running all other commands except those commands added in sudoers files, you will be prompted to enter the sudo password.
Let us run another command with sudo.
$ sudo apt update
See? This command prompts me to enter the sudo password.
If you don't want this command to prompt you to ask sudo password, edit sudoers file:
$ sudo visudo
Add the 'apt' command in visudo file like below:
sk ALL=NOPASSWD: /bin/mkdir,/usr/bin/apt
Did you notice that the apt binary executable file path is different from mkdir? Yes, you must provide the correct executable file path.
To find executable file path of any command, for example 'apt', use 'whereis' command like below.
$ whereis apt apt: /usr/bin/apt /usr/lib/apt /etc/apt /usr/share/man/man8/apt.8.gz
As you see, the executable file for apt command is /usr/bin/apt, hence I added the exact path in the sudoers file.
Like I already mentioned, you can add any number of commands with comma-separated values. Save and close your sudoers file once you're done. Log out and log back in to your system.
Now, check if you can be able to run the command without using the sudo password:
$ sudo apt update
See? The apt command didn't prompt me the password even though I ran it with sudo.
Here is yet another example. If you want to run a specific service, for example apache2, add it as shown below.
sk ALL=NOPASSWD:/bin/mkdir,/usr/bin/apt,/bin systemctl restart apache2
Now, the user can run 'sudo systemctl restart apache2' command without sudo password.
Recommended Download - Free Cheat Sheet: "Linux Command Line Cheat Sheet"
Can I re-authenticate to a particular command in the above case? Of course, yes! Just remove the added command. Log out and log in back.
Alternatively, you can add 'PASSWD:' directive in-front of the command. Look at the following example.
Add/modify the following line as shown below.
sk ALL=NOPASSWD:/bin/mkdir,/bin/chmod,PASSWD:/usr/bin/apt
In this case, the user sk can run 'mkdir' and 'chmod' commands without entering the sudo password. However, he must provide sudo password when running 'apt' command.
Conclusion
This guide explained to how to run certain commands without sudo password. As I've warned, allowing users to run specific commands without sudo password can be both productive and destructive. You must be careful while applying this method in a production environment.
Suggested read:
- How To Change User Password In Linux
- How To Grant And Remove Sudo Privileges To Users On Ubuntu
- How To Change Default Sudo Log File In Linux
- How To Restore Sudo Privileges To A User
- How To Find All Sudo Users In Your Linux System
- How to force users to use root password instead of their own password when using sudo
8 comments
Seriously???
“Disclaimer: This is for educational-purpose only. You should be very careful while applying this method. This method might be both productive and destructive. Say for example, if you allow users to execute ‘rm’ command without sudo password, they could accidentally or intentionally delete important stuffs. You have been warned!”
Then don’t post such an article in the first place!
Sudo is dangerous enough without making it even more so!
There is nothing wrong in this guide, IMO. All you have to do is think twice before giving access to the user to run a command without sudo password.
which instead of whereis
As a simple example there are monitoring utilities which need to operate without a sudo password.
thanks for tutorial
i tried the apt command but steal there a problem some files permissions
E:could not open lock file /var/lib/dpkg/lock-frontend – open (13:permission denied )
Check this guide – https://ostechnix.com/how-to-fix-e-could-not-get-lock-var-lib-dpkg-lock-error-on-ubuntu/
Excellent article; you save me a lot of time. I didn’t knew it was so simple. Thank you very much.
I was expecting the (un)usefull disclaimer such as the 2019 “seriously???” from Rick Stanley above. No matter the forum, there is always an unsolicitated lesson giver trying to give meaning to his life.
If you have the knowledge to bypass a sudo password then you take your responsibilities. Thanks again.
Thanks!
Got tired of fishing out my Yubikey every time I wanted to up/down my wireguard tunnels. This and a bash_alias makes it simple to do via cli