In Linux, you can allow specific commands to be executed without entering the sudo password by configuring the sudoers file appropriately. The sudoers file determines which users can run certain commands with administrative privileges (using sudo) and whether they need to provide a password for those commands. To run particular sudo commands without a password, follow the steps described in this tutorial.
One of my clients uses a script on an Ubuntu system. The main purpose of the script is to check the status of a specific service at regular intervals (precisely every one minute) and automatically restart it if it's not running.
However, starting the service requires sudo privileges, which normally prompts for a password. The client wants to avoid entering the password every time the script runs. He wants to run the service with sudo but without the need for a password. This way, the script can run smoothly without any manual intervention.
If you've ever been in a similar situation, you can configure password-less sudo access to specific commands and run those particular commands without sudo password in Linux and Unix-like operating systems.
If you still don't understand, have a look at the following example.
$ sudo mkdir /ostechnix
[sudo] password for sk:
As you can see above, I have to provide the sudo password when creating a directory named ostechnix in the root (/) folder. Whenever we try to execute a command with sudo privileges, we must enter the password. However, I don't want to provide the sudo password every time. This is what we are going to solve in this guide.
Before we delve into the topic of running a sudo command without a password in Linux, it's important to first discuss the benefits of setting up password-less sudo authentication for sudo commands and the security risks associated with it.
Advantages of Configuring Password-less Sudo Access
Allowing specific commands to be executed without entering the sudo password can be a matter of convenience and automation for certain use cases. However, it comes with potential security risks and should be done judiciously. Here are some reasons why someone might choose to configure sudo to skip password prompts for certain commands:
- Script Automation: In some cases, users may have scripts or automated processes that need to run certain commands with administrative privileges. By allowing these specific commands without a password, the automation process becomes smoother and doesn't require manual intervention.
- Frequent Administrative Tasks: For power users or system administrators who frequently perform specific administrative tasks that require sudo, bypassing the password prompt for these well-known, safe commands can save time and reduce frustration.
- Single-User Systems: On single-user systems where the user is the sole administrator, some users prefer to avoid entering their password repeatedly for administrative tasks. However, it's essential to recognize that even on single-user systems, malware or unauthorized users could still potentially abuse this configuration if they gain access to the user's account.
- Limited Privileges: In certain scenarios, you might want to give a user limited administrative privileges for specific commands without granting full unrestricted sudo access. This can be useful to delegate specific tasks to different users.
While these reasons might be valid in specific circumstances, there are some notable security concerns:
- Security Risk: Allowing passwordless execution of privileged commands can lead to security vulnerabilities. If an attacker gains access to the user's account, they could execute these commands with administrative privileges without needing to know the account's password.
- Misconfiguration: Incorrectly setting up passwordless sudo access can create security holes or even lock you out of your system if you make a mistake in the sudoers file.
- Command Hijacking: If an attacker can modify a script or binary that the user can execute with sudo, they effectively gain root access without a password prompt.
- Account Compromise: On multi-user systems, if one user's account is compromised, the attacker can abuse passwordless sudo to escalate privileges.
Due to these security risks, it's essential to carefully consider whether the convenience outweighs the potential dangers. If you decide to enable passwordless sudo for specific commands, ensure you limit the commands to only those necessary and maintain a secure system configuration. Always practice the principle of least privilege and regularly review the sudoers file to avoid unnecessary exposure.
Disclaimer: This information is intended solely for educational purposes and requires extreme caution when implementing. The method can be both beneficial and harmful. For instance, if users are granted permission to execute the 'rm' command without a sudo password, they may inadvertently or deliberately delete important files. The commands provided below are purely for demonstration purposes, and it is crucial not to execute them on a production system under any circumstances. If you are unsure about the implications or consequences, it is highly advised to carry out this exercise in a virtual machine and use it as an opportunity to understand the underlying concept. You have been warned.
Run Particular Sudo Commands without Sudo Password
To run particular commands without sudo password in Linux, you can use the NOPASSWD directive in the /etc/sudoers file. This directive allows you to specify a list of commands that can be run without requiring a password.
For example, to allow the user user1 to run specific commands without a password, you would add the following line to the /etc/sudoers file:
user1 ALL=(root) NOPASSWD: /path/to/command1, /path/to/command2
Here are some additional things to keep in mind:
- The NOPASSWD directive only applies to the specific commands that you list. If you try to run a command that is not listed, you will still be prompted for a password.
- The NOPASSWD directive can be used to allow users to run commands as root. This should only be done if you are confident that the users will not misuse this privilege.
Let us see an example.
I wish to allow the user named "sk" to execute the "mkdir" command without needing to enter the sudo password.
As I already said, in order to allow a user to run a certain command without the sudo password, you need to add that particular command in the sudoers file.
Edit sudoers file using:
$ sudo visudo
Add the following line at the end of file.
Here, sk is the username. As per the above line, the user sk can run the 'mkdir' command from any terminal, without sudo password. Replace the username and the command path with your own.
You can add additional commands (for example usermod) with comma-separated values as shown below.
Save and close the file.
To ensure there are no syntax errors in the sudoers file, run the following command:
$ sudo visudo -c
If everything is fine, it should display a message like "sudoers file parsed OK".
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/zfs: parsed OK
Log out (or reboot) your system. Now, log in as normal user 'sk' and try to run those commands with sudo and see what happens.
$ sudo mkdir /dir1
See? Even though I ran the 'mkdir' command with sudo privileges, there was no password prompt. From now on, the user sk doesn't have to enter the sudo password while running the 'mkdir' command.
When running all other commands except those commands added in sudoers files, you will be prompted to enter the sudo password.
Let us verify it by running another command with sudo.
$ sudo apt update
See? This command prompts me to enter the sudo password.
If you don't want to be prompted for the sudo password when running the apt command, edit sudoers file:
$ sudo visudo
Add the 'apt' command in visudo file like below:
sk ALL=NOPASSWD: /bin/mkdir,/usr/bin/apt
Did you notice that the apt binary executable file path is different from mkdir? Yes, you must provide the correct executable file path.
To find the executable file path of any command, for example 'apt', you can use either the 'which' or 'whereis' command:
$ which apt
/usr/bin/apt
$ whereis apt
apt: /usr/bin/apt /usr/lib/apt /etc/apt /usr/share/man/man8/apt.8.gz
As you can see, the executable file for the apt command is /usr/bin/apt, hence I added the exact path in the sudoers file.
Like I already mentioned, you can add any number of commands with comma-separated values. Save and close your sudoers file once you're done. Log out and log back in to your system.
Now, check whether you can run the command without the sudo password:
$ sudo apt update
The apt command didn't prompt me for the sudo password even though I executed it with sudo.
Here is yet another example. If you want to restart a specific service, for example apache2, add the following line in the sudoers file.
sk ALL=NOPASSWD:/bin/mkdir,/usr/bin/apt,/bin/systemctl restart apache2
Replace the username with your own. Now, the user can run the 'sudo systemctl restart apache2' command without sudo password.
Execute Certain Sudo Commands with or without Entering Sudo Password
In the sudoers file, you can use both the PASSWD and NOPASSWD directives to allow a specific user to execute certain commands with or without entering a password.
To achieve this, you need to create separate entries for each command with different settings. Here's an example of how to do it:
Let's assume you want to allow the user "user2" to run two commands (command1 and command2) with a password prompt and one command (command3) without a password prompt.
Open the sudoers file in edit mode using
$ sudo visudo
Add the following lines to the sudoers file:
# Command1 and Command2 require password prompt
user2 ALL=(ALL) PASSWD: /path/to/command1
user2 ALL=(ALL) PASSWD: /path/to/command2
# Command3 does not require password prompt
user2 ALL=(ALL) NOPASSWD: /path/to/command3
Replace /path/to/command1, /path/to/command2, and /path/to/command3 with the actual paths to the respective commands you want to allow. Also replace the usernames with your own.
Save and close the sudoers file.
With these entries in the sudoers file, the user "user2" will be prompted to enter their password when executing command1 and command2, but they won't be asked for a password when running command3.
You can also use both the PASSWD and NOPASSWD directives in a single line of the sudoers file. This is achieved by specifying the settings for different commands within the same line. However, it's essential to be careful with the syntax to ensure it is correct.
Here's an example of how you can use both directives in a single line:
user2 ALL=(ALL) PASSWD: /path/to/command1, PASSWD: /path/to/command2, NOPASSWD: /path/to/command3
In this example:
- command1 and command2 will require the user "user2" to enter their password when executing them.
- command3 will not prompt for a password when executed by "user2."
Again, when editing the sudoers file, use visudo to prevent syntax errors and avoid compromising your system's security. Always double-check the configuration, and use this approach judiciously for commands that truly require these specific settings.
Look at the following example.
Add/modify the following line in the sudoers file.
sk ALL=NOPASSWD:/bin/mkdir,/bin/usermod, PASSWD:/usr/bin/apt
In this case, the user sk can run the 'mkdir' and 'usermod' commands without entering the sudo password. However, he must provide the sudo password when running the 'apt' command.
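The single-line examples above depend on a tag staying in force for every command after it until another tag appears, and the earlier command-hijacking warning applies to each binary that ends up passwordless. The Python script below is an added example, not part of the original tutorial: it lists the commands each user can run without a password and flags binaries that an account other than root could rewrite. The function names and the sample text are made up for illustration, and it assumes one rule per line with no aliases, line continuations, or escaped commas.

```python
import os
import re
import stat

# Constructed sample modelled on this tutorial's sudoers lines (not a real file).
SAMPLE = """\
Defaults env_reset
sk ALL=NOPASSWD:/bin/mkdir,/bin/usermod, PASSWD:/usr/bin/apt
user2 ALL=(ALL) PASSWD: /path/to/command1, NOPASSWD: /path/to/command3
sk ALL=(root) /usr/bin/id
"""

SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD)\s*:\s*")

def passwordless_commands(sudoers_text):
    """Map each user to the commands sudo runs without a password prompt."""
    result = {}
    for line in map(str.strip, sudoers_text.splitlines()):
        rule = RULE.match(line)
        if not line or line.startswith(SKIP) or not rule:
            continue
        user, cmd_list = rule.groups()
        nopasswd = False  # without a tag, sudo asks for the password
        for item in map(str.strip, cmd_list.split(",")):
            tag = TAG.match(item)
            if tag:  # a tag stays in force for the commands that follow it
                nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            if nopasswd and item:
                result.setdefault(user, []).append(item)
    return result

def writable_by_non_root(uid, mode):
    """True if an account other than root can rewrite the file."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(sudoers_text, stat_fn=os.stat):
    """Return (user, command, problem) for each risky passwordless entry."""
    findings = []
    for user, cmds in passwordless_commands(sudoers_text).items():
        for cmd in cmds:
            try:
                st = stat_fn(cmd.split()[0])  # first word is the binary path
            except OSError:
                findings.append((user, cmd, "path not found"))
                continue
            if writable_by_non_root(st.st_uid, st.st_mode):
                findings.append((user, cmd, "writable by non-root"))
    return findings

if __name__ == "__main__":
    print(passwordless_commands(SAMPLE), audit(SAMPLE), sep="\n")
```

To review a real configuration, pass the contents of /etc/sudoers and of each file under /etc/sudoers.d to audit(); reading those files requires root.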
Disable Password-less Sudo Access
To re-enable the sudo password prompt for specific commands, you need to remove or comment out the corresponding lines in the sudoers file. This will restore the default behavior, prompting the user for their password when executing the specified commands with sudo. Here's how you can do it:
1. Open the sudoers file in edit mode using
$ sudo visudo
2. Locate the lines that grant password-less sudo access to the specific commands. These lines should have the NOPASSWD directive.
3. To remove the password-less access, simply delete the lines containing the specific commands. Alternatively, you can comment out the lines by placing a # at the beginning of each line.
For example, if the previous configuration looked like this:
username ALL=(ALL) NOPASSWD: /path/to/command1
username ALL=(ALL) NOPASSWD: /path/to/command2
You can either remove these lines entirely or comment them out like this:
# username ALL=(ALL) NOPASSWD: /path/to/command1
# username ALL=(ALL) NOPASSWD: /path/to/command2
Save the changes and close the sudoers file.
4. To apply the modifications, you may need to log out and log back in or start a new terminal session.
After performing these steps, the specific commands will once again require the user to enter their sudo password to execute them with elevated privileges.
Frequently Asked Questions
Here are a few FAQs about Password-less Sudo Access in Linux.
A: Password-less sudo access allows certain users to execute specific commands with administrative privileges (using sudo) without being prompted to enter their password.
A: To enable password-less sudo access for a user, you need to edit the sudoers file using the visudo command and add an appropriate entry. For example:
username ALL=(ALL) NOPASSWD: /path/to/command
A: Users can execute privileged commands without the need to enter their password repeatedly, which can be useful for automated tasks or scripts. Password-less sudo access facilitates smoother automation of administrative tasks.
A: 1. Unauthorized Access: If an attacker gains access to the user's account, they could abuse the password-less sudo privilege to execute potentially harmful commands without needing the user's password.
2. Command Hijacking: Malicious software or unauthorized users can modify the allowed commands and exploit the elevated privileges for nefarious purposes.
A: Password-less sudo access should be used with caution and only in specific, well-defined scenarios. It is best suited for automated tasks or scripts that require elevated privileges and are executed in a controlled and trusted environment.
A: 1. Limit Allowed Commands: Specify only the essential commands needed for the task, reducing the potential attack surface.
2. Use Specific Users: Grant password-less sudo access only to specific trusted users, not to all users.
3. Regularly Review Configuration: Periodically review and update the sudoers file to ensure the access remains necessary and secure.
A: Yes, you can grant password-less access for specific commands by providing their full path in the sudoers file entry. It is generally recommended to restrict password-less access to only the commands that are safe and required.
A: Any errors in the sudoers file can potentially lock you out of administrative privileges. Always use visudo -c to check for syntax errors before saving the changes to prevent misconfigurations.
A: While it is possible, using password-less sudo access on a multi-user system increases the security risk. Carefully evaluate the risks and limit the scope of access as much as possible.
A: In a production environment, it is generally not recommended to use password-less sudo access due to the potential security risks. Instead, follow the principle of least privilege and prompt for passwords when executing privileged commands.
A: To revert the password-less sudo access for particular commands, you need to modify the sudoers file:
1. Open the sudoers file using visudo.
2. Locate the lines with the NOPASSWD directive that granted password-less access to the commands.
3. Remove the lines containing the specific commands or comment them out by adding a # at the beginning of each line.
4. Save the changes and close the sudoers file.
5. To apply the modifications, you may need to log out and log back in or start a new terminal session.
By removing or commenting out the relevant lines, the specific commands will once again require the user to enter their sudo password when executed with elevated privileges.
This detailed tutorial explained the process of enabling and disabling password-less sudo access for specific commands in Linux. It explains how to grant certain users the ability to run particular commands with administrative privileges without requiring them to enter their sudo password.
It also covered the steps to revert this behavior and re-authenticate sudo for those commands. Additionally, the topic emphasizes the importance of understanding the benefits, risks, and best practices to ensure secure implementation when working with password-less sudo access.
To summarize, the NOPASSWD directive in the /etc/sudoers file allows you to specify a list of commands that can be run without requiring a password. This can be useful for allowing users to run particular commands without sudo password. However, it is important to use this directive with caution, as it can give users too much power if not used properly.
Here are some additional useful tips for using the NOPASSWD directive:
- Only allow users to run commands that they need to run.
- Use the
- Monitor your system for any signs of misuse.
By following these tips, you can use the NOPASSWD directive to safely and effectively allow users to run specific commands without sudo password.