How do I run specific sudo commands without a password?

  • On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.

    However there are three sudo commands I want to run without entering password:

    • sudo reboot
    • sudo shutdown -r now
    • sudo shutdown -P now

    How can I exclude these commands from password protection to sudo?

  • mgd (correct answer, 8 years ago)

    Use the NOPASSWD directive

    You can use the NOPASSWD directive in your /etc/sudoers file.

    If your user is called user and your host is called host you could add these lines to /etc/sudoers:

    user host = (root) NOPASSWD: /sbin/shutdown
    user host = (root) NOPASSWD: /sbin/reboot
    

    This will allow the user user to run the desired commands on host without entering a password. All other sudoed commands will still require a password.

    The commands specified in the sudoers file must be fully qualified (i.e. using the absolute path to the command to run) as described in the sudoers man page. Providing a relative path is considered a syntax error.

    If the command ends with a trailing / character and points to a directory, the user will be able to run any command in that directory (but not in any sub-directories therein). In the following example, the user user can run any command in the directory /home/someuser/bin/:

    user host = (root) NOPASSWD: /home/someuser/bin/
    

    Note: Always use the command visudo to edit the sudoers file to make sure you do not lock yourself out of the system – just in case you accidentally write something incorrect to the sudoers file. visudo will save your modified file to a temporary location and will only overwrite the real sudoers file if the modified file can be parsed without errors.

    Using /etc/sudoers.d instead of modifying /etc/sudoers

    As an alternative to editing the /etc/sudoers file, you could add the two lines to a new file in /etc/sudoers.d e.g. /etc/sudoers.d/shutdown. This is an elegant way of separating different changes to the sudo rights and also leaves the original sudoers file untouched for easier upgrades.

    Note: Again, you should use the command visudo to edit the file to make sure you do not lock yourself out of the system:

    sudo visudo -f /etc/sudoers.d/shutdown
    

    This also automatically ensures that the owner and permissions of the new file are set correctly.

    If sudoers is messed up

    If you did not use visudo to edit your files and then accidentally messed up /etc/sudoers or messed up a file in /etc/sudoers.d then you will be locked out of sudo.

    The solution could be to fix the files using pkexec which is an alternative to sudo.

    To fix /etc/sudoers:

    pkexec visudo
    

    To fix /etc/sudoers.d/shutdown:

    pkexec visudo -f /etc/sudoers.d/shutdown
    

    If the ownership and/or permissions are incorrect for any sudoers file, the file will be ignored by sudo so you might also find yourself locked out in this situation. Again, you can use pkexec to fix this.

    The correct permissions should be like this:

    $ ls -l /etc/sudoers.d/shutdown
    -r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown
    

    Use pkexec like this to fix ownership and permissions:

    pkexec chown root:root /etc/sudoers.d/shutdown
    pkexec chmod 0440 /etc/sudoers.d/shutdown
    

    I hope this will only apply to these 2 commands, and that I won't be messing with the rest of the system or any other command?

    The two lines refer specifically to these two commands. If `user` is not in other ways given `sudo` rights no other commands can be sudoed by this user. Have a look at `man sudo` and `man sudoers`.

    Initially I faced a chmod problem. I added a workaround for this in the answer. Thanks @mgd

    Thanks! I think the information about what the proper ownership and permissions are was useful though; you may want to keep that in the answer as well. (You could even mention how to fix it with `pkexec` if it's been messed up, if you want.)

    I'm on mac os x yosemite, sudo version 1.7.10p7 and I couldn't get any lines with `host = (root)` to work. Here's the line that eventually worked for me to add permission for admin group to run the /usr/sbin/discoveryutil command without a password: `%admin ALL=NOPASSWD: /usr/sbin/discoveryutil`

    @StanKurdziel I tried with this line on Mac OS X Yosemite and it worked fine: `mgd ALL=(root) NOPASSWD: /var/root/test`. I am user `mgd` and `ALL` means _"from all hosts"_. `/var/root/test` is a simple "Hello World" shell script with permissions: `-rwx------ 1 root wheel 27 12 Jun 09:54 /var/root/test`. I made _no_ other changes to the system.

    This does not work: `user1 ALL=(root) NOPASSWD: "/Applications/MAMP\ PRO/MAMP\ PRO.app/Contents/MacOS/MAMP\ PRO"`. What could be wrong?

    @BTRNaidu Several things could be wrong. One thing is that you quote the command string and _also_ escape the spaces. You should _either_ remove the quotes around the command _or_ remove the \ characters in the command (that escapes the spaces).

    What is `host` in the sudoers file?

    @user106563 The host field is used if you deploy sudoers files across multiple hosts. Then you can control which lines apply to which machines/hosts.

    I have tried it for the last few hours, without success. I'm working on Lubuntu 16.04; first of all I edited `sudoers` with `leafpad`, but kept everything as it was by undoing everything when I realized it has to be `visudo` instead. I have added the line `nightcoder casa1 = (root) NOPASSWD: /usr/sbin/pm-suspend` in every place, but the system keeps saying `This utility may only be run by the root user.` when I run `pm-suspend` from the prompt.

    @nightcod3r you still have to prefix your command with `sudo`. Otherwise, it does not run as root. I.e., `sudo pm-suspend`.

    BEWARE: This sounded like (and perhaps is) good advice. I removed the comment in /etc/sudoers so as to enable the use of /etc/sudoers.d... I created an empty file in /etc/sudoers.d and I'm now apparently locked out of sudo... I'll try to figure something out... (BTW, I'm on the Windows 10 Linux Subsystem [Ubuntu bash])

    @arod did you take a look at the section "If sudoers is messed up" in my answer?

    @mgd yes, I forgot to post it in the comment: pkexec gives me an error `$ pkexec visudo prctl(PR_SET_PDEATHSIG, SIGTERM) failed: Invalid argument`

    @arod check the last lines of my answer. Maybe the permissions of the new empty file are wrong and you can use pkexec to fix them.

    For those that might have had my problem and luckily are using the Windows 10 Linux Subsystem, you can edit your files from Windows by going to the folder `C:\Users\{USERNAME}\AppData\Local\lxss\rootfs`. There I could edit my `/etc/sudoers` file (in my case I put the `#` back on the line `includedir /etc/sudoers.d`). @mgd

    WARNING regarding my last comment: since Windows does not manage permissions on files, I'm thinking that when I saved sudoers and restarted my bash, the sudoers file didn't have the correct permissions and so does not work... This should be fixed if you change the permissions of the file before restarting your bash subshell. In my case, I had to reinstall the Bash Subsystem...

    Can I request that the example be updated to include command field separators and examples of commands that have spaces in them?

    @user447607 Sorry, but this answer is specifically about running a command using sudo without having to enter a password. It is _not_ covering every aspect of sudo. Please check the man page for sudo or ask a new question.

    It's not an answer, it's almost full guide about NOPASSWD directive. Thank you.

    Is there some way to restrict the command line options passed to the command? I see you have only specified shutdown, and not the arguments it takes. I need to be able to switch to a non-privileged user in a script (using `sudo su -p `) and obviously not being able to restrict the arguments taken would effectively eliminate the point of restricting it at all!

    @Michael please read the man page. It is all written there. To quote it: However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments.

    Tried it and it failed on CentOS; maybe try to enhance the help.

    Put these at the END of the `sudoers` file, or else it might not work because `man sudo`.

  • Sorry but there's so much confusion over this and some really complicated answers, that I feel I must weigh in here before someone misunderstands and does something crazy.

    Using visudo!!

    Add the following lines to the config:

    ALL ALL=NOPASSWD: /sbin/reboot,/sbin/shutdown
    

    This allows the commands reboot and shutdown, with any parameters, to be executed by any user.

    Please stackexchange, just give simple succinct answers.

    There is *one* other answer. Comparing this answer with the other: the other answer explained how to set this up for one user on one host; the generalization to multiple users and multiple hosts is obvious. Your answer gives a magic incantation (which actually applies to all users on all hosts, but that is entirely non-obvious). The other difference is that your answer gives two commands on a single line. I didn't know you could do that; it's mildly useful, but given the complexity of sudoers I doubt I will ever use it.
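    The points raised across both answers and their comments (absolute command paths, trailing-slash directory rules, the `""` no-argument form, the `ALL` user specification, and the 0440 mode sudo expects on a drop-in) can be checked before a file ever reaches /etc/sudoers.d. The script below is an added example, not code from either answer or from the sudo project: its regex is a simplified shape of a sudoers user specification rather than sudo's grammar, the sample drop-in it audits is constructed, and `visudo -c -f FILE` remains the authoritative syntax check.

```python
"""Static checks for a sudoers drop-in containing NOPASSWD rules.

Added example; the regex is a simplified shape of a user specification,
not sudo's grammar. Always validate the real file with `visudo -c -f FILE`.
"""
import os
import re
import stat
import tempfile

# user host = (runas) TAG: command[, command ...]   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample drop-in, modelled on the rules shown in the answers.
SAMPLE = """\
# /etc/sudoers.d/shutdown (constructed sample)
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
user host = (root) NOPASSWD: /home/someuser/bin/
ALL ALL=NOPASSWD: /sbin/reboot,/sbin/shutdown
deploy ALL=(root) NOPASSWD: /sbin/shutdown -r now, /sbin/reboot ""
nightcoder casa1 = (root) NOPASSWD: pm-suspend
"""


def split_commands(spec):
    """Split the comma-separated command list, keeping each command's arguments."""
    return [c.strip() for c in spec.split(",") if c.strip()]


def check_command(cmd):
    """Findings for one command entry; an empty list means nothing to flag."""
    if cmd == "ALL":
        return ["ALL: every command on the system runs without a password"]
    path, _, args = cmd.partition(" ")
    findings = []
    if not path.startswith("/"):
        findings.append(f"{path}: relative path, sudoers requires an absolute path")
    if path.endswith("/"):
        findings.append(f"{path}: directory rule, any binary placed there is allowed")
    if not args.strip():
        findings.append(f'{path}: arguments unrestricted (list them, or use "" for none)')
    return findings


def check_rule(line):
    """Findings for one sudoers line; blanks, comments and Defaults are skipped."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return []
    m = RULE_RE.match(line)
    if not m:
        return ["unparsed line, validate with visudo -c"]
    if "NOPASSWD:" not in m.group("tags"):
        return []  # a password is still required, nothing to flag here
    findings = []
    if m.group("user") == "ALL":
        findings.append("ALL users: rule applies to every account on the host")
    for cmd in split_commands(m.group("cmds")):
        findings.extend(check_command(cmd))
    return findings


def audit(text):
    """Map 1-based line numbers to their findings, for lines that have any."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        findings = check_rule(line)
        if findings:
            report[n] = findings
    return report


def mode_ok(path):
    """True when the mode is exactly 0440; sudo ignores files with looser modes."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o440


def owned_by_root(path):
    """True when the file is owned by uid 0 (root:root is what sudo expects)."""
    return os.stat(path).st_uid == 0


def write_dropin(path, text):
    """Write a drop-in, set mode 0440, and return whether the mode check passes."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o440)
    return mode_ok(path)


def demo_dropin_mode():
    """Write SAMPLE to a temporary file, check its mode, then remove it."""
    fd, path = tempfile.mkstemp(suffix=".sudoers")
    os.close(fd)
    try:
        return write_dropin(path, SAMPLE)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for n, findings in sorted(audit(SAMPLE).items()):
        for f in findings:
            print(f"line {n}: {f}")
    print("0440 mode check:", demo_dropin_mode())
```

    Run against the constructed sample, the audit flags the relative `pm-suspend` path from the comments (a syntax error to sudo), the `/home/someuser/bin/` directory rule, the second answer's `ALL ALL=` line, and every command whose arguments are left open; the `deploy` line, which pins `shutdown -r now` and forbids arguments to `reboot` with `""`, produces no findings. The ownership check is kept separate from the mode check so the script can be run as an ordinary user before the file is installed with `visudo -f`.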

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM