Sometimes system administrators or frequent users on Ubuntu do not want to enter a password when they run some specific commands using sudo.In this article you will learn how to use sudo on commands without having to provide a password.
An ubuntu user does not want to provide a password when he runs the following commands for instance :
- sudo reboot
- sudo shutdown -r now
How should he proceed ?
The user would need to use the NOPASSWD directive in his /etc/sudoers file.
If your current user is named ‘user’ and your host ‘host’, you would need to insert the following lines to the file /etc/sudoers:
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
Once this is done, the user ‘user’ will be able run these commands on ‘host’ without a password. The other commands however will still require a password though.
The commands mentioned in the /etc/sudoers file would need to be qualified in full, which means that their absolute path has to be specified correctly as dictated in the sudoers help or man page . A relative path is therefore not accepted and will be considered a syntax error.
In order to run any command in a given directory, the command would need to end with a trailing character (/) and should point to that specific directory. Note that the sub directories are not included in this case.
In the example below, the user is able to run any command in the directory /home/userfolder/bin/:
user host = (root) NOPASSWD: /home/userfolder/bin/
Note: to not lock yourself out of the system, it is good practice to use the command visudo for editing the sudoers file – This is just a precautionary measure in case you unintentionally write an incorrect statement in the sudoers file.
visudo will actually save your altered file to a temporary folder and will only overwrite the original sudoers file if the modified file has no errors.
You may be interested to read: How to create a Sudo user on Ubuntu
Instead of editing the /etc/sudoers file, it is possible to insert the two lines above to a new file in the directory /etc/sudoers.d e.g. /etc/sudoers.d/shutdown_directive.
This is an elegant and convenient way of separating various modifications to the sudo rights leaving at the same time, the original sudoers file unchanged for easier potential future upgrades.
sudo visudo -f /etc/sudoers.d/shutdown_directive
This will ensure that the permissions and the owner of the new file are set correctly.
if you had accidentally inserted an incorrect statement in the /etc/sudoers or had messed up a file in the directory /etc/sudoers.d , which means that you did not therefore use the visudo to edit your files, you will then be locked out of sudo.
It is possible to fix the files using an alternative tool to sudo, pkexec.
To repair /etc/sudoers, proceed as follows :
Now in order to fix /etc/sudoers.d/shutdown_directive , proceed as follows :
pkexec visudo -f /etc/sudoers.d/shutdown
If the permissions and/or the ownership are not correct for any sudoers file, sudo will ignore the file which means that might also get locked out as well. You can use pkexec to solve this as before.
The permissions that should be implemented should look like the following:
$ ls -l /etc/sudoers.d/shutdown_directive -r–r—– 1 root root 86 Mar 10 16:00 /etc/sudoers.d/shutdown_directive
Use pkexec as shown below this to fix ownership and permissions:
pkexec chown root:root /etc/sudoers.d/shutdown_directive pkexec chmod 0440 /etc/sudoers.d/shutdown_directive