Sudo Without Password

November 15th 2020

Sudo is a Linux program used to grant superuser access to non-admin users. Generally this is regarded as a good security measure which allows a regular user to run administrative tasks on the system without using the root or super user credentials.

Sometimes the security measures sudo imposes create problems for service accounts that need to run administrative commands automatically. In those situations the sudo configuration can be changed to allow some or all commands without a password. Before making any changes, understand the security trade-off: the password prompt when running a command through sudo prevents accidental use of administrative-level commands. But neither this guide nor the password prompt before sudo is a foolproof security measure.

In other words, if an attacker has gotten far enough to run sudo on a machine, there are far worse security issues at play.

To allow passwordless sudo you’ll need to create a file in the directory


/etc/sudoers.d

For instance, if you wanted to give a program called test-prog passwordless sudo access to a command, you could create a file called ‘test-prog-cmd’ in that directory using the command below.


sudo nano /etc/sudoers.d/test-prog-cmd

The name of the file doesn’t matter to sudo; its purpose is to help the admin identify the contents of the file. There are two exceptions:

The file name cannot end in ‘~’.
The file name cannot contain a ‘.’.

Before modifying these files, make sure the program has a dedicated user with sudo privileges. If the program test-prog needs to run the command reboot through the sudo-capable user test, add the line below to the test-prog-cmd file.


test ALL=NOPASSWD: /sbin/reboot

test
    The first part is the username the rule applies to.
ALL=NOPASSWD
    The ALL here denotes which hosts the rule applies to; in most cases this will be ALL. NOPASSWD tells sudo not to prompt for the user test’s password.
/sbin/reboot
    The final part is the path to the command. Note that this has to be the full path to the program; just putting ‘reboot’ here will not work.

What if we want to control a service managed by systemd? The line below allows restarting the service called test-prog.service.


test ALL=NOPASSWD: /bin/systemctl restart test-prog.service

Note that systemctl’s location can differ between distributions; to find it, run the command below.


whereis systemctl

That’s it. At this point the program should be able to use the test user to run the reboot command or restart the service test-prog.service without being prompted for a password.
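As an added example (not the post’s own commands), the shell functions below put the steps above into a script: they check the file-name rules sudo applies to /etc/sudoers.d, build the NOPASSWD rule lines and reject a command that is not given as an absolute path, resolve systemctl’s location instead of hard-coding it, and run the finished file through visudo -c before installing it with the conventional 0440 mode. The function names, the use of visudo and install, and the sample values are my own assumptions; the only step that needs root is the final install.

```shell
#!/bin/sh
# Added example, not from the original post: build and install a
# /etc/sudoers.d drop-in for a service account. Assumes visudo and
# install(1) are available; the sample user/command values are constructed.

# Returns 0 if NAME is acceptable as a /etc/sudoers.d file name.
# sudo skips files that contain '.' or end in '~', so those are rejected,
# as is anything containing a path separator.
sudoers_name_ok() {
    case "$1" in
        '' | *.* | *~ | */*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one rule: "USER ALL=NOPASSWD: /absolute/command [args]".
# sudo matches on the full path, so a bare command name is refused here
# rather than silently producing a rule that never matches.
sudoers_rule() {
    user=$1
    cmd=$2
    case "$cmd" in
        /*) printf '%s ALL=NOPASSWD: %s\n' "$user" "$cmd" ;;
        *)
            printf 'error: command must be an absolute path: %s\n' "$cmd" >&2
            return 1
            ;;
    esac
}

# Resolve systemctl's absolute path, since it differs between distributions
# (this is the scripted equivalent of "whereis systemctl").
systemctl_path() {
    command -v systemctl 2>/dev/null
}

# Write the given rule lines to a temporary file, check them with
# "visudo -c" (a syntax error in sudoers.d can break sudo for everyone),
# then install the file as root with mode 0440.
install_dropin() {
    name=$1
    shift
    sudoers_name_ok "$name" || { echo "bad sudoers.d file name: $name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    for rule in "$@"; do
        printf '%s\n' "$rule" >> "$tmp"
    done
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    # sudo refuses drop-ins that are writable by others; 0440 root:root is the convention.
    sudo install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# Example invocation (needs root for the install step), mirroring the post:
#   install_dropin test-prog-cmd \
#       "$(sudoers_rule test /sbin/reboot)" \
#       "$(sudoers_rule test "$(systemctl_path) restart test-prog.service")"
```

Keeping the reboot and restart rules limited to exact absolute commands is what makes NOPASSWD tolerable for a service account: the user test can run only those two things without a password, not an interactive root shell.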

This post is written by Gouthaman Raveendran, licensed under CC BY-NC 4.0.