Sudo Without Password
Sudo is a Linux program used to grant superuser access to non-admin users. Generally this is regarded as a good security measure: it allows a regular user to run administrative tasks on the system without using the root or superuser credentials.
Sometimes the security measures presented by sudo can create issues for service accounts that automatically run administrative commands. In those situations there is a way to modify the sudo settings to allow some or all commands without a password. Before making any changes, understand the security trade-off: the password prompt when running a command through sudo prevents accidental use of administrative-level commands. But neither this guide nor the password prompt before sudo is a foolproof security measure.
What I mean is that if an attacker were able to get far enough to run sudo on a machine, there are far worse security issues at play.
To allow passwordless sudo you’ll need to create a file in the directory /etc/sudoers.d
For instance, if you wanted to give a program called test-prog passwordless sudo access to a command, you could create a file called ‘test-prog-cmd’ in that directory using the command below:
sudo nano /etc/sudoers.d/test-prog-cmd
The name of the file doesn’t matter to sudo; the name’s purpose is to help the admin identify the contents of the file. There are two exceptions, because sudo silently skips drop-in files whose names break either rule:
- The file name cannot end in ‘~’.
- The file name cannot contain a ‘.’
Before modifying these files, make sure the program has a dedicated user with sudo privileges. If the program test-prog needs to run the command reboot through the sudo-capable user test, add the line below to the test-prog-cmd file.
test ALL=NOPASSWD: /sbin/reboot
- test: the first part is the username the rule will apply to.
- ALL=NOPASSWD: the ALL here denotes which hosts the rule applies to; in most cases this will always be ALL. The NOPASSWD tells sudo not to prompt for the user test’s password.
- /sbin/reboot: the final part is the path to the command. Note that this has to be the full path to the program; just putting ‘reboot’ here will not work.
What if we want to control a service invoked by systemd? The line below will restart the service called test-prog.service:
test ALL=NOPASSWD: /bin/systemctl restart test-prog.service
Note that systemctl’s location can differ based on distro; to find it, run the command below:
whereis systemctl
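The script below is an added example and is not part of the original post. It builds the two rules shown above (the reboot rule and the systemctl restart rule) for the user test, applies the two filename rules and the full-path requirement as checks, stages the drop-in in a temporary directory with the 0440 mode sudo expects, and runs visudo in check-only mode before anything reaches /etc/sudoers.d. The user name, file name and commands are taken from the post; the function names (dropin_name_ok, make_rule, write_dropin, check_dropin) and the staging directory are this example’s own, and the visudo check is an addition, since the post edits the file with nano directly.

```shell
#!/bin/sh
# Added example, not from the original post: build, check and stage a
# passwordless sudoers.d rule. Reused from the post: user "test", file
# "test-prog-cmd", /sbin/reboot and the systemctl restart line. The
# function names and the staging directory are this example's own.

# dropin_name_ok NAME: succeed only if sudo would read a file of that
# name from /etc/sudoers.d. sudo silently skips names ending in '~'
# (editor backups) or containing a '.' (e.g. a package manager leftover
# such as test-prog-cmd.rpmnew), so a skipped file looks like a rule
# that mysteriously never applies.
dropin_name_ok() {
    case "$1" in
        ''|*~|*.*) return 1 ;;
        *)         return 0 ;;
    esac
}

# make_rule USER CMD: print "USER ALL=NOPASSWD: CMD". CMD must start
# with '/' because sudoers matches commands by absolute path; a bare
# "reboot" would parse but never match, and sudo would keep prompting.
make_rule() {
    case "$2" in
        /*) printf '%s ALL=NOPASSWD: %s\n' "$1" "$2" ;;
        *)  printf 'make_rule: command must be an absolute path: %s\n' "$2" >&2
            return 1 ;;
    esac
}

# write_dropin DIR NAME RULE...: write one rule per line into DIR/NAME
# with mode 0440 (the mode sudo expects), refusing names sudo ignores.
write_dropin() {
    dir=$1; name=$2; shift 2
    dropin_name_ok "$name" || {
        printf 'write_dropin: sudo would ignore a file named %s\n' "$name" >&2
        return 1
    }
    mkdir -p "$dir" || return 1
    printf '%s\n' "$@" > "$dir/$name" || return 1
    chmod 0440 "$dir/$name"
}

# check_dropin FILE: run visudo in check-only mode (-c) on FILE (-f) so
# a typo is caught before the file reaches /etc/sudoers.d, where a
# syntax error can break every sudo invocation on the host.
check_dropin() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        printf 'check_dropin: visudo not found, %s was not syntax checked\n' "$1" >&2
        return 2
    fi
}

# Stage both rules from the post. Installing is left to the admin, e.g.
#   sudo install -o root -g root -m 0440 "$stage/test-prog-cmd" /etc/sudoers.d/
main() {
    stage=$(mktemp -d) || return 1
    reboot_rule=$(make_rule test /sbin/reboot) || return 1
    svc_rule=$(make_rule test "/bin/systemctl restart test-prog.service") || return 1
    write_dropin "$stage" test-prog-cmd "$reboot_rule" "$svc_rule" || return 1
    cat "$stage/test-prog-cmd"
    check_dropin "$stage/test-prog-cmd" ||
        echo "do not install $stage/test-prog-cmd until the check passes"
}

main "$@"
```

The path passed to make_rule for systemctl should be whatever whereis systemctl reports on the target distro, as the post notes. Listing one command per rule, as both rules here do, keeps the grant to exactly what the service account needs; a rule of the form test ALL=NOPASSWD: ALL removes the password prompt for everything that user can run.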
That’s it. At this point the program should be able to use the test user to run the reboot command or restart the service test-prog.service without requiring a password.