I have to execute a shell script as another user, but without being prompted for a password.

I've edited the /etc/sudoers file with visudo, adding the following line.

_www  localhost=(otheruser) NOPASSWD:bin/sh /path/to/my/script.sh

If I understand how sudo works, this means that the user _www is allowed to execute as user otheruser, without being prompted for a password, only from localhost.

Is that correct? Because the system continues to prompt for the password.

  • That is strange. My visudo complained when I tested your example. The problem was the relative path bin/sh. You should specify the absolute path /bin/sh as written in the correct reply, or sh with no directory path when the command is in the predefined path. I have this version (visudo -V): visudo version 1.8.3p1, visudo grammar version 40
    Commented Jan 10, 2014 at 17:09

2 Answers


I'd think you need to put the path to sh correctly, you're missing the first '/'

_www  localhost=(otheruser) NOPASSWD:/bin/sh /path/to/my/script.sh

Then try the command exactly as it appears in the file. Assuming you're logged in as _www:

sudo -u otheruser /bin/sh /path/to/my/script.sh

If it still prompts, something else is wrong...

  • Do you really need the /bin/sh? Most shell scripts include that at the top..
    – NickW
    Commented Jan 10, 2014 at 16:58
  • @NickW: This could be important if you want to enforce use of a certain shell regardless of the shebang sequence on the first line of the script.
    Commented Jan 10, 2014 at 17:02
  • @pabouk There shouldn't be a reason to do this, the shebang should point to the correct shell. If you are worried about a user changing the shell then they shouldn't have access to modify the script in the first place. Commented Jan 10, 2014 at 18:24
  • @NickW - Can you assume the script has either a shebang or execute permissions? What if the command to be run is "sh /path/to/script"? The OP hasn't stated what the command is, but if it is to be locked down to the exact command rather than "./script" then surely the full path to the binary is absolutely necessary?
    – arco444
    Commented Jan 10, 2014 at 18:31
  • I use sudo powers to let people run (not modify or read) a script of my choice.. nothing against using it for other purposes, but my users can only execute that script as it was written.
    – NickW
    Commented Jan 13, 2014 at 9:26

Here is a working line from my sudoers file:

www-data ALL=(ALL) NOPASSWD: /usr/local/bin/myapp

The problem I ran into, though, when getting this working on my server wasn't actually the sudoers file, it was the way the executable was being called from the web application. Be sure the syntax of the system call in your PHP or Python file is correct and that your arguments are being passed correctly.

My working example is from a Python file that uses subprocess.Popen and looks like this snippet:

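from subprocess import Popen, PIPE, STDOUT
# shell=True hands the whole string to the shell, which splits it into arguments
args = '/usr/bin/sudo /usr/local/bin/myapp -v'
p = Popen(args, stdout=PIPE, stderr=STDOUT, shell=True).communicate()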

Hope this helps.
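An added example, not part of either answer above: a Python caller that runs the question's command through sudo as an argument list rather than a shell string, using sudo's -n option so that a sudoers rule that does not match produces an error instead of a password prompt the web server cannot answer. The helper names sudo_argv and run_as are hypothetical; the user name, script path and /usr/bin/sudo are taken from the question and answers.

```python
import os.path
import subprocess

SUDO = "/usr/bin/sudo"  # path used in the answer above; adjust for your system


def sudo_argv(runas, command):
    """Build the argv for running `command` (a list of strings) as `runas`.

    Each element is passed to sudo as its own argument, so no shell
    re-parses the command line on the way.
    """
    if not command or not os.path.isabs(command[0]):
        # Require the full path so the call names exactly the binary
        # that the sudoers rule lists (/bin/sh, not bin/sh or sh).
        raise ValueError("command must start with an absolute path: %r" % (command,))
    # -n: never prompt; exit with an error if a password would be required.
    # --: end of sudo's own options; what follows is the command to run.
    return [SUDO, "-n", "-u", runas, "--"] + list(command)


def run_as(runas, command, timeout=30):
    """Run the command via sudo and return (exit_code, combined_output)."""
    proc = subprocess.run(
        sudo_argv(runas, command),
        stdin=subprocess.DEVNULL,      # nothing to read a password from
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,      # keep sudo's error text with the output
        timeout=timeout,
    )
    return proc.returncode, proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Same command as the sudoers rule in the first answer.
    code, output = run_as("otheruser", ["/bin/sh", "/path/to/my/script.sh"])
    if code != 0:
        # A rule that does not match the call shows up here as a failure.
        print("sudo failed (%d): %s" % (code, output))
```

Logging the returned output on a non-zero exit code shows sudo's own error message, which is usually the quickest way to see that the call and the sudoers rule disagree.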
