Operating System: Arch Linux

Linux version: 4.16.11

Sudo version: 1.8.23

What I need:

  • be able to execute any executable with a sudo with a password prompt
  • be able to execute one executable, /home/username/script.sh, without a password prompt.

When I configure like this

username ALL=(ALL) NOPASSWD: /home/username/script.sh

I have the desired effect on the script.sh, but I cannot execute any other executable with sudo.

Example

$ sudo ./script.sh # runs fine!

Attempt something other

$ sudo nano /etc/sudoers
[sudo] password for username: 
Sorry, user username is not allowed to execute '/usr/bin/nano /etc/sudoers' as root on hostname.

Seems this is a result of replacing ALL with NOPASSWD, and seems I need both. If the sudoers file has ALL for the user, I can execute whatever I want with a password prompt:

username ALL=(ALL) ALL

I tried to combine ALL and NOPASSWD but had no results:

username ALL=(ALL) ALL, NOPASSWD: /home/username/script.sh

Like this it asks for password for script.sh.

Can I have both?

Comment:

Please note that if the user has write permissions on the file, he can bypass the password check easily by editing it. The NOPASSWD options should be used for executables that can't be changed by the users, like, say ifconfig for a network admin.
– Maya, Jun 4, 2018 at 18:43

2 Answers

Answer (accepted):

man 5 sudoers says ("Sudoers File Format" section):

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

So you should have these lines exactly in this order:

username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh

and any line that also matches (like e.g. %sudo ALL=(ALL:ALL) ALL) should be before the NOPASSWD line.

General note: #include and #includedir allow sudoers to include other files. From version 1.9.1 the encouraged directives are @include and @includedir respectively, but #include and #includedir are still accepted. Don't let # fool you: these are not comments. While searching for entries that may interfere, you shouldn't omit what #include and #includedir point to. Helpful option: sudo -l.

Answer:

You will often find a line like this in /etc/sudoers:

# Allow members of group sudo to execute any command
%wheel   ALL=(ALL:ALL) ALL

This will allow any user that is in the "wheel" group to make use of sudo with suitable proof of identity (e.g: their password). The nominated group may also be "sudo", "admin", or others... (e.g: line starts with %sudo)

If this is present in the file, then run id to see what groups you're in:

$ id
uid=1000(attie) gid=1000(attie) groups=1000(attie),27(sudo),117(docker)

If your user isn't in the appropriate group, then you must add your user to that group.


An alternative would be to list both of your rules one-by-one, with the last matching rule taking effect (i.e: order is important):

username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh

See the ArchWiki page on sudo: https://wiki.archlinux.org/index.php/sudo#Example_entries

Comment:

Thank you. Though you answered first, Kamil was the first to provide the answer that suits me better, thus accepted answer is Kamil's.
– Commented Jun 4, 2018 at 10:07
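Both answers hinge on the same rule: sudoers entries are applied in order and the last matching entry decides. The following is an added example, not code from either answer or from the sudo project. It is a toy resolver that models only the subset of the sudoers grammar used on this page (one user or %group per line, host=(runas), and the NOPASSWD:/PASSWD: tags, which in real sudoers persist across the following commands in the same list until overridden). Aliases, wildcards, command arguments, and #include/@include expansion are not modelled; the sudoers text, user name and group list below are constructed for the demonstration, and the real check on a live system remains `sudo -l` and `visudo -c`.

```python
"""Toy 'last match wins' resolver for a subset of the sudoers grammar (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Match(NamedTuple):
    line_no: int      # 1-based line number within the supplied text
    spec: str         # the command spec that matched: "ALL" or an exact path
    nopasswd: bool    # True if that spec carried the NOPASSWD: tag


# who host=(runas) cmds   e.g.  "%wheel ALL=(ALL:ALL) ALL"
_ENTRY = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)
_INCLUDE_PREFIXES = ("#include", "#includedir", "@include", "@includedir")


def _parse_cmds(cmds: str) -> List[Tuple[str, bool]]:
    """Split 'ALL, NOPASSWD: /a, /b, PASSWD: /c' into [(spec, nopasswd), ...].

    A tag applies to the spec it precedes and to every later spec in the
    same list until the opposite tag appears (sudoers tag inheritance).
    """
    nopasswd = False
    out = []
    for item in cmds.split(","):
        item = item.strip()
        tag = re.match(r"^(NOPASSWD|PASSWD)\s*:\s*(.*)$", item)
        if tag:
            nopasswd = tag.group(1) == "NOPASSWD"
            item = tag.group(2).strip()
        if item:
            out.append((item, nopasswd))
    return out


def last_match(sudoers_text: str, user: str, groups: List[str],
               command: str, host: str = "ALL") -> Optional[Match]:
    """Return the last entry permitting `command` for `user`, or None if denied."""
    result = None
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        stripped = raw.strip()
        # Include directives are not comments; this toy skips them unexpanded.
        if stripped.startswith(_INCLUDE_PREFIXES):
            continue
        line = stripped.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            continue  # Defaults, aliases and anything else are ignored here
        who = m.group("who")
        if who.startswith("%"):
            if who[1:] not in groups:
                continue
        elif who not in (user, "ALL"):
            continue
        if m.group("host") not in ("ALL", host):
            continue
        for spec, nopasswd in _parse_cmds(m.group("cmds")):
            if spec == "ALL" or spec == command:
                result = Match(line_no, spec, nopasswd)  # later matches overwrite
    return result


def decision(match: Optional[Match]) -> str:
    """Human-readable outcome for a resolved match."""
    if match is None:
        return "denied"
    return "allowed without password" if match.nopasswd else "allowed with password"


# Constructed sample files mirroring the question and the answers.
SCRIPT = "/home/username/script.sh"
NANO = "/usr/bin/nano"
CORRECT_ORDER = (
    "username ALL=(ALL) ALL\n"
    "username ALL=(ALL) NOPASSWD: /home/username/script.sh\n"
)
WRONG_ORDER = (
    "username ALL=(ALL) NOPASSWD: /home/username/script.sh\n"
    "username ALL=(ALL) ALL\n"
)
NOPASSWD_ONLY = "username ALL=(ALL) NOPASSWD: /home/username/script.sh\n"
GROUP_AFTER = (
    "username ALL=(ALL) NOPASSWD: /home/username/script.sh\n"
    "%sudo ALL=(ALL:ALL) ALL   # this line also matches, so it must come first\n"
)

if __name__ == "__main__":
    for name, text in [("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER),
                       ("NOPASSWD only", NOPASSWD_ONLY), ("%sudo after", GROUP_AFTER)]:
        for cmd in (SCRIPT, NANO):
            print(f"{name:14} {cmd:26} -> {decision(last_match(text, 'username', ['sudo'], cmd))}")
```

Running it reproduces the behaviour discussed above: with the two lines in the order the accepted answer gives, script.sh resolves to the NOPASSWD entry on line 2 while nano falls through to the ALL entry on line 1; swap the lines and the ALL entry is the last match for script.sh too, so a password is asked for; with only the NOPASSWD line, nano is denied, which is exactly the error in the question; and a later `%sudo ALL=(ALL:ALL) ALL` line silently overrides the NOPASSWD rule for anyone in that group.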
