How do I run specific sudo commands without a password?
On one particular machine I often need to run sudo
commands every now and then.
I am fine with entering password on sudo
in most of the cases.
However there are three sudo
commands I want to run without entering password:
sudo reboot
sudo shutdown -r now
sudo shutdown -P now
How can I exclude these commands from password protection to sudo
?
Solution 1:
Use the NOPASSWD
directive
You can use the NOPASSWD
directive in your /etc/sudoers
file.
If your user is called user
and your host is called host
you could add these lines to /etc/sudoers
:
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
This will allow the user user
to run the desired commands on host
without entering a password. All other sudo
ed commands will still require a password.
The commands specified in the sudoers
file must be fully qualified (i.e. using the absolute path to the command to run) as described in the sudoers
man page. Providing a relative path is considered a syntax error.
If the command ends with a trailing /
character and points to a directory, the user will be able to run any command in that directory (but not in any sub-directories therein). In the following example, the user user
can run any command in the directory /home/someuser/bin/
:
user host = (root) NOPASSWD: /home/someuser/bin/
Note: Always use the command visudo
to edit the sudoers
file to make sure you do not lock yourself out of the system – just in case you accidentally write something incorrect to the sudoers
file. visudo
will save your modified file to a temporary location and will only overwrite the real sudoers
file if the modified file can be parsed without errors.
Using /etc/sudoers.d
instead of modifying /etc/sudoers
As an alternative to editing the /etc/sudoers
file, you could add the two lines to a new file in /etc/sudoers.d
e.g. /etc/sudoers.d/shutdown
. This is an elegant way of separating different changes to the sudo
rights and also leaves the original sudoers
file untouched for easier upgrades.
Note: Again, you should use the command visudo
to edit the file to make sure you do not lock yourself out of the system:
sudo visudo -f /etc/sudoers.d/shutdown
This also automatically ensures that the owner and permissions of the new file is set correctly.
If sudoers
is messed up
If you did not use visudo
to edit your files and then accidentally messed up /etc/sudoers
or messed up a file in /etc/sudoers.d
then you will be locked out of sudo
.
The solution could be to fix the files using pkexec
which is an alternative to sudo
.
To fix /etc/sudoers
:
pkexec visudo
To fix /etc/sudoers.d/shutdown
:
pkexec visudo -f /etc/sudoers.d/shutdown
If the ownership and/or permissions are incorrect for any sudoers
file, the file will be ignored by sudo
so you might also find yourself locked out in this situation. Again, you can use pkexec
to fix this.
The correct permissions should be like this:
$ ls -l /etc/sudoers.d/shutdown
-r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown
Use pkexec
like this to fix ownership and permissions:
pkexec chown root:root /etc/sudoers.d/shutdown
pkexec chmod 0440 /etc/sudoers.d/shutdown
Solution 2:
Sorry but there's so much confusion over this and some really complicated answers, that i feel i must weigh in here before someone misunderstands and does something crazy.
Using visudo!!
Add the following lines to the config:
ALL ALL=NOPASSWD: /sbin/reboot,/sbin/shutdown
This allows the commands, reboot and shutdown with any parameters to be executed from any user. The first "ALL" refers to the users, so it means ALL users. The second ALL refers to ALL hosts.
For a more verbose explanation see man sudoers
as this provides further examples and these examples are several pages down but they are actually there if you dig deep enough.
Please stackexchange, just give simple, succinct answers.