Sudoers file, enable NOPASSWD for user, all commands
Preface
This is a fairly complex question related to the sudoers file and the sudo command in general.
NOTE: I have made these changes on a dedicated machine running Ubuntu Desktop 13.04, that I use purely for learning purposes. I understand it's a huge security risk to enable NOPASSWD sudo.
Question
Initially, my only change to the sudoers file (/etc/sudoers) was one line, a user specification that should have enabled nicholsonjf to run all commands with sudo without having to enter a password (see the line that starts with nicholsonjf):
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
nicholsonjf ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
However this did not work, and I was still prompted for my password every time I ran a command as nicholsonjf. I was only able to start running sudo commands as nicholsonjf once I removed nicholsonjf from the sudo and admin groups.
Can anyone explain why this worked?
Is it because the user nicholsonjf was inheriting sudo rights from the two group specifications of admin and sudo (seen below in the sudoers file), which were overriding the nicholsonjf user specification because they were further down in the config file?
The line you added was overridden. From man sudoers:
When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
In your case nicholsonjf was a member of the group sudo, so for him this line applied:
%sudo ALL=(ALL:ALL) ALL
If you want to override entries in /etc/sudoers, just put the new entries after them.
The new entry should look like
myuser ALL=(ALL) NOPASSWD: ALL
for a single user, or
%sudo ALL=(ALL) NOPASSWD: ALL
for a group.
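The last-match rule quoted from man sudoers above, as an added example (not part of the original answers and not sudo's own code): a simplified resolver run over the user specifications from the question's sudoers file. It assumes plain user and %group entries only and ignores aliases, #includedir contents, and host and command matching; parse_specs and effective_entry are hypothetical helper names.

```python
import re

# User-specification lines copied from the sudoers file in the question
# (unrelated comments and Defaults trimmed).
QUESTION_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
nicholsonjf ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""

# Simplified grammar (assumption): who host=[(runas)] [TAG: ...] commands
SPEC = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_specs(text):
    """Yield (lineno, who, nopasswd) for each simple user specification."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue  # comments, #includedir and Defaults are not user specs
        m = SPEC.match(line)
        if m:
            yield lineno, m["who"], "NOPASSWD:" in m["tags"].replace(" ", "")

def effective_entry(text, user, groups):
    """Return (lineno, who, nopasswd) of the LAST matching entry, or None."""
    last = None
    for lineno, who, nopasswd in parse_specs(text):
        if who == user or (who.startswith("%") and who[1:] in groups):
            last = (lineno, who, nopasswd)  # a later match replaces an earlier one
    return last

if __name__ == "__main__":
    # As in the question: the %sudo line comes last, so a password is required.
    print(effective_entry(QUESTION_SUDOERS, "nicholsonjf", {"sudo", "admin"}))
    # After leaving both groups, only the user's own NOPASSWD line matches.
    print(effective_entry(QUESTION_SUDOERS, "nicholsonjf", set()))
```

The same function can be pointed at a real file's contents to see which line decides the password prompt for an account before and after reordering entries.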
For a single user, add this line at the end of your sudoers file using the sudo visudo command:
superuser ALL=(ALL) NOPASSWD:ALL
For a group
%supergroup ALL=(ALL) NOPASSWD:ALL
To never prompt the current user for a password when that user uses sudo, run this command:
echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/dont-prompt-$USER-for-sudo-password
It creates a file called /etc/sudoers.d/dont-prompt-<YOUR USERNAME>-for-sudo-password with the following contents:
<YOUR USERNAME> ALL=(ALL:ALL) NOPASSWD: ALL
The advantages of doing it this way over manually adding that line to /etc/sudoers using sudo visudo (as suggested by the other answers) are:
- /etc/sudoers is sometimes modified by system updates, whereas files in /etc/sudoers.d aren't
- the sudo visudo method is prone to error (as evidenced by this very question), whereas copy and pasting a command is harder to mess up
Note that you may still be prompted for the password in other contexts, such as installing stuff from the Ubuntu Software graphical app.
According to sudo cat /etc/sudoers.d/README, this feature (of putting extra sudoer files in /etc/sudoers.d) has been enabled by default since Debian 1.7.2p1-1, which came out in the late 1990's (Ubuntu is based on Debian).