Best way to add NOPASSWD for the vagrant user?
What is the better way to add NOPASSWD with the vagrant user?
Way 1:
groupadd -r admin
usermod -a -G admin vagrant
cp /etc/sudoers /etc/sudoers.orig
sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
Way 2:
# Set up sudo
echo %vagrant ALL=NOPASSWD:ALL > /etc/sudoers.d/vagrant
chmod 0440 /etc/sudoers.d/vagrant
# Setup sudo to allow no-password sudo for "sudo"
usermod -a -G sudo vagrant
Or maybe there is an even better way?
Solution 1:
Considerations for editing sudoers files
Manually editing whatever file you're creating or modifying is sometimes preferable to editing with echo ... > or sed--especially sed unless you are extremely proficient with it. This is because it shows you more clearly the impact of your changes, and because, for a file you're not actually creating (like sudoers in "Way 1"), opening the file in a text editor shows you other contents of the file that might be relevant. You should generally understand your current configuration before making changes to it and reading any configuration file you're editing is sometimes helpful toward that end.
However, more importantly, a tiny mistake in editing /etc/sudoers or any file in /etc/sudoers.d makes sudo refuse to work entirely until the problem is fixed.
For desktop Ubuntu systems but not most server systems, there's a relatively easy fix for this; otherwise, you might have to boot to recovery mode or from a live CD/DVD/USB to fix the problem of being locked out from being able to perform any administrative actions.
Either way, you should use visudo to edit /etc/sudoers and any files in /etc/sudoers.d.
- For /etc/sudoers: sudo visudo
- For a file in /etc/sudoers.d called vagrant: sudo visudo /etc/sudoers.d/vagrant
visudo has you edit a temporary file and, once you've exited, checks your syntax to ensure it is correct before copying over the temporary file to the real configuration file.
Because of this mechanism, if you want to use terminal one-liners instead of a text editor, you should be able to use visudo in connection with sed or some mechanism similar to pipes (like tee) to edit sudoers files safely in a manner comparable to what you've used in "Way 1" and "Way 2".
Perhaps someone else will post an answer detailing how to do that; if not, then next time I have access to a machine suitable for such testing, I may try to figure it out and expand this answer with an example. Alternatively, using sed or echo safely to create/modify sudoers and sudoers.d configuration might be considered the subject of a separate question. This is especially the case if your main interest here is whether to give NOPASSWD sudo-to-root power directly or through group membership.
Conferring sudo-to-root power by group membership vs. per-user
The main difference between "Way 1" and "Way 2" is:
- "Way 1" makes the user an administrator and confers the ability to administrators to run commands as root with sudo without being prompted for a password.
- "Way 2" confers this ability specifically on the one user.
Unless you want all administrators to be able to sudo-to-root without a password (by default, entering a password is required), "Way 2" is preferable.
However, any user who you want to be able to run arbitrary commands as root should probably also be an administrator! (This will let them use pkexec and it avoids confusion if you or an associate is trying to figure out who all the users are with the ability to perform system administration tasks.)
Therefore, the best thing to do may well be to add vagrant as an administrator and separately confer NOPASSWD abilities to vagrant specifically (and not to administrators in general).
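One way to script the safe one-liner edit this answer describes, as an added example that is not part of the original answers: stage the rule under a name sudo ignores, check it with visudo -cf, and rename it into place only if it parses. The function name and the SUDOERS_DIR and SUDOERS_CHECK variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers): install a sudoers drop-in
# only after visudo has accepted its syntax.
# SUDOERS_DIR and SUDOERS_CHECK are this example's own override variables
# (assumptions, not sudo settings); the defaults target the live system.
: "${SUDOERS_DIR:=/etc/sudoers.d}"
: "${SUDOERS_CHECK:=visudo -cf}"

# install_sudoers_dropin NAME RULE
# Returns 0 if installed, 1 if the syntax check rejected RULE,
# 2 if NAME is unusable, 3 if staging failed.
install_sudoers_dropin() {
    name=$1
    rule=$2
    # sudo skips files in sudoers.d whose names contain '.' or end in '~',
    # so such a name would install a rule that never takes effect.
    case $name in
        ''|*.*|*~|*/*) echo "unusable drop-in name: $name" >&2; return 2 ;;
    esac
    # Stage inside the target directory: the dot in the staging name keeps
    # sudo from reading it, and the final mv is a same-filesystem rename.
    tmp=$(mktemp "$SUDOERS_DIR/.stage-XXXXXX") || return 3
    if ! printf '%s\n' "$rule" > "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    # Check-only mode: parse the staged file, change nothing.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null; then
        echo "rule rejected, nothing installed: $rule" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}

# Usage (as root), with a per-user rule as discussed on this page:
#   install_sudoers_dropin vagrant 'vagrant ALL=NOPASSWD:ALL'
```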
Solution 2:
Please remove "%" from your Way 2; it didn't work since "vagrant" is a user, not a group. The line to be replaced is:
echo vagrant ALL=NOPASSWD:ALL > /etc/sudoers.d/vagrant