Best way to add NOPASSWD for the vagrant user?

What is the better way to add NOPASSWD for the vagrant user?

Way 1:

groupadd -r admin
usermod -a -G admin vagrant
cp /etc/sudoers /etc/sudoers.orig
sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers 

Way 2:

# Set up sudo
echo %vagrant ALL=NOPASSWD:ALL > /etc/sudoers.d/vagrant
chmod 0440 /etc/sudoers.d/vagrant
# Setup sudo to allow no-password sudo for "sudo"
usermod -a -G sudo vagrant

Or maybe there is an even better way?


Solution 1:

Considerations for editing sudoers files

Manually editing whatever file you're creating or modifying is sometimes preferable to editing with echo ... > or sed--especially sed unless you are extremely proficient with it. This is because it shows you more clearly the impact of your changes, and because, for a file you're not actually creating (like sudoers in "Way 1"), opening the file in a text editor shows you other contents of the file that might be relevant. You should generally understand your current configuration before making changes to it and reading any configuration file you're editing is sometimes helpful toward that end.

However, more importantly, a tiny mistake in editing /etc/sudoers or any file in /etc/sudoers.d makes sudo refuse to work entirely until the problem is fixed.

For desktop Ubuntu systems but not most server systems, there's a relatively easy fix for this; otherwise, you might have to boot to recovery mode or from a live CD/DVD/USB to fix the problem of being locked out from being able to perform any administrative actions.

Either way, you should use visudo to edit /etc/sudoers and any files in /etc/sudoers.d.

For /etc/sudoers: sudo visudo

For a file in /etc/sudoers.d called vagrant: sudo visudo /etc/sudoers.d/vagrant

visudo has you edit a temporary file and, once you've exited, checks your syntax to ensure it is correct before copying over the temporary file to the real configuration file.

Because of this mechanism, if you want to use terminal one-liners instead of a text editor, you should be able to use visudo in connection with sed or some mechanism similar to pipes (like tee) to edit sudoers files safely in a manner comparable to what you've used in "Way 1" and "Way 2."

Perhaps someone else will post an answer detailing how to do that; if not, then next time I have access to a machine suitable for such testing, I may try to figure it out and expand this answer with an example. Alternatively, using sed or echo safely to create/modify sudoers and sudoers.d configuration might be considered the subject of a separate question. This is especially the case if your main interest here is whether to give NOPASSWD sudo-to-root power directly or through group membership.

Conferring sudo-to-root power by group membership vs. per-user

The main difference between "Way 1" and "Way 2" is:

  • "Way 1" makes the user an administrator and confers the ability to administrators to run commands as root with sudo without being prompted for a password.
  • "Way 2" confers this ability specifically on the one user.

Unless you want all administrators to be able to sudo-to-root without a password (by default, entering a password is required), "Way 2" is preferable.

However, any user who you want to be able to run arbitrary commands as root should probably also be an administrator! (This will let them use pkexec and it avoids confusion if you or an associate is trying to figure out who all the users are with the ability to perform system administration tasks.)

Therefore, the best thing to do may well be to add vagrant as an administrator and separately confer NOPASSWD abilities to vagrant specifically (and not to administrators in general).

Solution 2:

Please remove "%" from your Way 2; it didn't work, since "vagrant" is a user, not a group. The line to be replaced is:

echo vagrant ALL=NOPASSWD:ALL > /etc/sudoers.d/vagrant
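
Solution 1 says a sudoers change should pass visudo's syntax check before it goes live, and Solution 2 gives the per-user rule. The following is an added example, not code from either answer, that checks a candidate file with `visudo -cf` (rather than driving visudo's editor) and only then renames it into place. The function name `install_sudoers_dropin` and the `SUDOERS_D` / `VISUDO` overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a sudoers drop-in before it replaces the live file.
# SUDOERS_D and VISUDO are overridable (an assumption of this example) so the
# function can be dry-run against a scratch directory.
SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"
VISUDO="${VISUDO:-visudo}"

# install_sudoers_dropin NAME RULE...
# Writes each RULE as one line to a temp file, checks it with `visudo -cf`,
# and only on success renames it to $SUDOERS_D/NAME. On failure the existing
# file, if any, is left untouched.
install_sudoers_dropin() {
    name=$1; shift
    # sudo skips drop-in files whose names contain '.' or end in '~',
    # so such a name would be silently ignored.
    case $name in
        ''|*.*|*~|*/*) echo "invalid drop-in name: $name" >&2; return 2 ;;
    esac
    # The '.' in the temp name keeps sudo from reading the unchecked candidate.
    tmp=$(mktemp "$SUDOERS_D/$name.tmp.XXXXXX") || return 1
    printf '%s\n' "$@" > "$tmp"
    chmod 0440 "$tmp"
    if ! "$VISUDO" -cf "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed; $SUDOERS_D/$name not changed" >&2
        rm -f "$tmp"
        return 1
    fi
    # Same directory, so the rename is atomic: sudo never sees a partial file.
    mv -f "$tmp" "$SUDOERS_D/$name"
}

# Usage (as root), with the rule from Solution 2:
#   install_sudoers_dropin vagrant 'vagrant ALL=NOPASSWD:ALL'
```

Run as root so the installed file is owned by root, which sudo requires for sudoers files.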