
I'm trying to allow a Bash script to run with sudo privileges (and without asking for the password) by editing the /etc/sudoers file with sudo visudo and placing ALL ALL = (root) NOPASSWD: /home/myUserName/scriptName in the last line of the file (since I know that the order in the /etc/sudoers file matters). However, it doesn't work. If it matters, I am running Kubuntu 24.04 LTS.

My full /etc/sudoers file as given by sudo visudo is:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap>

# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
Defaults        use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

ALL ALL = (root) NOPASSWD: /home/myUserName/scriptName

Importantly, since the only command (requiring sudo to succeed) that scriptName itself utilizes is dash ..., I also thought to try adding ALL ALL = (root) NOPASSWD: /usr/bin/dash, and it works. However, dash is quite a powerful command widely used elsewhere, so I am looking for an option to allow only the script itself to run as sudo.

2 Answers


Removing the option to prompt for a password for every action is extremely dangerous.

It can be done, assuming the risks involved.

Edit the /etc/sudoers file with visudo:

We must write the username. To be verbose, we search for the block:

# User privilege specification
root ALL=(ALL:ALL) ALL

And we write:

# User privilege specification
root ALL=(ALL:ALL) ALL
myUserName ALL=(ALL) NOPASSWD:ALL

To limit this to only one command, specify it with:

# User privilege specification
root ALL=(ALL:ALL) ALL
myUserName ALL=(ALL) NOPASSWD:/home/myUserName/scriptName
kyodake


The script contents could be overwritten and afterwards execute arbitrary commands without a password; use this method only if you are aware of the risks.

Make sure that the script used is in one of the secure paths of sudo (from /etc/sudoers):

## Use a hard-coded PATH instead of the user's to find commands.
## This also helps prevent poorly written scripts from running
## arbitrary commands under sudo.
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"

1. Create a new entry 95-sudoscript in the /etc/sudoers.d directory with visudo:

# This script runs under `sudo` without the need of a password
tiredUser ALL=(root) NOPASSWD:/usr/local/bin/script_name

If possible, restrict to a single user running the script.

Save your script script_name to /usr/local/bin/. Now the script /usr/local/bin/script_name can be executed with sudo script_name without a password.

This was tested under Kubuntu 25.04 with

Sudo version 1.9.16p2
Sudoers policy plugin version 1.9.16p2
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.16p2
Sudoers audit plugin version 1.9.16p2
emk2203
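The overwrite risk the second answer raises is the reason the question's rule (a NOPASSWD target inside the user's own home directory) is a bad idea even when it works. As an added example that is not part of either answer, the POSIX sh functions below pull the command path out of each NOPASSWD rule in sudoers-style text and report whether that path, and the directory holding it, are root-owned and not writable by group or others. It assumes a Linux host with GNU stat (the `-c` format is not portable); the sample rules are constructed from the lines on this page.

```shell
# Print the first word after NOPASSWD: on one sudoers rule line, if any.
nopasswd_target() {
    case "$1" in
        \#*) ;;                                   # comment line: no target
        *NOPASSWD:*)
            rest=${1##*NOPASSWD:}
            rest=${rest#"${rest%%[![:space:]]*}"}  # trim leading whitespace
            set -- $rest                           # first word is the command
            printf '%s\n' "$1" ;;
    esac
}

# Verdict for one path: "ok" only when it exists, is owned by root (uid 0)
# and has no group/other write bit; otherwise the reason.
path_verdict() {
    [ -e "$1" ] || { echo missing; return; }
    set -- $(stat -c '%u %a' "$1")                 # GNU stat: uid, octal mode
    [ "$1" = 0 ] || { echo not-root-owned; return; }
    case "${2#"${2%??}"}" in                       # last two octal digits
        [2367]*|?[2367]) echo group-or-world-writable; return ;;
    esac
    echo ok
}

# A NOPASSWD target must pass for the file and for its directory: a writable
# directory lets the file be replaced even when the file itself is locked down.
target_verdict() {
    v=$(path_verdict "$1")
    [ "$v" = ok ] || { echo "$v"; return; }
    d=$(path_verdict "$(dirname "$1")")
    [ "$d" = ok ] || { echo "dir-$d"; return; }
    echo ok
}

# Read sudoers text on stdin; print "<verdict> <path>" per NOPASSWD rule.
audit_sudoers() {
    while IFS= read -r line; do
        t=$(nopasswd_target "$line")
        if [ -n "$t" ]; then
            printf '%s %s\n' "$(target_verdict "$t")" "$t"
        fi
    done
}

# Constructed sample: the question's last line and the second answer's rule.
SAMPLE_RULES='root ALL=(ALL:ALL) ALL
ALL ALL = (root) NOPASSWD: /home/myUserName/scriptName
tiredUser ALL=(root) NOPASSWD:/usr/local/bin/script_name'

printf '%s\n' "$SAMPLE_RULES" | audit_sudoers
```

On a real host, pipe `sudo cat /etc/sudoers /etc/sudoers.d/*` into `audit_sudoers`; anything other than `ok` marks a rule whose target someone other than root could rewrite.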