On one particular machine I often need to run sudo commands every now and then.
I am fine with entering password on sudo in most of the cases.
However there are three sudo commands I want to run without entering password:
sudo rebootsudo shutdown -r nowsudo shutdown -P nowHow can I exclude these commands from password protection to sudo?
NOPASSWD directiveYou can use the NOPASSWD directive in your /etc/sudoers file.
If your user is called user and your host is called host you could add these lines to /etc/sudoers:
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
This will allow the user user to run the desired commands on host without entering a password. All other sudoed commands will still require a password.
The commands specified in the sudoers file must be fully qualified (i.e. using the absolute path to the command to run) as described in the sudoers man page. Providing a relative path is considered a syntax error.
If the command ends with a trailing / character and points to a directory, the user will be able to run any command in that directory (but not in any sub-directories therein). In the following example, the user user can run any command in the directory /home/someuser/bin/:
user host = (root) NOPASSWD: /home/someuser/bin/
Note: Always use the command visudo to edit the sudoers file to make sure you do not lock yourself out of the system – just in case you accidentally write something incorrect to the sudoers file. visudo will save your modified file to a temporary location and will only overwrite the real sudoers file if the modified file can be parsed without errors.
/etc/sudoers.d instead of modifying /etc/sudoersAs an alternative to editing the /etc/sudoers file, you could add the two lines to a new file in /etc/sudoers.d e.g. /etc/sudoers.d/shutdown. This is an elegant way of separating different changes to the sudo rights and also leaves the original sudoers file untouched for easier upgrades.
Note: Again, you should use the command visudo to edit the file to make sure you do not lock yourself out of the system:
sudo visudo -f /etc/sudoers.d/shutdown
This also automatically ensures that the owner and permissions of the new file is set correctly.
sudoers is messed upIf you did not use visudo to edit your files and then accidentally messed up /etc/sudoers or messed up a file in /etc/sudoers.d then you will be locked out of sudo.
The solution could be to fix the files using pkexec which is an alternative to sudo.
To fix /etc/sudoers:
pkexec visudo
To fix /etc/sudoers.d/shutdown:
pkexec visudo -f /etc/sudoers.d/shutdown
If the ownership and/or permissions are incorrect for any sudoers file, the file will be ignored by sudo so you might also find yourself locked out in this situation. Again, you can use pkexec to fix this.
The correct permissions should be like this:
$ ls -l /etc/sudoers.d/shutdown
-r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown
Use pkexec like this to fix ownership and permissions:
pkexec chown root:root /etc/sudoers.d/shutdown
pkexec chmod 0440 /etc/sudoers.d/shutdown
Sorry but there's so much confusion over this and some really complicated answers, that i feel i must weigh in here before someone misunderstands and does something crazy.
Using visudo!!
visudo
Add the following lines to the config:
ALL ALL=NOPASSWD: /sbin/reboot,/sbin/shutdown
This allows the commands, reboot and shutdown with any parameters to be executed from any user. The first "ALL" refers to the users, so it means ALL users. The second ALL refers to ALL hosts.
For a more verbose explanation see man sudoers as this provides further examples and these examples are several pages down but they are actually there if you dig deep enough.
Please stackexchange, just give simple, succinct answers.
The answer mentioning to set a host confused me, as I want to be able to have a sudo user be able to run privileged commands without requiring to consider such "host aspect"; any host should work, hence I use the special ALL reserved word.
Let's assume you want all sudo users (i.e., Unix users which are members of the Unix group sudo) to run the following commands as superuser (root) without having to enter their passwords:
sudo iftopsudo dbus-monitor --systemFirst find out the executable's full path using which:
which iftop > /usr/sbin/iftopwhich dbus-monitor > /usr/bin/dbus-monitorAssuming the main sudo configuration file etc/sudoers contains the following directive (an Ubuntu default) ...
#includedir /etc/sudoers.d
... then it is a best practice to add your configuration in its own separate file within the /etc/sudoers.d/ directory, e.g. /etc/sudoers.d/customizations. This way, you will not run into problems when an update to the original sudo package wants to change the original /etc/sudoers file and the package manager notices conflicting edits done by you.
Run the following command to create and edit your own sudo customization file:
sudo visudo -f /etc/sudoers.d/customizations
Using the visudo command makes sure that there are no syntax erros in the file when saving it - syntax errors would otherwise make sudo fail to read all its configuration files, thereby breaking any subsequent sudo usage, effectively locking you out from any superuser usage, including fixing the syntax erros.
Now add the following lines to this file and save it:
%sudo ALL=NOPASSWD: /usr/sbin/iftop
%sudo ALL=NOPASSWD: /usr/bin/dbus-monitor --system
The %sudo at the beginning of these lines indicate they are rules for all members of group ("%") sudo.
Changes to sudo configuration files, including new files within the /etc/sudoers.d/ directory, take effect immediately - no sudo "restart" required.
Now notice what happens when running the following commands: (for testing purposes, any current sudo ticket, i.e. the timespan without requiring to reenter the password, can be directly revoked/timed-out by executing sudo -k)
iftop: fails with You don't have permission to capture on that device (socket: Operation not permitted). This is because running the configured commands without the sudo prefix behave unprivileged as usual.sudo iftop: this command will now run successfully without requiring a password.sudo iftop -B ("display bandwidth in bytes"): this command will also run successfully without requiring a password, because, as man sudoers explains, "a simple file name [without parameters, in the configuration file] allows the user to run the command with any arguments they wish."sudo dbus-monitor: the system will ask for password, because, as man sudoers explains, "if a [command, in the configuration file] has associated command line arguments, then the arguments in the [command] must match exactly those given by the user on the command line (or match the wildcards if there are any)."sudo dbus-monitor --system: this command will now run successfully without requiring a password.sudo dbus-monitor --system --foo: the system will ask for password, as the arguments don't match the configuration.Coming back to the initial question, for all users in the sudo group to be allowed to run the following commands without asking for their passwords ...
sudo reboot
sudo shutdown -r now
sudo shutdown -P now
... create a sudo configuration file with the following content (assuming Ubuntu standard locations for the executables reboot and shutdown):
%sudo ALL=NOPASSWD: /usr/sbin/reboot
%sudo ALL=NOPASSWD: /usr/sbin/shutdown -r now
%sudo ALL=NOPASSWD: /usr/sbin/shutdown -P now
Notice with this configuration, any sudo user can now also run sudo reboot ... with any arguments, flags, and parameters without having to provide a password, including e.g. sudo reboot --poweroff --force.
If this is not desired, but instead only sudo reboot without any arguments/flags/parameters shall be allowed, its configuration line has to be changed to ...
%sudo ALL=NOPASSWD: /usr/sbin/reboot ""
... because as man sudoers explains: "you can specify "" to indicate that the command may only be run without command line arguments."
