292

How does the ubuntu user on the AWS images for Ubuntu Server 12.04 have passwordless sudo for all commands when there is no configuration for it in /etc/sudoers?

I'm using Ubuntu server 12.04 on Amazon. I want to add a new user that has the same behavior as the default Ubuntu user. Specifically I want passwordless sudo for this new user.

So I've added a new user and went to edit /etc/sudoers (using visudo of course). From reading that file it seemed like the default ubuntu user was getting it's passwordless sudo from being a member of the admin group. So I added my new user to that. Which didn't work. Then I tried adding the NOPASSWD directive to sudoers. Which also didn't work.

Anyway, now I'm just curious. How does the ubuntu user get passwordless privileges if they aren't defined in /etc/sudoers. What is the mechanism that allows this?

Peachy
  • 7,235
  • 10
  • 40
  • 47
aychedee
  • 8,347

7 Answers7

399

Okay, I have discovered the answer so may as well put it here for completeness. At the end of /etc/sudoers there is what I thought was just a comment:

#includedir /etc/sudoers.d

However this actually includes the contents of that directory. Inside of which is the file /etc/sudoers.d/90-cloudimg-ubuntu. Which has the expected contents

# ubuntu user is default user in cloud-images.
# It needs passwordless sudo functionality.
ubuntu ALL=(ALL) NOPASSWD:ALL

So that is where the sudo configuration for the default ubuntu user lives.

You should edit this file using visudo. The following command will let you edit the correct file with visudo. 

sudo visudo -f /etc/sudoers.d/90-cloudimg-ubuntu

And add a line like:

aychedee ALL=(ALL) NOPASSWD:ALL

At the end.

aychedee
  • 8,347
114

I found that the most straight forward thing to do, in order to easily replicate this behavior across multiple servers, was the following:

sudo visudo

Change this line:

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL

to this line:

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) NOPASSWD:ALL

And move it under this line:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

you should now have this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


Host alias specification


User alias specification


Cmnd alias specification


User privilege specification


root    ALL=(ALL:ALL) ALL


Allow members of group sudo to execute any command


%sudo   ALL=(ALL:ALL) ALL


Members of the admin group may gain root privileges


%admin  ALL=(ALL) NOPASSWD:ALL


See sudoers(5) for more information on "#include" directives:


#includedir /etc/sudoers.d

then for every user that needs sudo access WITH a password:

sudo adduser <user> sudo

and for every user that needs sudo access WITH NO password:

sudo adduser <user> admin

(on older versions of ubuntu, you may need to):

sudo service sudo restart

And that's it!

Edit: You may have to add the admin group as it might not exist depending on OS version.

sudo groupadd admin

You can also add the default AWS ubuntu user to the admin group via this command:

sudo usermod ubuntu -g admin

Note: As @hata mentioned, you may need to use adm as your admin group name, depending on which version of Ubuntu is being used.

jiminikiz
  • 1,295
9

I would create my own file under /etc/sudoers.d/ directory - the file created by Amazon Cloud might be overwritten in case of any update. After creating your file in /etc/sudoers.d, add this entry,

<your user name> ALL=(ALL) NOPASSWD:ALL

Reboot the system and this will work.

WaughWaugh
  • 191
7

Short answer without using any editor (tested on bash, very risky to execute on remote hosts).

Configure sudo to work without a password for the current user:

echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers

Check the edit with:

sudo visudo -c

Verify if you can use sudo without a password:

sudo cat /etc/sudoers | grep "$USER"

...or simply try it with:

sudo <anything>
David Eison
  • 103
user315445
  • 127
2

As I was researching this, I realized that there's a line in the /etc/sudoers file that is not a comment, but a directive that makes any file or folder under the directory /etc/sudoers/* override the contents of /etc/sudoers.

This is a sneaky little directive, as it appears to be a commented line upon first glance. It looks like this:

#includedir /etc/sudoers.d

This is how I've implemented the non-root, passwordless user in an ephemeral Docker Image for use in a CICD pipeline with the base image of ubuntu:18.04:

RUN \
  useradd -U foo -m -s /bin/bash -p foo -G sudo && passwd -d foo && passwd -d root && \
  sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
  sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
  sed -i /etc/sudoers -re 's/^#includedir.*/## Removed the #include directive! ##"/g' && \
  echo "Customized the sudoers file for passwordless access!" && \
  echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
  echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
  echo "foo user:";  su foo -c 'whoami && id' && \
  echo "root user:"; su root -c 'whoami && id'

What happens with the above code:

  • The user and group foo is created.
  • The user foo is added to the both the foo and sudo group.
  • The home directory is set to /home/foo.
  • The shell is set to /bin/bash.
  • The passwords for both foo and root are deleted.
  • The sed command does inline updates to the /etc/sudoers file to allow foo and root users passwordless access to the sudo command.
  • The sed command disables the #includedir directive that would allow any files in subdirectories to override these inline updates.
Seth Bergman
  • 336
0

In case you want to remove password

sudo passwd -d user

check more info about passwd command with passwd -h on ubuntu

edit: passwd command varies from system to system. for eg the -d flag is on ubuntu systems but not on macbooks

wild_dove22
  • 1
0

For some reason every answer here seems way longer than it should be or is unnecessarily complex.

Here's the fool-proof way to do it:

Run:

$ echo "$USER ALL=(ALL) NOPASSWD:ALL"

Copy the output of that.

Then run:

$ sudo visudo

Paste the line you copied in the previous step, at the bottom of this file.

Raleigh L.
  • 101