4

I want to implement a script to execute any command with root privileges, but without having to enter any password. At the terminal I would like to see it like this:

./newsudo "command with root privileges"

I think the way to go would be to use the "command with root privileges" as an argument inside the script, with an exec or similar, to execute it.

The truth is, I'm very noob in all this area and I don't know where to start.

Thanks!!

muru
Binkpang34

2 Answers

14

Create a generic command to run any (sub-) command as sudo, without password; is it possible?

Theoretically, what you ask is possible. Since it is possible to set an application in the sudoers file to run with arguments, we can make a command (script) to call, that runs with sudo, with the command in question as argument.

Should we do it?

NEVER, since it will break the principle of being an administrator. ANY malicious process could run code to destroy your system.

The bottom line is that I won't even post how to do that.


More do's and don'ts on running software without password

As mentioned by @Groundzero, you can add specific applications or scripts to the sudoers file, to run without password, as described here. However, keep in mind:

  • Do not add applications to the sudoers file which can be used to harm your system or do harmful things in general. Especially if the application has extensive CLI options.
  • Do not store scripts to run with sudo (without password) in a location where they can be edited without administrator's privileges. A simple edit by anyone (or any process) can make it do anything.
Jacob Vlijm
3

Just make a sudo rule granting the commands in question to the desired user/group with NOPASSWD: in front of the command. You don't need a new script, just something like this to grant the ability to run anything as root to everyone in the admins group with no password required:

%admins ALL = NOPASSWD: ALL

In general, requiring passwords on extra dangerous commands is a good idea, but your security policy is yours. There was some (now deleted) discussion on how this is insecure, and I agree: it is dangerous. It's almost always a bad idea to say "this user can run anything as root without re-validating their identity occasionally."

There are other forums dedicated to security, though. If the legitimate goal is to run arbitrary commands as root with no password, the above is just about the safest way to do so. The caveat being that anyone implementing this needs to be aware of the risks, including "anyone who can run a command with this user's privileges is effectively root." That includes things like downloaded scripts and possibly even malicious web pages, if the browser has a security hole. The separation between "non-privileged user" and "root" is pretty much gone with a rule like this in place. Buyer beware. :)
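
An added example, not part of either answer or of sudo itself: a small POSIX shell audit that flags the two risks raised in the answers above, a `NOPASSWD: ALL` rule and passwordless commands stored where they can be edited without administrator privileges. The function names and `TRUSTED_UID` are this example's own, and it assumes simple one-line rules with absolute command paths.

```shell
#!/bin/sh
# Added example: audit NOPASSWD rules in a sudoers-style file.
# Simplified on purpose: one rule per line, no aliases, includes or line
# continuations, and NOPASSWD: is assumed to cover the rest of the line.
# TRUSTED_UID is this sketch's own knob: the only uid allowed to own a
# passwordless command or its directory (0 = root on a real system).
TRUSTED_UID=${TRUSTED_UID:-0}

# Print why a path could be modified by someone other than the trusted uid.
# Prints nothing when the path looks safe or does not exist.
unsafe_path() {
    [ -e "$1" ] || return 0
    # -n prints numeric uids, -L follows symlinks to the real target
    meta=$(ls -ldnL "$1")
    # characters 6 and 9 of the mode string are the group/other write bits
    case $(printf '%s\n' "$meta" | cut -c6,9) in
        *w*) echo "group/other-writable"; return 0 ;;
    esac
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$owner" = "$TRUSTED_UID" ] || echo "owned by uid $owner"
}

# Report every passwordless rule that grants ALL, or whose command (or the
# directory holding it) can be changed without administrator privileges.
audit_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' |
    while IFS= read -r rule; do
        printf '%s\n' "${rule#*NOPASSWD:}" | tr ',' '\n' |
        while read -r cmd _args; do
            if [ "$cmd" = ALL ]; then
                echo "CRITICAL any command without a password: $rule"
                continue
            fi
            # skip anything that is not an absolute path (aliases, negations)
            case $cmd in /*) ;; *) continue ;; esac
            for p in "$cmd" "$(dirname "$cmd")"; do
                why=$(unsafe_path "$p")
                if [ -n "$why" ]; then echo "WARN $p is $why: $rule"; fi
            done
        done
    done
    return 0
}
```

Call it as `audit_nopasswd /path/to/sudoers-copy`; reading the live `/etc/sudoers` and the files under `/etc/sudoers.d` requires root.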