You had a NOPASSWD rule applied to your user in some file in /etc/sudoers.d. Use sudo grep NOPASSWD /etc/sudoers.d -R to find out which.
Your /etc/sudoers is not the default, however. The default sudoers can be obtained by looking at the sudo package:
$ apt-get download sudo
Get:1 http://mirror.cse.iitk.ac.in/ubuntu xenial-updates/main amd64 sudo amd64 1.8.16-0ubuntu1.1 [389 kB]
Fetched 389 kB in 0s (4,750 kB/s)
$ dpkg-deb --fsys-tarfile sudo*.deb | tar x ./etc/sudoers
$ cat etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
This is rather different from what you have. Restore /etc/sudoers to the default.
For excluding specific commands from requiring a password, see How do I run specific sudo commands without a password?
Sometimes running a process from root's crontab may cause issues with initial file ownership and rwx mode; those may not be correctly preserved.
In any case:
1) to create a new user, keep it simple:
$ sudo deluser my-user # if "my-user" is a regular user
$ adduser my-user
$ sudo gpasswd -a my-user sudo
2) to include a new entry with a NOPASSWD tag in sudoers or in a file (e.g. /etc/sudoers.d/60_my-user_rules), make the colon stick to the tag, i.e. NOPASSWD:
I've not seen it before with an interspersed space, and your rule becomes:
my-user my-host = NOPASSWD: /full/path/to/cmd [parameter1 [| parameter2 [| ...]]]
Adding (ALL) before the NOPASSWD: is optional as the rule defaults to (ALL:ALL) anyway. You may however want to not only run your cmd/script with root privilege but also run it as either a given user (spec-user) or as a member of a given group (spec-group) or both. In that case, the rule becomes:
my-user my-host = ([spec-user][:spec-group]) NOPASSWD: /full/path/to/cmd [parameter1 [| parameter2 [| ...]]]
This will actually restrict your passwordless sudo disposition to one user, one host and one command. You can harden this rule by specifying the optional parameter(s) to that command. In that case the rule will apply only for that/those exact parameter(s).
For scripts, you could further harden this rule by ensuring that the rule applies only if the script was not modified in any way. This is a way to avoid script-hijacking. This is done through cmd-aliasing and specifying SHA-sums in /etc/sudoers.d/60_my-user_rules.
HTH. Please report if you experience issues with that answer.
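The digest-pinned rule mentioned at the end of the answer above, as an added example that is not part of the original answer: it builds the Cmnd_Alias with a SHA-256 digest and checks later whether the script still matches it. The names my-user, my-host, MY_SCRIPT and my-script.sh are hypothetical, and it assumes a sudo build that supports digests in sudoers(5).

```shell
#!/bin/sh
# Added example. User, host, alias and script names below are placeholders.

# pinned_rule USER HOST ALIAS SCRIPT
# Print a Cmnd_Alias bound to SCRIPT's current SHA-256 digest, followed by
# a NOPASSWD rule limited to that alias (one user, one host, one command).
pinned_rule() {
    user=$1 host=$2 name=$3 script=$4
    case $script in
        ''|[!/]*|*[[:space:]]*)
            echo "error: need an absolute path without whitespace" >&2
            return 1 ;;
    esac
    case $name in
        ''|[!A-Z]*|*[!A-Z0-9_]*)
            echo "error: alias must match [A-Z][A-Z0-9_]*" >&2
            return 1 ;;
    esac
    [ -f "$script" ] || { echo "error: no such file: $script" >&2; return 1; }
    digest=$(sha256sum "$script" | cut -d' ' -f1)
    printf 'Cmnd_Alias %s = sha256:%s %s\n' "$name" "$digest" "$script"
    printf '%s %s = NOPASSWD: %s\n' "$user" "$host" "$name"
}

# rule_is_current FILE
# Succeed only if every digest pinned in FILE still matches the file on disk.
# Fails closed when FILE contains no pinned alias at all.
rule_is_current() {
    sed -n 's|^Cmnd_Alias [A-Z][A-Z0-9_]* = sha256:\([0-9a-f]\{64\}\) \(/.*\)$|\1  \2|p' "$1" |
        sha256sum -c - >/dev/null 2>&1
}

# Demo on a constructed script in a temporary directory.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho backup\n' > "$demo_dir/my-script.sh"
pinned_rule my-user my-host MY_SCRIPT "$demo_dir/my-script.sh" > "$demo_dir/rules"
cat "$demo_dir/rules"
rule_is_current "$demo_dir/rules" && echo "digest matches"
echo '# edited' >> "$demo_dir/my-script.sh"
rule_is_current "$demo_dir/rules" || echo "script changed: pinned rule no longer matches"
rm -rf "$demo_dir"
```

Check the generated file with visudo -cf before placing it in /etc/sudoers.d. Keep the script and its parent directory writable by root only, since sudoers(5) notes a race if the invoking user can write to either.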
Best Answer
You can configure sudo to never ask for your password. Open a Terminal window and type:
In the bottom of the file, add the following line:
Where $USER is your username on your system. Save and close the sudoers file (if you haven't changed your default terminal editor (you'll know if you have), press Ctrl + x to exit nano and it'll prompt you to save).
As of Ubuntu 19.04, the file should now look something like
After this you can type sudo <whatever you want> in a Terminal window without being prompted for the password. This only applies to using the sudo command in the terminal. You'll still be prompted for your password if you (for example) try to install a package from the software center