Ubuntu – How to always enforce sudo password for specific command

command lineserversudo

The other day I was doing some maintenance tasks on my web server. I was in hurry and sleepy, so I did everything using sudo command.

And then, I accidentally pressed Ctrl+V, sending this command to my web server:

sudo rm -rf /*

For those wondering what above command does: This deleted my whole web server

Luckily, I had backups and sadly, I had to spend two more hours being awake to fix this awesome error. But since then, I have been wondering:

Is there a way to always enforce sudo password for specific command?

If the server asked me for a password, I would save myself from lot of trouble. It did not, because I ran about 5 sudo commands before this majestic error.

So, is there a way to do it? I just need the password with the rm command to always be enforced. Other commands I am using are usually nano or cp which both are (to some extent) revertable.

Best Answer

You can set the timestamp_timeout to 0 for particular commands in /etc/sudoers. Create a file visudo -f /etc/sudoers.d/pduck with the following content:

Cmnd_Alias DANGEROUS = /bin/rm

Defaults!DANGEROUS timestamp_timeout=0

pduck ALL = (ALL:ALL) DANGEROUS

Now the user pduck is always asked for a password when running sudo rm (no matter what additional parameters are given) even though the user is member of the sudo group and sudo remembers his password for other commands.

The downside is that you cannot easily add parameters to the /bin/rm line in the file to further restrict this. Well… you can, like:

Cmnd_Alias DANGEROUS = /bin/rm -f

but then you just get prompted for exactly sudo rm -f and not (again) for sudo rm -rf, for example.

Related Solutions

Ubuntu – How to allow execution without prompting for password using sudo

You need to do the following, on the terminal type sudo visudo and add a line like this at the end of the file specifying the commands you want to run without typing the sudo password (I suggest you use each command you want to use in the program and not just allow all programs to be executed by this)

<yourusername> ALL=NOPASSWD: <command1>, <command2>

Now you can run the specified commands without password as long as you type that command with sudo.

ie: lets say you want to run shutdown -r now without having to type sudo password every time and your username is 'joedoe'

type sudo visudo on a terminal
Add joedoe ALL=NOPASSWD: /usr/sbin/shutdown -r now as a new line at the end of the file, use absolute paths to the program you are trying to use.
on your program you can then use sudo shutdown -r now without having to type the sudo password.

You can find the absolute path to a program by using which <program name> on a terminal.

Its a very dirty trick wish leaves your system open for other dangers but I am guessing you know what you are doing and want this.

Edit

You really need to make sure that the permitions you are setting are at the end of the file so that nothing is overwritten by the groups permissions.

Ubuntu – No password prompt at sudo command

Edit /etc/sudoers using sudo visudo, and remove the last line:

ALL ALL=(ALL) NOPASSWD:ALL

(By the way, please note that this line at the end of the file is not the preferred way to make sudo not prompt for a password, for those who want to do that.)

Best Answer

Related Solutions

Ubuntu – How to allow execution without prompting for password using sudo

Ubuntu – No password prompt at sudo command

Related Question