Ubuntu – How to avoid password request for sudo for crontab scripts

bashcommand linecronpasswordsudo

I need that a new user could execute sudo without any request of password, because this user has in crontab a .sh that uses sudo for some commands.

I created a new user on my ubuntu server 16.04 x64

adduser my-user sudo
gpasswd -a my-user sudo

Then using visuo i added this line, based on this question

my-user ALL=(ALL) NOPASSWD : ALL

Then rebooted

After reboot I logged in using my-user and tried to do sudo clear, but it ask me the sudo password.

NOTE: I've added the crontab using crontab -e my-user so I suppose my script is executed as my-user. In fact, the crontabbed script crashes telling me in the log about a sudo request of password. I really need to execute the script in this way to be able to create file with my-suer as owner.

Please tell me if some steps/lines were not needed and how to make able my-user to execute sudo without password request.

Thanks

PS: I seen this question, but I'm not able to make it working so I need a more precise explanation, because my situation is different: i'm running a crontab script and I need it do not ask for sudo password

Best Answer

Sometimes running a process from root's crontab may cause issues with initial file ownership and rwx mode; those may not be correctly preserved.

In any case:

1) to create a new user, keep it simple:

 $ sudo deluser my-user  # if "my-user" is a regular user
 $ adduser my-user
 $ sudo gpasswd -a my-user sudo

2) to include a new entry with a NOPASSWD tag in sudoers or in a file (e.g. /etc/sudoers.d/60_my-user_rules), make the colon stick to the tag, i.e. NOPASSWD:
I've not seen it before with interspersed space and yr rule becomes:

 my-user my-host = NOPASSWD: /full/path/to/cmd [parameter1 [| parameter2 [| ...]]]

Adding (ALL) before the NOPASSWD: is optional as the rule defaults to (ALL:ALL) anyway. You may however want to not only run your cmd/script with root privilege but also run it as either a given user (spec-user) or as a member of a given group (spec-group) or both. In that case, the rule becomes:

 my-user my-host = ([spec-user][:spec-group]) NOPASSWD: /full/path/to/cmd [parameter1 [| parameter2 [| ...]]]

This will actually restrict yr passwordless sudo disposition to one user, one host and one command. You can harden this rule by specifying the optional parameter(s) to that command. In that case the rule will apply only for that/those exact parameter(s).
For scripts, you could further harden this rule by ensuring that the rule applies only if the script was not modified in any way. This is a way to avoid script-hijacking. This is done through cmd-aliasing and specifying SHA-sums in /etc/sudoers.d/60_my-user_rules.

HTH. Please report if you experience issues with that answer.

Related Solutions

Ubuntu – How to prevent system applications (like the Software Center) from asking for password

Ubuntu Software Center authorization uses policy kit. When requested for the authentication during the remove action you can expand the "Details" pointer to see the action that is being invoked. It's org.debian.apt.install-or-remove-packages . You can change the corresponding policy to not request for authentication:

Edit /usr/share/polkit-1/actions/org.debian.apt.policy, search for org.debian.apt.install-or-remove-packages, then find for the defaults section, replace auth_admin and auth_admin_keep with yes .

Ubuntu – How to allow execution without prompting for password using sudo

You need to do the following, on the terminal type sudo visudo and add a line like this at the end of the file specifying the commands you want to run without typing the sudo password (I suggest you use each command you want to use in the program and not just allow all programs to be executed by this)

<yourusername> ALL=NOPASSWD: <command1>, <command2>

Now you can run the specified commands without password as long as you type that command with sudo.

ie: lets say you want to run shutdown -r now without having to type sudo password every time and your username is 'joedoe'

type sudo visudo on a terminal
Add joedoe ALL=NOPASSWD: /usr/sbin/shutdown -r now as a new line at the end of the file, use absolute paths to the program you are trying to use.
on your program you can then use sudo shutdown -r now without having to type the sudo password.

You can find the absolute path to a program by using which <program name> on a terminal.

Its a very dirty trick wish leaves your system open for other dangers but I am guessing you know what you are doing and want this.

Edit

You really need to make sure that the permitions you are setting are at the end of the file so that nothing is overwritten by the groups permissions.

Best Answer

Related Solutions

Ubuntu – How to prevent system applications (like the Software Center) from asking for password

Ubuntu – How to allow execution without prompting for password using sudo

Related Question