Ubuntu – How to run specific sudo commands without a password

passwordsudo

On one particular machine I often need to run sudo commands every now and then.
I am fine with entering password on sudo in most of the cases.

However there are three sudo commands I want to run without entering password:

  • sudo reboot
  • sudo shutdown -r now
  • sudo shutdown -P now

How can I exclude these commands from password protection to sudo?

Best Answer

Use the NOPASSWD directive

You can use the NOPASSWD directive in your /etc/sudoers file.

If your user is called user and your host is called host you could add these lines to /etc/sudoers:

user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot

This will allow the user user to run the desired commands on host without entering a password. All other sudoed commands will still require a password.

The commands specified in the sudoers file must be fully qualified (i.e. using the absolute path to the command to run) as described in the sudoers man page. Providing a relative path is considered a syntax error.

If the command ends with a trailing / character and points to a directory, the user will be able to run any command in that directory (but not in any sub-directories therein). In the following example, the user user can run any command in the directory /home/someuser/bin/:

user host = (root) NOPASSWD: /home/someuser/bin/

Note: Always use the command visudo to edit the sudoers file to make sure you do not lock yourself out of the system – just in case you accidentally write something incorrect to the sudoers file. visudo will save your modified file to a temporary location and will only overwrite the real sudoers file if the modified file can be parsed without errors.

Using /etc/sudoers.d instead of modifying /etc/sudoers

As an alternative to editing the /etc/sudoers file, you could add the two lines to a new file in /etc/sudoers.d e.g. /etc/sudoers.d/shutdown. This is an elegant way of separating different changes to the sudo rights and also leaves the original sudoers file untouched for easier upgrades.

Note: Again, you should use the command visudo to edit the file to make sure you do not lock yourself out of the system:

sudo visudo -f /etc/sudoers.d/shutdown 

This also automatically ensures that the owner and permissions of the new file is set correctly.

If sudoers is messed up

If you did not use visudo to edit your files and then accidentally messed up /etc/sudoers or messed up a file in /etc/sudoers.d then you will be locked out of sudo.

The solution could be to fix the files using pkexec which is an alternative to sudo.

To fix /etc/sudoers:

pkexec visudo

To fix /etc/sudoers.d/shutdown:

pkexec visudo -f /etc/sudoers.d/shutdown

If the ownership and/or permissions are incorrect for any sudoers file, the file will be ignored by sudo so you might also find yourself locked out in this situation. Again, you can use pkexec to fix this.

The correct permissions should be like this:

$ ls -l /etc/sudoers.d/shutdown 
-r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown

Use pkexec like this to fix ownership and permissions:

pkexec chown root:root /etc/sudoers.d/shutdown
pkexec chmod 0440 /etc/sudoers.d/shutdown
Related Question