Preface
This is a fairly complex question related to the Sudoers file and the sudo command in general.
NOTE: I have made these changes on a dedicated machine running Ubuntu Desktop 13.04, that I use purely for learning purposes. I understand it's a huge security risk to enable NOPASSWD sudo.
Question
Initially, my only change to the sudoers file (/etc/sudoers) was one line, a user specification that should have enabled 'nicholsonjf' to run all commands with sudo without having to enter a password (see the line that starts with 'nicholsonjf'):
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
nicholsonjf ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
However, this did not work, and I was still prompted for my password every time I ran a command as 'nicholsonjf'. I was only able to start running sudo commands as 'nicholsonjf' once I removed 'nicholsonjf' from the sudo and admin groups.
Can anyone explain why this worked?
Is it because the user 'nicholsonjf' was inheriting sudo rights from the two group specifications of 'admin' and 'sudo' (seen below in the sudoers file), which were overriding the 'nicholsonjf' user specification because they were further down in the config file?
Best Answer
The line you added was overridden. From
man sudoers
:In your case
nicholsonjf
was a member of the groupsudo
so for him this line applied:If you want to override entries in
/etc/sudoers
just put the new entries after them.The new entry should look like
myuser ALL=(ALL) NOPASSWD: ALL
for a single user, or%sudo ALL=(ALL) NOPASSWD: ALL
for a group.