The line you added was overridden. From man sudoers
:
When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
In your case nicholsonjf
was a member of the group sudo
so for him this line applied:
%sudo ALL=(ALL:ALL) ALL
If you want to override entries in /etc/sudoers
just put the new entries after them.
The new entry should look like
myuser ALL=(ALL) NOPASSWD: ALL
for a single user, or
%sudo ALL=(ALL) NOPASSWD: ALL
for a group.
As this question says, /etc/sudoers
is a system-wide configuration file that can be automatically changed by system upgrades and is highly fragile to improper changes. You can potentially lose access or make your system unbootable with an improper change.
$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
(... some other content ...)
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Contrary to what you might expect, the #includedir
directive is not a comment. It has the effect of causing sudo
to also read and parse any files in the /etc/sudoers.d
directory (that do not end in '~' or contain a '.' character).
$ ls -l /etc/sud*
-r--r----- 1 root root 755 sty 20 17:03 /etc/sudoers
/etc/sudoers.d:
total 7
-r--r----- 1 root root 958 mar 30 2016 README
$ sudo cat /etc/sudoers.d/README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
# #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#
# Note also, that because sudoers contents can vary widely, no attempt is
# made to add this directive to existing sudoers files on upgrade. Feel free
# to add the above directive to the end of your /etc/sudoers file to enable
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#
Unlike /etc/sudoers
, the contents of /etc/sudoers.d
survive system upgrades, so it's preferrable to create a file there than to modify /etc/sudoers
.
You might want to edit files in this directory with the visudo
command:
$ sudo visudo -f /etc/sudoers.d/veracrypt
GNU nano 2.5.3 File: /etc/sudoers.d/veracrypt.tmp
# Users in the veracryptusers group are allowed to run veracrypt as root.
%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt
Please note that visudo
may use a different editor instead of nano
as described at https://help.ubuntu.com/community/Sudoers
Here are a few more links that I found helpful:
Best Answer
It's not necessarily explicitly stored; which subset of commands you'd be able to run is inferred by how your
/etc/sudoers
is structured; and/etc/sudoers
doesn't necessarily need to address single users. I bet your/etc/sudoers
has this line in it?Which means in this case your privileges are inferred from the groups you belong to (namely, in this case,
sudo
).