Thursday, November 26, 2009

sudo without password

"Sudo" is a great security enhancement: instead of having an active root account that could be attacked, even remotely, and yet another password that could be forgotten, sudo lets specific users run specific commands with root privileges. There's a lot more to it, so I highly recommend you read the man pages for sudo, sudo_root and sudoers.

On some systems, under certain circumstances, a tradeoff between security and convenience can be made by lowering security a little to raise convenience a bit: allowing sudo usage for specific users without requiring a password. For example, on a server without passwords (accessed only through SSH with pubkey authentication), sudo without password is an interesting option. Keep in mind what you give up: anyone who obtains that user's SSH private key or an unlocked session gets root without any further challenge, so the key and the session deserve the same care you would give the root password.

The normal way to set it up would be to edit the sudo configuration file /etc/sudoers using the visudo command (which would be run with sudo: sudo visudo). The stock file already contains a commented-out entry which would allow members of the group "sudo" to not need a password, but sudo applies the last matching entry, so it would be overridden by the later entry which lets members of the "admin" group gain root privileges (with a password) for any user in both groups. The entry therefore needs to be added at the very end of this file.

Using visudo to edit /etc/sudoers is recommended because it properly locks the file to prevent simultaneous edits and refuses to save a file it cannot parse (a corrupt sudoers file would prevent you from gaining root privileges and lock you out of your system if the root account is locked, as it should be). However, I prefer to enable sudo without password by running a one-liner command:

sudo sed -i~ '$a\\n%sudo ALL=NOPASSWD: ALL' /etc/sudoers

This command appends "%sudo ALL=NOPASSWD: ALL" to the end of /etc/sudoers, which you would otherwise have to do manually. It relies on GNU sed: "-i~" edits the file in place and leaves a backup in /etc/sudoers~, and "$a\" appends the text after the last line. Since it bypasses visudo's syntax check, run "sudo visudo -c" afterwards to confirm the file still parses before you close your root shell.

Now all members of the group "sudo" will be able to use sudo without a password. By default, the "sudo" group is empty, so you'll want to at least add yourself to this group (group membership is picked up at your next login, so log out and back in before testing):

sudo adduser "$USER" sudo

Another possibility would be to use the "admin" group instead of the group "sudo" - then the one-liner would look like this:

sudo sed -i~ 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD: ALL/' /etc/sudoers

Since you're already part of the "admin" group (on Ubuntu, the account created at installation is a member), that's the only command you'd need to run.
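As an added example (not the post's own one-liner), here is the whole procedure above as a small POSIX sh script: it appends the NOPASSWD rule for a chosen group to a sudoers file, keeps a "~" backup the way "sed -i~" does, skips the append if the rule is already there, and then validates the result with "visudo -c -f", restoring the backup if visudo rejects the file. The function names, the rollback logic and the file argument (defaulting to /etc/sudoers) are this example's own. It appends for the "admin" group too instead of editing the existing "%admin" line in place; that works because sudo applies the last matching entry. Run it as root.

```shell
#!/bin/sh
# Added example, not the original post's command. Appends a NOPASSWD sudoers
# rule for GROUP, keeps a backup, and validates with visudo, rolling back on
# failure. Function names and rollback logic are this example's own.

# Print the sudoers rule for a group; usage: nopasswd_rule GROUP
nopasswd_rule() {
    printf '%%%s ALL=NOPASSWD: ALL\n' "$1"
}

# Return 0 if FILE already contains RULE as a complete line (idempotency check).
has_rule() {
    file=$1; rule=$2
    grep -qxF -- "$rule" "$file"
}

# Save FILE to FILE~ (like sed -i~) and append RULE after a blank line.
# sudoers uses last-match-wins, so appending guarantees the rule is not
# overridden by an earlier "%admin ALL=(ALL) ALL" style entry.
append_rule() {
    file=$1; rule=$2
    if has_rule "$file" "$rule"; then
        echo "rule already present in $file" >&2
        return 0
    fi
    cp -p -- "$file" "$file~" || return 1
    printf '\n%s\n' "$rule" >> "$file"
}

# Parse FILE with visudo's check mode; a hand-edited sudoers is never trusted
# without this, because an unparsable file locks everyone out of sudo.
validate_sudoers() {
    visudo -c -f "$1" >/dev/null
}

# Append the rule for GROUP to FILE, validate, and restore the backup if the
# result does not parse. Returns non-zero on any failure.
enable_nopasswd() {
    file=$1; group=$2
    rule=$(nopasswd_rule "$group")
    append_rule "$file" "$rule" || return 1
    if ! validate_sudoers "$file"; then
        echo "visudo rejected $file, restoring backup" >&2
        cp -p -- "$file~" "$file"
        return 1
    fi
}

# Usage: sudo sh enable_nopasswd.sh GROUP [SUDOERS]   (SUDOERS defaults to /etc/sudoers)
if [ "$#" -ge 1 ]; then
    enable_nopasswd "${2:-/etc/sudoers}" "$1"
fi
```

Run it as "sudo sh enable_nopasswd.sh sudo" for the "sudo" group variant or "sudo sh enable_nopasswd.sh admin" for the "admin" variant; in both cases a rejected edit leaves /etc/sudoers exactly as it was.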
