2

There is plenty of information on how to make sudo not prompt for passwords (NOPASSWD).

Let's say I have user alice, and this line in my sudoers:

alice ALL=(root) NOPASSWD: /bin/myadmintool

This works just fine. The user can run sudo /bin/myadmintool and do stuff.

However, if the user were to do this:

sudo /bin/bash

This is what happens:

$ sudo /bin/bash
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password:
Sorry, user alice is not allowed to execute '/bin/bash' as root on myhostname.

What I would like to happen is for sudo to jump directly to:

Sorry, user alice is not allowed to execute '/bin/bash' as root on myhostname. 

... without the password prompt.

How can I express this in the sudoers file, just for this user?

1
  • I don't think it is possible Commented Jun 17, 2014 at 21:20

2 Answers

4

After some closer reading of the sudoers man page, I did find a working solution!

My sudoers config for alice looks like this:

Defaults:alice !authenticate
alice ALL=(root) NOPASSWD: /bin/myadmintool

Keep in mind, this will essentially set NOPASSWD for ALL of alice's sudo lines. In my case, this was the intention.

Further Details

The authenticate option is defined in the manual as:

authenticate

If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is on by default.

The Defaults option lets you define a user, group, host list, etc, as per:

Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List

Since authenticate is a boolean configuration option, it can be negated/set to false by doing !authenticate.
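An added example, not part of the original answer: a Python audit check that lists which of a user's rules run without a password once `Defaults:<user> !authenticate` is set, relying on the man page text quoted above that an explicit PASSWD tag overrides the default. The sample sudoers text (including the `systemctl`, `reboot` and `bob` rules) and the function name are constructed for illustration; it assumes simple rules with literal user names, one host and one runas user, and no aliases or escaped commas.

```python
import re

# Constructed sample: the answer's two lines plus two hypothetical rules.
SAMPLE_SUDOERS = """\
Defaults:alice !authenticate
alice ALL=(root) NOPASSWD: /bin/myadmintool
alice ALL=(root) /usr/bin/systemctl restart myservice, PASSWD: /usr/sbin/reboot
bob   ALL=(root) /usr/bin/less /var/log/syslog
"""
DEFAULTS_RE = re.compile(r"^Defaults:(\S+)\s+(.*)$")
SPEC_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.*)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")

def passwordless_commands(text):
    """Commands each 'Defaults:<user> !authenticate' user runs unprompted."""
    no_auth, specs = set(), []
    # Join backslash continuations, then skip blanks and comment lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            for flag in (f.strip() for f in m.group(2).split(",")):
                if flag == "!authenticate":
                    no_auth.update(m.group(1).split(","))
                elif flag == "authenticate":  # a later Defaults re-enables it
                    no_auth.difference_update(m.group(1).split(","))
        elif not line.startswith("Defaults") and (m := SPEC_RE.match(line)):
            specs.append((m.group(1), m.group(2)))
    findings = {}
    for user, cmnd_list in specs:
        if user not in no_auth:
            continue
        tag = None  # PASSWD/NOPASSWD carries over to later commands in a list
        for cmnd in cmnd_list.split(","):
            cmnd = RUNAS_RE.sub("", cmnd.strip())
            while (m := TAG_RE.match(cmnd)):
                if m.group(1) in ("PASSWD", "NOPASSWD"):
                    tag = m.group(1)
                cmnd = m.group(2)
            if tag != "PASSWD":  # explicit PASSWD overrides !authenticate
                findings.setdefault(user, []).append(cmnd)
    return findings

if __name__ == "__main__":
    for user, cmnds in passwordless_commands(SAMPLE_SUDOERS).items():
        print(user, "runs without a password:", cmnds)
```

Rules that should keep their prompt under `!authenticate` need an explicit `PASSWD:` tag, which is why the constructed `reboot` rule is not reported.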

1

As a workaround, you can use non-interactive mode:

sudo -n echo test
sudo: a password is required

You can make an alias for this user:

alias sudo='sudo -n'

2
  • Yeah, but that is not configurable on sudoers, where the OP expects an answer. Commented Jun 17, 2014 at 21:22
  • @Marcel, that's why I said "workaround". It seems there is no way to make it through the sudoers file. Commented Jun 17, 2014 at 21:34
