215

How can passwordless sudo access be set up on either RHEL (Fedora, CentOS, etc.) or Ubuntu distributions? (If it's the same across distros, that's even better!)

Setting: personal and/or lab/training equipment with no concern for unauthorized access (i.e., the devices are on non-public networks, and any/all users are fully trusted, and the contents of the devices are "plain-vanilla").

warren
  • 2
    The answer from @Richipal is actually the one working best with the least effort: it seems sudoers rules apply in reverse order. – a1an Jun 04 '15 at 12:27
  • 3
    @a1an rules are applied in the same order as listed in the sudoers file, and as they are applied they kind of override each other. Hence if I do not want a rule to change at all I would put it towards the end of file so that it is applied at the last and cannot be overridden. – rsjethani Sep 04 '16 at 09:59

8 Answers

231

I'm switching this around a little bit from previous versions of this answer. I would suggest one of three approaches:

  • Recommended: make a group of users who can use sudo without a password:

    %wheel         ALL = (ALL) NOPASSWD: ALL
    

    and add all user accounts which people might use to this group.

  • Secure-ish but annoying: grant passwordless sudo access to an explicit list of users:

    User_Alias     EVERYONE = user1, user2, user3, ...
    EVERYONE       ALL = (ALL) NOPASSWD: ALL
    

    but you will have to edit the sudo configuration each time you want to change which users have access.

  • Insecure: if you really want to give all user accounts passwordless sudo access, thanks to a comment by medina, you can write

    ALL            ALL = (ALL) NOPASSWD: ALL
    

In each case, the lines in the code block should be added to /etc/sudoers (using the visudo command, of course, which will ensure that you haven't made any syntax errors), or to a file under /etc/sudoers.d if your system is set up to include those files in the sudo configuration (thanks Xetius). Note that lines in the sudo configuration are processed in order from top to bottom and later ones override earlier ones, so if you want to avoid something else overriding this, you should put it toward the end (thanks a1an).

The reason I recommend using a group rather than granting blanket passwordless sudo access to all users - even though I know that's what the question was asking for - is that, especially in the modern world, a significant security risk comes from compromise of other services running on the system. Sure, you might be able to totally trust all the real people who have access, but do you trust the mail server? The system logger? The Docker daemon? Whatever other services are running on the machine? And more to the point, do you trust whatever random person on the internet might have exploited a vulnerability in one of these services to make it do things? Giving passwordless sudo access to all users means that anyone who hacks into one of those services in a way that lets them execute commands can jump right to running commands as root, which probably means total compromise of the system. It's true that denying them access to sudo doesn't necessarily mean they can't compromise the system anyway, but you can at least make it harder for them.

Of course, different systems have different needs, and you might very well be in a situation where you really can trust that nobody will get the wrong kind of access to this computer, or that there is really nothing too bad anyone could do if they did. But at least stop to think about it. And when in doubt, it's better to limit access by default, because it sometimes turns out that you can't trust your system as much as you think you can, and if something does go wrong, it's going to be too late.

David Z
  • 2
    Doesn't ALL work rather than * to specify all users? See the example in sudoers(5). – medina Jul 15 '10 at 10:58
  • 1
    @medina: so it does, I missed that when I was reading the man page. I'll edit. – David Z Jul 15 '10 at 17:26
  • 7
    Under Ubuntu, creating a file under /etc/sudoers.d and putting these entries in it will stop you having to edit sudoers – Xetius Oct 28 '12 at 20:18
  • 1
    In CentOS7, this entry is there by default, just commented out. – killjoy Apr 28 '18 at 10:22
  • 1
    Only managed to use it in CentOS by copy/pasting, failed every attempt to type the configuration directly. But the result seems identical except for spaces... – MUY Belgium Jun 28 '18 at 08:31
  • Note that you might need to log out and then log in for the changes to take effect – sjking Apr 06 '20 at 04:56
  • will this make it so, say NOBODY also has sudo access, or is this limited to users in the sudo group? – Ninjaxor Oct 04 '23 at 17:07
  • @Ninjaxor I'm not quite sure what you mean, but this answer provides a way to give sudo access to any set of users. I don't think you can use it to prevent users from having sudo access if they would otherwise have it according to a different part of the configuration file, if that's what you were getting at. – David Z Oct 04 '23 at 18:43
152

I tried the solutions above to no avail. The following solution worked for me: edit the /etc/sudoers file and add the following line:

username ALL=(ALL) NOPASSWD: ALL

The key is to add it after the last line which says

#includedir /etc/sudoers.d
Richipal
  • 1
    // , This looks like the better way to do it, especially when certain applications will add their own rules for system users, Richipal. More info on sudoers.d: http://www.sudo.ws/man/1.8.13/sudoers.man.html – Nathan Basanese Aug 27 '15 at 17:18
  • 6
    The issue with ignoring %wheel's NOPASSWD seems to arise from /etc/sudoers.d/USERNAME overriding the group's NOPASSWD permission. Applying NOPASSWD in /etc/sudoers.d/USERNAME resolves the problem. – eel ghEEz Jul 31 '17 at 15:03
  • 3
    Big ups to this one, after the include is important – Theodore Howell Apr 08 '19 at 17:50
  • 1
    Very questionable to have #include be a special syntax in a #-commented config file... – phil294 Jun 26 '19 at 10:55
32

I tried all the answers on this page, with no useful results. Eventually I figured it out: use this command to list your sudo rights:

sudo -l

This should give you an output like this:

User gmurphy may run the following commands on this host:
    (root) NOPASSWD: ALL
    (ALL) ALL

It shows that I'm configured with root privileges but that I'm still part of a group (admin) matched to a sudo rule which expects the password ("(ALL) ALL"). This was forcing sudo to prompt me. The rule in question was the admin users:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

Once I commented this out, I was able to sudo without password. I hope this is of use to someone else.

  • 1
    Ahhh, thanks! This was driving me nuts... in my case, my user was part of the "sudo" group as well as "admin" (which I created), and the permissions on each were mis-matched, as they were in your case. Now this stuff works! :) – neezer May 06 '12 at 22:28
  • 16
    Commenting a line out is a blunt instrument. You may be interested to hear that "sudo reads the sudoers file and applies permissions in order from top to bottom. So the last line in the file will overwrite any previous conflict" according to http://ubuntuforums.org/showthread.php?t=1132821 -- and this worked for me. – David J. Jan 15 '13 at 04:08
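
To illustrate the ordering behaviour this answer and its comments describe, here is an added example (not part of the original posts): a simplified Python evaluator that applies the sudoers last-match-wins rule and reports which line decides whether a user is prompted. It assumes any included files are already concatenated in read order, ignores hosts, run-as targets and command lists, and handles only the rule forms shown on this page (user, %group, User_Alias, ALL); the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the answer above: a per-user NOPASSWD
# rule followed by a later group rule that still demands a password.
SAMPLE = """\
gmurphy ALL=(root) NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
"""

ALIAS = re.compile(r"^User_Alias\s+(\w+)\s*=\s*(.+)$")
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse(text):
    """Return (aliases, rules); rules are (who, nopasswd, line_no) in file order."""
    aliases, rules = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comments, '#includedir' directives and Defaults lines are skipped here.
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = {u.strip() for u in m.group(2).split(",")}
            continue
        m = RULE.match(line)
        if m:
            rules.append((m.group(1), bool(m.group(2)), n))
    return aliases, rules

def matches(who, user, groups, aliases):
    """True if the rule's first field covers this user."""
    if who == "ALL" or who == user:
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return user in aliases.get(who, ())

def effective_rule(text, user, groups):
    """Last matching rule wins, as sudoers(5) specifies; None if nothing matches."""
    aliases, rules = parse(text)
    hit = None
    for who, nopasswd, n in rules:
        if matches(who, user, groups, aliases):
            hit = {"line": n, "who": who, "nopasswd": nopasswd}
    return hit
```

Calling `effective_rule(SAMPLE, "gmurphy", {"admin"})` points at the `%admin` line, which is why the password prompt persisted until that rule was removed or the NOPASSWD rule was moved after it.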
12

Within /etc/sudoers there's an example of just that towards the bottom of the file:

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
6

There is another way to do it without touching the sudoers file.

  • Edit /etc/pam.d/su and uncomment the line below:

    auth           sufficient      pam_wheel.so trust use_uid
    
  • Add the user to the wheel group.

topdog
3

This is an old thread, but it's interesting that no one has added the system default authenticate to this answer list. Using an entry of

Defaults  !authenticate

in the sudoers file would allow any user to use their defined sudo commands without any password authentication. It's part of the default sudo specification and is portable across all platforms, as specified in the OP. And, if you need to scope it to a specific user, try

Defaults:<user_name>  !authenticate 
Thomas N
2

There is another way to do it without touching the sudoers file.

  • Edit /etc/pam.d/sudo and add the line below:

    auth           sufficient      pam_wheel.so trust use_uid
  • Add the user to the wheel group.

Props to "topdog" and "Daniel Serodio" for the original answer with regard to "su" rather than "sudo". I used that as a reference and shamelessly copied, and amended, their post.

noabody
  • 1
    I think instead of copying verbatim, it would be better to credit them, but be clear about how exactly your answers differ. I assume this allows passwordless su, instead of/as well as passwordless sudo? Daniel's addition is just formatting, by the way. – mwfearnley Aug 22 '18 at 10:01
1
echo -e "\n$USER ALL=(ALL) NOPASSWD: ALL\n" | sudo tee -a /etc/sudoers
sudo cat /etc/sudoers

Reopen terminal, verify that you are not asked for your password:

sudo echo "it works!"