Linux executing sudo without password

This looks not the sudoers file to me. This looks like a perl script.

Normally you need to put user anand in /etc/sudoers, ie.

anand   ALL=(ALL)  ALL

OOOOps... sorry about that..


# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults    env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
anand   ALL=NOPASSWD: ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

can you run id anand?
If you are a member of multiple groups (sudo,admin), you will be prompted for a password because of the settings for these groups which require a password.

Here is the output of "id" command

anand@anand-OptiPlex-980:~$ id anand
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)

So should I remove anand from any of the groups?

- A -

You are in "root" and "admin" groups, so you should remove "anand   ALL=NOPASSWD: ALL" in /etc/sudoers file.

Ganjos,

That didn't work.  I removed and tried from another linux terminal but it's asking for password. Thanks.

-A-

In new terminal you need to enter password once, then rest should be passwd free. Is that correct?

Are you using visudo (/usr/sbin/visudo) to make the changes to the configuration?

I thought you may need to, but tested it and it seems that the more specific (per user) overrides the group (%groupname)
altough the user with which I was testing has a UID < 1000.

Try this:

anand  ALL = (root) NOPASSWD: ALL

Hi,

Ok.. What I am trying to achieve is..In my test automation whenever I kick off a test on my linux (ubuntu) box the tests should start running without asking for password. Not even once. To kck of a test case I issue a sudo command through perl script which prompts me for password presently.

I tried editing throgh visudo i couldn't achieve this.

I tried the ganjos solution I couldnt' achieve this. Is this achievable at all.

-A-

anand ALL=(ALL) ALL NO PASSWD: ALL
Does this work?

I've just added the following to sudoers:

   simon ALL=(ALL) NOPASSWD: ALL

on Ubuntu 10.04 and it lets me (username = "simon") run commands without a password.

It might be worth moving the line to the bottom of the file.

By the way, please do this through visudo, not by editing the sudoers file directly - visudo not only locks the file so that only one person can edit it at a time, but it also validates the contents before it tries to use them.

Since you have sudo rights, it is wasteful then not to elevate your rights and configure/setup the test script to run as root from the get go as opposed to start with a limited/restricted user and then run sudo to elevate ones rights.

If you have access to both a truck and a small car, you would pick one to do the job, you would not start with the car and then sometime through the process switch to the truck.

If I had access to a whittling knife and a chainsaw, I'd use the chainsaw to chop the tree into chunks, and the knife to carve a chunk into a duck.  Being root for longer than necessary is like trying to whittle with a chainsaw.  (Yes, I know that there are people who whittle with a chainsaw, but it is very difficult, takes a long time to get it right, and it is so easy to end up with a headless duck!)

Simon, was that meant to counter my analogy?
administrative scripts/tasks should be run with administrative rights.
Or as the user that has access to the data which all can be setup without the need to run a script as the admin and then elevate rights for individual tasks.
I'll skip another analogy and spare you ......

Your second point is the same as my analogy - do as many things as a normal user as you can, then become root to perform tasks which need to be root.

Hi,

So how do I run a command as root instead of user "anand" in my case?

-A-

What is the command that you want to run?
What is the task that you want the script to perform?

Currently from my perl script i issue a command as follows


$ret = system("sudo ./execute_tests");

When perl hits this statement I am prompted for a password Since there was a suggestion earlier from one of you to run this command as root, I wanted to know how to do the same. There is only one user in my system which is me (anand). I want to trigger the test cases without the need for typing a password. Am I still confusing you? Please let me know.

-A-

Hi,

Whatever I do it looks like I will be prompted for password atleast once. All the options work only if I run the command in the same window. If I open a different terminal and then I am prompted for password. Not sure how to avoid this. May be if I don't get any solution today I will close this question. Thanks to everyone.

-A-

Hi,

So how to run this command as a root. I have only one user account in my ubuntu.

Regards,
Anand.

From
$ sudo command/script.sh
To
# command/script.sh

Hi,
I guess I wasn't clear with my previous question.  How do I log in as root? I don't know what is the password for root if I do a su command? I am a little new to linux administration so please excuse me if I am being silly. :)

Currently my login prompt is ....$> ..How do I get the # prompt without issuing a su command


-A-

I thought you have a "root" password from your last "id" command:
$ id anand
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)

You login as yourself, ie anand, then
$ /bin/su -

To root, you need root password. Then will give you
#

But I don't know what is my root password. I don't remember setting one. I set just one user name in  my ubuntu linux 10.10.

You either need to recover root password, or run sudo as a user.

Anad,

Just to make sure we haven't missed anything, could you please post your current /etc/sudoers file?

Thanks,
Simon

The other thing to check is your /etc/pam.d/sudo file (if you have one) - that may require at least one password per session.

My sudoers file below:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
anand  ALL =(ALL) NOPASSWD: /home/anand/test/run.exe


# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

One more thing to try:

$ id anand
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)

Add your gid to admin group, and change last line of /etc/sudoers file to be:

%admin ALL =(ALL) NOPASSWD: /home/anand/test/run.exe

Hi,

Sorry but how do I add my gid to admin group?

-A-

useradd -G admin -u anand

I am getting this error message

anand@anand-OptiPlex-980:~$ id
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)
anand@anand-OptiPlex-980:~$ useradd -G admin -u anand
useradd: invalid user ID 'anand'
anand@anand-OptiPlex-980:~$

useradd -G admin -u 1000

Still I am not getting the desired result. It displays me the help menu...


anand@anand-OptiPlex-980:~$ useradd -G admin -u 1000
Usage: useradd [options] LOGIN

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

anand@anand-OptiPlex-980:~$

Who created your account and sudoers file?

useradd -G admin anand

nand@anand-OptiPlex-980:~$ useradd -G admin anand
useradd: user 'anand' already exists
anand@anand-OptiPlex-980:~$

I created user anand when I installed ubuntu 10.10. Sudoers file was there already after installation.

Is there "root" account when you installed, recover root password is easy. Just boot the server from installation CD/DVD in "recover" mode, mount the /root partition to /mnt. Then remove root password in /mnt/etc/shadow and save. Then reboot you machin, you have a root account without password.

Yes. root account is there but asking for some password which I never set up when i say "su". Let me try and get back to you.

But isn't a root account without a password dangerous? Is there a way to reset the password rather than a password-less root account?

Once you recovered, after you login, just reset root password as:
# passwd root

Your account anand, is limited to running one command, your rights are derived from the admin group.
Change
%admin ALL=NOPASSWD: ALL
And you will no longer be prompted for a password.
The default for root after install is not to have a password i.e. sudo bash; grep root /etc/passwd and /etc/shadow will likely reflect !!. You can set the root's password in the elevated mode using passwd root.
There is no point in trying to recover a password that was not set.

Hurray!!! This worked. Thankyou Arnold.. Now I can execute the command without password in any terminal. Thanks for all your help.

I wish I had other another alternative solution to achieve what I wanted to. Looks like I have to dig it out from somewhere.