Solved

Linux executing sudo without password

Posted on 2011-05-03
Last Modified: 2012-05-11
Hi,

I am executing a sudo blah blah command through a Perl script on the Linux Ubuntu 10.11 shell. Every time, it asks me for a password for user anand.
I tried editing the sudoers file in /etc/sudoers and the file looks as shown below.

#!/usr/local/bin/perl

use strict;
use warnings;

my $dir = '/home/anand/exinda/automate/tests/SwiftTest//tc001246/Automation/Results';

opendir DIR, $dir or die "could not open $dir dir: $!";
#my @dirs = grep { -d $_ } readdir DIR;
my @dirs = readdir DIR;
closedir DIR;

foreach my $d((@dirs)) {
    if ($d eq ".." || $d eq ".") {
        next;
    }

    opendir DIR, "$dir/$d" or die "could not open $dir/$d dir: $!";
    my @files = readdir DIR;
    closedir DIR;
    print "found the files:\n", join("\n", @files), "\n";
}

This works in the same terminal. However, if I open a different one again it prompts me for a password. How do I get rid of this password prompt every time?

Kindly help.

Regards,
Anand.

Question by:anand_sridharan
49 Comments
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35612747
This does not look like the sudoers file to me. This looks like a Perl script.

Normally you need to put user anand in /etc/sudoers, i.e.

anand   ALL=(ALL)  ALL
0
 

Author Comment

by:anand_sridharan
ID: 35614750
OOOOps... sorry about that..


# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults    env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
anand   ALL=NOPASSWD: ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
0
 
LVL 81

Expert Comment

by:arnold
ID: 35618634
Can you run id anand?
If you are a member of multiple groups (sudo,admin), you will be prompted for a password because of the settings for these groups which require a password.

0

 

Author Comment

by:anand_sridharan
ID: 35619488
Here is the output of "id" command

anand@anand-OptiPlex-980:~$ id anand
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)

So should I remove anand from any of the groups?

- A -
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35621745
You are in "root" and "admin" groups, so you should remove "anand   ALL=NOPASSWD: ALL" in /etc/sudoers file.
0
 

Author Comment

by:anand_sridharan
ID: 35623544
Ganjos,

That didn't work.  I removed and tried from another linux terminal but it's asking for password. Thanks.

-A-
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35626572
In a new terminal you need to enter the password once, then the rest should be password free. Is that correct?
0
 
LVL 81

Expert Comment

by:arnold
ID: 35627265
Are you using visudo (/usr/sbin/visudo) to make the changes to the configuration?

I thought you may need to, but tested it and it seems that the more specific (per user) overrides the group (%groupname)
although the user with which I was testing has a UID < 1000.
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35628721
Try this:

anand  ALL = (root) NOPASSWD: ALL
0
 

Author Comment

by:anand_sridharan
ID: 35653681
Hi,

Ok.. What I am trying to achieve is.. In my test automation, whenever I kick off a test on my Linux (Ubuntu) box the tests should start running without asking for a password. Not even once. To kick off a test case I issue a sudo command through a Perl script, which prompts me for a password presently.

I tried editing through visudo; I couldn't achieve this.

I tried the ganjos solution; I couldn't achieve this. Is this achievable at all?

-A-
0
 
LVL 4

Expert Comment

by:florjan
ID: 35678768
anand ALL=(ALL) ALL NO PASSWD: ALL
Does this work?
0
 
LVL 20

Expert Comment

by:simon3270
ID: 35688411
I've just added the following to sudoers:

   simon ALL=(ALL) NOPASSWD: ALL

on Ubuntu 10.04 and it lets me (username = "simon") run commands without a password.

It might be worth moving the line to the bottom of the file.
0
 
LVL 20

Expert Comment

by:simon3270
ID: 35688804
By the way, please do this through visudo, not by editing the sudoers file directly - visudo not only locks the file so that only one person can edit it at a time, but it also validates the contents before it tries to use them.
0
 
LVL 81

Expert Comment

by:arnold
ID: 35689604
Since you have sudo rights, it is wasteful then not to elevate your rights and configure/set up the test script to run as root from the get-go, as opposed to starting with a limited/restricted user and then running sudo to elevate one's rights.

If you have access to both a truck and a small car, you would pick one to do the job, you would not start with the car and then sometime through the process switch to the truck.

0
 
LVL 20

Expert Comment

by:simon3270
ID: 35689705
If I had access to a whittling knife and a chainsaw, I'd use the chainsaw to chop the tree into chunks, and the knife to carve a chunk into a duck.  Being root for longer than necessary is like trying to whittle with a chainsaw.  (Yes, I know that there are people who whittle with a chainsaw, but it is very difficult, takes a long time to get it right, and it is so easy to end up with a headless duck!)
0
 
LVL 81

Expert Comment

by:arnold
ID: 35689793
Simon, was that meant to counter my analogy?
Administrative scripts/tasks should be run with administrative rights.
Or as the user that has access to the data, which all can be set up without the need to run a script as the admin and then elevate rights for individual tasks.
I'll skip another analogy and spare you ......

0
 
LVL 20

Expert Comment

by:simon3270
ID: 35689807
Your second point is the same as my analogy - do as many things as a normal user as you can, then become root to perform tasks which need to be root.
0
 

Author Comment

by:anand_sridharan
ID: 35695817
Hi,

So how do I run a command as root instead of user "anand" in my case?

-A-
0
 
LVL 81

Expert Comment

by:arnold
ID: 35695823
What is the command that you want to run?
What is the task that you want the script to perform?
0
 

Author Comment

by:anand_sridharan
ID: 35695861
Currently from my Perl script I issue a command as follows


$ret = system("sudo ./execute_tests");

When Perl hits this statement I am prompted for a password. Since there was a suggestion earlier from one of you to run this command as root, I wanted to know how to do the same. There is only one user in my system which is me (anand). I want to trigger the test cases without the need for typing a password. Am I still confusing you? Please let me know.

-A-
0
 
LVL 81

Assisted Solution

by:arnold
arnold earned 100 total points
ID: 35699555
Why not run the execute_tests from cron of a root user?
If you want to see the output, you may want to either log to a file where your user can view it, or into a database(mysql) etc.

A sudo with nopasswd is a security risk, given that anyone who gets to the terminal and runs sudo bash gets an elevated shell. You could create a separate user with no password, but restricted to running a specific task, i.e. execute_tests.
0
 
LVL 20

Assisted Solution

by:simon3270
simon3270 earned 100 total points
ID: 35699993
You could still use sudo, but replace the last ALL on the line with a list of the commands that you want to allow.  For example, I had this when I was experimenting with sudo a while ago:

  simon ALL=(ALL) NOPASSWD: /usr/bin/vi, /home/simon/execute.sh

You have to be careful which commands you allow - if, for example, you do allow /usr/bin/vi, the user can get a shell by just entering :sh when they are in vi.  Also put the full path in - when sudo tries to find the command it is running, it uses a minimal PATH, so wouldn't find the execute.sh here - specify it as "sudo /home/simon/execute.sh".
0
 

Author Comment

by:anand_sridharan
ID: 35716894
Hi,

Whatever I do, it looks like I will be prompted for a password at least once. All the options work only if I run the command in the same window. If I open a different terminal, then I am prompted for a password. Not sure how to avoid this. Maybe if I don't get any solution today I will close this question. Thanks to everyone.

-A-
0
 
LVL 16

Assisted Solution

by:Joseph Gan
Joseph Gan earned 100 total points
ID: 35716929
Sounds normal to me, i.e. if you run as a user the first time in a terminal, it will prompt you for the password once. Because this is a security enhancement, if the user is compromised, the account can run anything as root on the server. However, if you run the command/script as root, you shouldn't need any password.
0
 

Author Comment

by:anand_sridharan
ID: 35717120
Hi,

So how to run this command as a root. I have only one user account in my ubuntu.

Regards,
Anand.
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35717129
From
$ sudo command/script.sh
To
# command/script.sh
0
 

Author Comment

by:anand_sridharan
ID: 35717262
Hi,
I guess I wasn't clear with my previous question.  How do I log in as root? I don't know what is the password for root if I do a su command? I am a little new to linux administration so please excuse me if I am being silly. :)

Currently my login prompt is ....$> ..How do I get the # prompt without issuing a su command


-A-
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35717282
I thought you have a "root" password from your last "id" command:
$ id anand
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)

You login as yourself, ie anand, then
$ /bin/su -

To root, you need root password. Then will give you
#
0
 

Author Comment

by:anand_sridharan
ID: 35717386
But I don't know what is my root password. I don't remember setting one. I set just one user name in  my ubuntu linux 10.10.

0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35717476
You either need to recover root password, or run sudo as a user.
0
 

Accepted Solution

by:
anand_sridharan earned 0 total points
ID: 35717668
Ok then.. Looks like I have to think of some other way out.. thanks for all your help..

-A-
0
 
LVL 20

Expert Comment

by:simon3270
ID: 35718142
Anand,

Just to make sure we haven't missed anything, could you please post your current /etc/sudoers file?

Thanks,
Simon
0
 
LVL 20

Expert Comment

by:simon3270
ID: 35718698
The other thing to check is your /etc/pam.d/sudo file (if you have one) - that may require at least one password per session.
0
 

Author Comment

by:anand_sridharan
ID: 35725614
My sudoers file below:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
anand  ALL =(ALL) NOPASSWD: /home/anand/test/run.exe


# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725650
One more thing to try:

$ id anand
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)

Add your gid to admin group, and change last line of /etc/sudoers file to be:

%admin ALL =(ALL) NOPASSWD: /home/anand/test/run.exe



0
 

Author Comment

by:anand_sridharan
ID: 35725692
Hi,

Sorry but how do I add my gid to admin group?

-A-
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725736
useradd -G admin -u anand
0
 

Author Comment

by:anand_sridharan
ID: 35725747
I am getting this error message

anand@anand-OptiPlex-980:~$ id
uid=1000(anand) gid=1000(anand) groups=1000(anand),0(root),119(admin)
anand@anand-OptiPlex-980:~$ useradd -G admin -u anand
useradd: invalid user ID 'anand'
anand@anand-OptiPlex-980:~$
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725766
useradd -G admin -u 1000
0
 

Author Comment

by:anand_sridharan
ID: 35725776
Still I am not getting the desired result. It displays me the help menu...


anand@anand-OptiPlex-980:~$ useradd -G admin -u 1000
Usage: useradd [options] LOGIN

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

anand@anand-OptiPlex-980:~$

0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725797
Who created your account and sudoers file?
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725811
useradd -G admin anand
0
 

Author Comment

by:anand_sridharan
ID: 35725830
anand@anand-OptiPlex-980:~$ useradd -G admin anand
useradd: user 'anand' already exists
anand@anand-OptiPlex-980:~$

I created user anand when I installed ubuntu 10.10. Sudoers file was there already after installation.
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725879
Is there a "root" account from when you installed? Recovering the root password is easy. Just boot the server from the installation CD/DVD in "recover" mode, mount the /root partition to /mnt. Then remove the root password in /mnt/etc/shadow and save. Then reboot your machine, and you have a root account without a password.
0
 

Author Comment

by:anand_sridharan
ID: 35725937
Yes. root account is there but asking for some password which I never set up when i say "su". Let me try and get back to you.

But isn't a root account without a password dangerous? Is there a way to reset the password rather than a password-less root account?
0
 
LVL 16

Expert Comment

by:Joseph Gan
ID: 35725951
Once you recovered, after you login, just reset root password as:
# passwd root
0
 
LVL 81

Expert Comment

by:arnold
ID: 35725979
Your account anand, is limited to running one command, your rights are derived from the admin group.
Change
%admin ALL=NOPASSWD: ALL
And you will no longer be prompted for a password.
The default for root after install is not to have a password i.e. sudo bash; grep root /etc/passwd and /etc/shadow will likely reflect !!. You can set the root's password in the elevated mode using passwd root.
There is no point in trying to recover a password that was not set.
0
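
Added example (not part of the original thread, and not sudo's own code): a simplified model of how sudoers entries are applied in order with the last match winning, run over the file posted above. It shows why the per-user NOPASSWD line was overridden by the later %admin line. The names `parse`, `decide`, `POSTED` and `REORDERED` are hypothetical, and aliases, wildcards, negation and command arguments are assumed absent.

```python
import re

# Constructed from the /etc/sudoers posted in the thread (comments, Defaults dropped).
POSTED = """\
root    ALL=(ALL) ALL
anand  ALL =(ALL) NOPASSWD: /home/anand/test/run.exe
%sudo ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""
# Same rules with the per-user line moved below the group lines.
REORDERED = """\
root    ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
%admin ALL=(ALL) ALL
anand  ALL =(ALL) NOPASSWD: /home/anand/test/run.exe
"""

# who  host = (runas) command-list; aliases, wildcards and arguments not handled
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAG = re.compile(r"(NOPASSWD|PASSWD):\s*")

def parse(text):
    """Yield (who, [(command, nopasswd), ...]) for each user specification line."""
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m or line.lstrip().startswith(("#", "Defaults")):
            continue
        who, cmds = m.groups()
        nopasswd, specs = False, []
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            t = TAG.match(cmd)
            if t:  # a tag applies to its command and carries over to later ones
                nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            specs.append((cmd, nopasswd))
        yield who, specs

def decide(text, user, groups, command):
    """Return 'denied', 'password' or 'nopasswd'; the last matching entry wins."""
    result = "denied"
    for who, specs in parse(text):
        if who != user and not (who.startswith("%") and who[1:] in groups):
            continue
        for cmd, nopasswd in specs:
            if cmd in ("ALL", command):
                result = "nopasswd" if nopasswd else "password"
    return result

if __name__ == "__main__":
    groups = {"anand", "root", "admin"}  # from the `id anand` output in the thread
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        for cmd in ("/home/anand/test/run.exe", "/bin/bash"):
            print(name, cmd, "->", decide(text, "anand", groups, cmd))
```

With the per-user line at the bottom, only the one test command runs without a password and everything else still prompts, which is narrower than `%admin ALL=NOPASSWD: ALL`.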
 

Author Comment

by:anand_sridharan
ID: 35726081
Hurray!!! This worked. Thank you Arnold.. Now I can execute the command without a password in any terminal. Thanks for all your help.
0
 

Author Closing Comment

by:anand_sridharan
ID: 35752658
I wish I had another alternative solution to achieve what I wanted to. Looks like I have to dig it out from somewhere.
0
