sudo without password


3 min read
linux
security

I’ve recently run into deployment scenarios where I need to have a unprivileged user account execute something privileged like restarting nginx. Sure, I could just do things with the root account, but most of my deployments are done via SSH commands and I don’t allow root logins directly on my servers. I went ahead and skipped Google this time and just went straight to the man page for “sudoers” and was able to get some answers.

How to edit sudoers

The preferred way to edit the sudoers is by way of visudo. The command does require sudo or to be ran directly from a superuser account. You could simply run vim /etc/sudoers as well but this does not provide the locking mechanism that visudo does to safeguard against simultaneous edits. The following examples are edits that need to be made inside /etc/sudoers.

Now that we know how to edit the sudoers file, let’s take a look at a few different ways to go about configuring it. Keep in mind that the first couple of setups are simply for documentation purposes and I don’t recommend using them at all.

If you only allow logging in with a key and that key is compromised, the attacker would then have full access to the server if you had passwordless sudo enabled for that user. Keeping passwords enabled means the attacker would need to get through both layers of security. Add in IP whitelisting and you have another layer as well. Shit happens, just ask Sony ;)

All users in a group

This particular setup is the least secure in my opinion as it allows any users that have sudo access to do so without ever entering their password. The following example would grant anyone in the “sudo” group passwordless access:

%sudo ALL=(ALL) NOPASSWD:ALL

In most scenarios all of the users with sudo access would be in the “sudo” group thus making this configuration for all users with sudo.

Individual user

Also not recommended but it at least limits the liability a bit by isolating sudo without password to a single user:

username ALL=(ALL) NOPASSWD:ALL

Specific command

This would be what I consider the most ideal setup, allowing a specific user to have passwordless sudo access for a specific command. Most likely access to the command is somewhat trivial, like a script to restart a particular service. For me, the service in question is nginx and I added the following line to my sudoers file:

username ALL=NOPASSWD: /etc/init.d/nginx

Now the specified user account can run /etc/init.d/nginx reload without a password! In a perfect world I would lock down sudo access to to reload argument and no other arguments like start or stop but when trying to specify additional arguments I would get an error in my sudoers file. Since I wasn’t overly concerned with that level of access I didn’t bother to pursue it.

One more tip with all of this, don’t ever give sudo access to a user that doesn’t have to enter a password (or use a key) to log in. In fact, don’t ever have users like that on your boxes and lock down sshd to disallow accounts like that from ever logging in remotely. I’ll save locking down SSH for another post ;)

Happy Holidays!