[Ubuntu]: sudoers NOPASSWD option not working

Question: I wanted to install a package as a local user and use sudo wherever required. To do that, I created an account called ‘stack’ and made the below entry in my /etc/sudoers file.

# User privilege specification
root    ALL=(ALL:ALL) ALL
stack        ALL=(ALL) NOPASSWD:ALL

However, when I verify it from the command line with sudo -s, it asks for the password as shown below:

stack@cloudsec2:~$ sudo -s
[sudo] password for stack:

Please help me, where am I going wrong?

Solution 1: Put that line after the line with the rule for the admin group. When multiple entries match a user, they are applied in order, and the last match is used (which is not necessarily the most specific match).

So, your sudoers file should look like the below:

# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Placed after the group rules so it is the last match for stack
stack ALL=(ALL) NOPASSWD:ALL

Solution 2: Rather than moving the line, you can simply remove it and add NOPASSWD to the entry for %sudo as shown below:

%sudo   ALL=(ALL:ALL) NOPASSWD:ALL

Note: Make sure your login belongs to the sudo group as shown below:

root@cloudsec2:~# id stack
uid=1000(stack) gid=1000(stack) groups=1000(stack),4(adm),27(sudo),

Solution 3: Move your line to a file under /etc/sudoers.d/

visudo -f /etc/sudoers.d/myOverrides

Insert the below line:

stack  ALL=(ALL:ALL) NOPASSWD:ALL

Now open the /etc/sudoers file and uncomment the below line:

visudo -f /etc/sudoers
#includedir /etc/sudoers.d

This is a better approach to editing sudoers.

Note: Always use visudo. If you introduce errors into the file, you may no longer be able to run sudo!
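
The last-match rule from Solution 1 and the drop-in file from Solution 3 can be checked with a small model of how sudo walks the file. This is an added example, not code from the original article: it is a simplified parser that assumes single-line entries with no aliases, Defaults or host matching, and it treats `#includedir` as the directive that sudoers(5) defines it to be, reading drop-ins in sorted order and skipping names that contain a `.` or end in `~`.

```python
import re

RULE = re.compile(r"^(%?[\w-]+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
INCLUDEDIR = re.compile(r"^[#@]includedir\s+(\S+)")

def expand(text, dropins, origin="/etc/sudoers"):
    """Yield (origin, line) in parse order, inlining drop-ins at #includedir."""
    for raw in text.splitlines():
        line = raw.strip()
        inc = INCLUDEDIR.match(line)
        if inc:  # a directive, not a comment, despite the leading '#'
            for name in sorted(dropins):
                if "." not in name and not name.endswith("~"):
                    yield from expand(dropins[name], {}, f"{inc[1]}/{name}")
        elif line and not line.startswith(("#", "Defaults")):
            yield origin, line

def last_match(text, user, groups, dropins=None):
    """Return (origin, entry, needs_password) for the entry sudo applies."""
    winner = None
    for origin, line in expand(text, dropins or {}):
        m = RULE.match(line)
        if not m:
            continue
        who, cmds = m[1], m[2]
        hit = who[1:] in groups if who.startswith("%") else who in (user, "ALL")
        if hit:  # later matches replace earlier ones: the last match wins
            winner = (origin, line, "NOPASSWD:" not in cmds)
    return winner

# Constructed input: the question's entry followed by the stock group rules.
QUESTION = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
stack   ALL=(ALL) NOPASSWD:ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""
GROUPS = {"stack", "adm", "sudo"}  # from the `id stack` output on the page

if __name__ == "__main__":
    print(last_match(QUESTION, "stack", GROUPS))
    moved = QUESTION.replace("stack   ALL=(ALL) NOPASSWD:ALL\n", "")
    dropin = {"myOverrides": "stack  ALL=(ALL:ALL) NOPASSWD:ALL\n"}
    print(last_match(moved, "stack", GROUPS, dropin))
```

On a real system, `sudo -l -U stack` lists the entries sudo matched for the user, and `visudo -c` checks the syntax of the main file and its drop-ins.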

Updated on September 2, 2017

Comments

  1. My /etc/sudoers file says:

    ## Read drop-in files from /etc/sudoers.d
    ## (the ‘#’ here does not indicate a comment)
    #includedir /etc/sudoers.d

    and my /etc/sudoers.d/00-groupname files are being read fine. I don’t think you’re supposed to remove the # from that line.

    Interesting read though. Thanks