Recipe 5.4 Bypassing Password Authentication in sudo

Careful sudo Practices

  • Always edit /etc/sudoers with the visudo program, not by invoking a text editor directly. visudo uses a lock to ensure that only one person edits /etc/sudoers at a time, and verifies that there are no syntax errors before the file is saved.

  • Never permit the following programs to be invoked with root privileges by sudo: su, sudo, visudo, any shell, and any program having a shell escape.

  • Be meticulous about specifying argument lists for each command in /etc/sudoers. If you aren't careful, even common commands like cat and chmod can be springboards to gain root privileges:

    $ sudo cat /etc/shadow > my.evil.file
    $ sudo cat ~root/.ssh/id_dsa > my.copy.of.roots.ssh.key
    $ sudo chmod 777 /etc/passwd; emacs /etc/passwd
    $ sudo chmod 4755 /usr/bin/less               (root-owned with a shell escape)

  • Obviously, never let users invoke a program or script via sudo if the users have write permissions to the script. For example:

    smith ALL = (root) /home/smith/myprogram

    would be a very bad idea, since smith can modify myprogram arbitrarily.

5.4.1 Problem

You want one user to run a command as another user without supplying a password.

5.4.2 Solution

Use sudo's NOPASSWD tag, which indicates to sudo that no password is needed for authentication:

    smith  ALL = (jones) NOPASSWD: /usr/local/bin/mycommand args
    smith  ALL = (root) NOPASSWD: /usr/local/bin/my_batch_script ""

5.4.3 Discussion

By not requiring a password, you are trading security for convenience. If a sudo-enabled user leaves herself logged in at an unattended terminal, someone else can sit down and run privileged commands.

That being said, passwordless authorization is particularly useful for batch jobs, where no human operator is available to type a password.
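The careful practices listed above and the NOPASSWD entries from the Solution can be checked mechanically before a batch entry goes live. The following Python sketch is an added example, not part of the original recipe or of sudo itself: audit_line, the finding names, the list of shells, and the /bin/cat and /bin/bash sample entries are assumptions made for illustration, and it handles only simple one-command entries.

```python
import os
import re
import stat

# Programs the recipe says must never run as root via sudo. The shell names
# are an assumed list; extend it with the shells installed on your hosts.
FORBIDDEN = {"su", "sudo", "visudo", "sh", "bash", "csh", "tcsh", "ksh", "zsh"}

# One simple user specification: user host = (runas) [NOPASSWD:] /command [args]
SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>NOPASSWD:\s*)?(?P<cmd>/\S+)(?:\s+(?P<args>.*))?$"
)

def audit_line(line):
    """Return findings for one sudoers entry; [] if clean or not a simple spec."""
    m = SPEC.match(line.strip())
    if not m:
        return []  # comments, Defaults, aliases and command lists are out of scope
    findings = []
    runas = m["runas"] or "root"  # sudo runs the command as root when no runas is given
    if runas == "root" and os.path.basename(m["cmd"]) in FORBIDDEN:
        findings.append("forbidden-program")
    if m["args"] is None:
        # No argument list: sudo accepts any arguments. A literal "" permits none.
        findings.append("any-arguments-allowed")
    if m["tag"]:
        findings.append("nopasswd")
    try:
        st = os.stat(m["cmd"])
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("target-writable-by-non-root")
    except OSError:
        pass  # target not present on this host; permissions cannot be checked
    return findings

# Entries from this recipe plus two constructed ones (/bin/cat, /bin/bash).
SAMPLE = [
    "smith ALL = (root) /home/smith/myprogram",
    "smith ALL = (jones) NOPASSWD: /usr/local/bin/mycommand args",
    'smith ALL = (root) NOPASSWD: /usr/local/bin/my_batch_script ""',
    "smith ALL = (root) /bin/cat",
    "smith ALL = (root) /bin/bash",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{', '.join(audit_line(entry)) or 'ok':45} {entry}")
```

The permission check inspects only the target file itself; a writable parent directory is a separate exposure this sketch does not cover.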

5.4.4 See Also

sudo(8), sudoers(5).
