But there are times when you need extra root privileges to add a new user or change some system setting. You can always create a new user account with fewer privileges. This account has full system access with no restrictions at all and should only be used for administrative tasks.

And this made the contents of the my_user file in the /etc/sudoers.d directory take precedence.

When you create a new Ubuntu server in the cloud, by default you get the root account.

The last line of the output (ALL) ALL was overriding the (ALL) NOPASSWD: ALL permission.

After much investigation I found out that there is another file named waagent in the /etc/sudoers.d directory that contained:

    my_user ALL = (ALL) ALL

All I had to do was either comment out the contents of the waagent file or delete the file entirely.

I had created a file named my_user in the /etc/sudoers.d directory, that contained the following:

    # User rules for my_user

Also, my_user was part of the sudo group after I ran the command below:

    sudo usermod -aG sudo my_user

But when I run a sudo command to test it out like sudo ls, a password prompt pops up.

First I ran the command below to check the permissions of my user:

    sudo -l -U my_user

And I got the output below:

    (ALL : ALL) ALL

I encountered this issue when setting up a user to execute sudo commands without the need for the password prompts in Ubuntu.

Try running printf '%s\n' | LANG=C sort to see whether your current language prints AaBbCc etc or ABC then abc to determine what the best "last" letter prefix to use would be.

This is because depending on your language settings the "lexical sorting" the shell uses sorts numbers first and then may interleave upper and lowercase when sorting in "ascending" order.

You can control the file name ordering by using a prefix of 00-99 or aa/bb/cc, though also keep in mind that if you have ANY files that don't have a numeric prefix, they will load after the numbered files, overriding the settings.
Keep in mind that the ordering of the FILE NAMES and of the RULES within the file is very important: the LAST one loaded wins, whether it is MORE or LESS permissive than the previous entries.

If you find yourself creating lots of these sudoers.d files then perhaps you will want to create them named per user so they are easier to visualize.

You can run sudo -l to see the permissions that your user has been granted. If any of the user specific NOPASSWD commands appear BEFORE any %groupyouarein ALL=(ALL) ALL command in the output, you will be prompted for your password.

Then save and exit and visudo will warn you if you have any syntax errors.

    Gatoatigrado ALL=NOPASSWD: /bin/set-slow-cpufreq

You should also always use visudo to edit the file(s). Ideally, if you are customizing what commands can be run via sudo, you should be making these changes in a separate file under /etc/sudoers.d/ instead of editing the sudoers file directly.

(sudo visudo)

Also, having another window open switched to the root user allows you to recover any mistakes you might make while changing the sudoers file.

Rather than moving my entry below the sudo line I simply removed the line I had previously added and then added NOPASSWD to the entry for %sudo.

Again only use nopasswd if you really need it (In my case it was precisely what I needed, for most users requiring a password for sudo activity is best).

Always edit sudoers with visudo.

The group sudo shows up in sudoers after the entry for my username.

I was still having to password authenticate.

Enzotib's answer is the key to what's going on.

NOTE if you use nopasswd on your laptop you must always lock your computer as you walk away or else a casual attacker can compromise a lot while you're getting up to put cream in your coffee.

I had then manually added myself to the sudoers file using sudo visudo:

    my_username ALL=(ALL:ALL) NOPASSWD:ALL

The Ubuntu installer prompts for a non-root admin user which gets added to the group sudo.
I have enabled full disk encryption (otherwise an attacker with physical access can do anything he or she wants).

I want to auth with pub key only (I will unset the password so that the "have something, know something" scheme will be a password protected keypair - root login is of course disabled entirely).

My situation is I'm setting up a remote system that will run headless.
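
The last-match-wins rule and the file load order discussed above, as an added example that is not part of the original page: a POSIX shell sketch that lists a sudoers.d-style directory in load order and reports the last entry naming a user or one of their groups. The function names and the sample directory are constructed for illustration, and matching is simplified to the first field of each rule.

```shell
#!/bin/sh
# Added example, not from the original page. Simplified model: only the first
# field of a rule (user or %group) is matched; aliases, hosts, commands ignored.

# Print file names in the order sudo parses an include directory: byte
# (C locale) order, skipping names that end in "~" or contain ".".
sudoers_load_order() {
    ls -1 "$1" | LC_ALL=C sort | grep -v -e '~$' -e '\.'
}

# last_matching_rule DIR USER [GROUP...]
# Print "file: rule" for the last loaded entry naming USER or %GROUP.
last_matching_rule() (
    dir=$1 user=$2; shift 2
    sudoers_load_order "$dir" | {
        last=
        while IFS= read -r f; do
            while IFS= read -r line || [ -n "$line" ]; do
                line=${line#"${line%%[![:space:]]*}"}   # trim leading blanks
                case $line in ''|'#'*) continue ;; esac # blanks, comments
                who=${line%%[[:space:]]*}
                case $who in "$user") last="$f: $line" ;; esac
                for g in "$@"; do
                    case $who in "%$g") last="$f: $line" ;; esac
                done
            done < "$dir/$f"
        done
        printf '%s\n' "$last"
    }
)

# Succeeds when the winning rule carries no NOPASSWD tag (sudo would prompt).
prompts_for_password() {
    case $(last_matching_rule "$@") in *NOPASSWD:*) return 1 ;; esac
}

# Constructed sample mirroring the my_user / waagent situation.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# User rules for my_user' \
        'my_user ALL=(ALL) NOPASSWD: ALL' > "$d/my_user"
    printf '%s\n' 'my_user ALL = (ALL) ALL' > "$d/waagent"
    printf '%s\n' 'my_user ALL=(ALL) NOPASSWD: ALL' > "$d/zz.bak" # skipped
    printf '%s\n' "$d"
}

demo=$(make_sample_dir)
last_matching_rule "$demo" my_user sudo   # waagent: my_user ALL = (ALL) ALL
rm -rf "$demo"
```

Against a real system, point it at /etc/sudoers.d as root and pass the user's group names; `sudo -l -U` remains the authoritative check.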