To avoid logging in as the root user, we have the sudo command, which lets us run commands as root and so accomplish admin tasks from our own non-root accounts. Most of the time, the sudo command will prompt you for your password, just to make sure. While this is typically just fine, it annoys the heck out of me. In this article, we will cover editing the sudoers file and getting rid of the password prompt.
What is Sudo, really?
According to the sudo website: "Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."
So how DO we get rid of the password prompt? In the end, the process is quite simple:
- Run command:
- Depending on what Linux distro you are using, and whether or not you have ever run visudo before, you may or may not get a prompt asking which text editor you want to use to edit the sudoers file. If you are unsure what to pick, I would suggest using nano.
- Go down to the bottom of the file, add the following line:
<user> ALL=(ALL) NOPASSWD: ALL
- Note: replace <user> with your username
- Save and exit the file
- Run command:
- This will clear the existing password cache
- You're done!
- To test, run command:
- You should not be prompted for a password
While it is entirely possible to edit the /etc/sudoers file manually, I would not suggest doing so. If you use visudo, it will actually check the syntax of the file to make sure it was properly edited; if there are any errors in the syntax, it will NOT save the file, and it will give you an error. On the other hand, if you manually edit the sudoers file, there is NO such syntax checking, and if there ARE errors, you will not be able to use the sudo command to repair the file (I learned this from personal experience). You will either need to reinstall the OS, or if you are lucky, you can boot from a live Linux USB (or CD/DVD), and edit the file from there.
So... What else can you do with the sudoers file? You can do a whole lot more than just remove the password prompt. You can get as granular as you want: you could have some users not require a password for some commands, but still need the password for others. You could do the same based on the source IP of the terminal client (like SSH).
But first, if you are considering getting more granular, this means you have other users working on the device, and you will likely NOT remove the sudo prompt for ALL users (and if you are, you should reconsider what you are about to do). So this means there will be inevitable password entry errors, and you should put the following line in at the end of the 'defaults' in the sudoers file:
This will gently and comically insult the user every time they put in the wrong password.
Now on to the more "practical" granular configuration...
It is hard to describe a "typical" sudoers file. There just isn't any "typical", other than what's there by default (which varies depending on your distro). But I will try to show some "typical-type" entries on the more granular end of the scale. Consider the following sudoers file:
User_Alias ADMINS = jon, user1, user2
Runas_Alias OP = root, user3
Host_Alias INTERNAL = 192.168.1.0/255.255.255.0
Cmnd_Alias POWER = /sbin/reboot, /sbin/poweroff
# The users in the ADMINS group can run any command from any terminal.
user1 ALL=(OP) ALL
# The user 'user1' can run any command from any terminal as any user in the OP group (root or user3).
user2 INTERNAL=(ALL) ALL
# user 'user2' may run any command from any machine in the INTERNAL network, as any user.
user3 ALL= POWER
# user user3 may run 'reboot' and 'poweroff' from any machine.
user4 ALL=(ALL) ALL
# user user4 may run any command from any machine acting as any user. (like Ubuntu)
This is just a basic example of what you can do; you can get very granular, and VERY complex. Just remember to ALWAYS edit the file via the 'visudo' command, rather than editing the file directly.
A couple of last sudo commands:
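An added example, not from the original article: a small Python audit that expands the aliases in a sudoers file like the one above and flags every rule that grants all commands, with or without a password. It parses only the one-rule-per-line subset used here; the `ADMINS ALL=(ALL) ALL` rule and the `jon` NOPASSWD line in the sample are assumptions filled in for illustration.

```python
import re

# Constructed sample: the article's example file, plus an assumed rule for the
# ADMINS alias and the article's NOPASSWD line with <user> replaced by "jon".
SAMPLE = """\
User_Alias ADMINS = jon, user1, user2
Runas_Alias OP = root, user3
Host_Alias INTERNAL = 192.168.1.0/255.255.255.0
Cmnd_Alias POWER = /sbin/reboot, /sbin/poweroff
ADMINS ALL=(ALL) ALL
user1 ALL=(OP) ALL
user2 INTERNAL=(ALL) ALL
user3 ALL= POWER
user4 ALL=(ALL) ALL
jon ALL=(ALL) NOPASSWD: ALL
"""

ALIAS = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")

def audit(text):
    """Return (user, runas, commands, level) per expanded rule. Simplified:
    no line continuations, negation, Defaults or #include handling."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS.match(line)
        if m:  # remember alias members so later rules can be expanded
            aliases[m.group(2)] = [v.strip() for v in m.group(3).split(",")]
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, runas, nopass, cmds = m.groups()
        cmd_list = [x for c in cmds.split(",")
                    for x in aliases.get(c.strip(), [c.strip()])]
        if "ALL" in cmd_list:
            level = "HIGH: any command, no password" if nopass else "REVIEW: any command"
        else:
            level = "ok: restricted command list"
        for user in aliases.get(who, [who]):  # expand User_Alias, if any
            findings.append((user, runas or "root", cmd_list, level))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```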
Note: That's a lowercase 'L', not an uppercase 'i'
This command will list the sudo "permissions" you have.
This will clear the cached password.
Thanks for reading! Why don't you tell me some of the crazier sudo configs you've seen or done in the comments section...?