August 18, 2010, 5:39 PM — Sudo is well known for its ability to provide very limited scope superuser privileges to otherwise normal users on Unix systems. Thus the name "sudo" (for "superuser do"). Users who run commands with sudo generally have to enter their own passwords to confirm their identities before sudo will run the commands with the authority of root. But this doesn't always have to be the case. Let's take a look at what you have to do to configure exceptions to this behavior. How do you allow a particular user to run a particular command via sudo without having to enter a password?
First, why might you want to do this? Well, you might want to put a sudo command in a script. If you do, you could send the password to sudo with an "echo password | sudo -S command" type of construct, but putting passwords in scripts is generally frowned on by the security-conscious admins among us.
Instead, you could configure the account that will run the script to not required to supply a password for the particular command. Let's look at an example.
Say your user's username is "squarepants" and you wanted him to be able to share and unshare a particular directory on a server. You might add these lines to your sudoers file:
# Allow specific users to share and unshare reports squarepants ALL=NOPASSWD:/usr/sbin/share /var/data/reports squarepants ALL=NOPASSWD:/usr/sbin/unshare /var/data/reports
If squarepants uses the share or unshare command for the /var/data/reports directory, he will not be prompted for a password, but for any other directory, he will both be asked for a password and be denied.
$ sudo unshare /var/data/reports $ share - /var/data/reports $ sudo share /var/data/logs Sorry, user squarepants is not allowed to execute '/usr/sbin/share /var/data/logs' as root on server1.
If your users are going to share and unshare on the command line, they won't need to run the commands without a password, but if they're going to include these commands in a script, removing the need to supply a password is actually a safer and better option than putting the password in the script.