Ubuntu – Sudoers file, enable NOPASSWD for user, all commands



This is a fairly complex question related to the Sudoers file and the sudo command in general.

NOTE: I have made these changes on a dedicated machine running Ubuntu Desktop 13.04, that I use purely for learning purposes. I understand it's a huge security risk to enable NOPASSWD sudo.


Initially, my only change to the sudoers file (/etc/sudoers) was one line, a user specification that should have enabled 'nicholsonjf' to run all commands with sudo without having to enter a password (see the line that starts with 'nicholsonjf'):

# This file MUST be edited with the 'visudo' command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
nicholsonjf    ALL=NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

However, this did not work, and I was still prompted for my password every time I ran a command as 'nicholsonjf'. I was only able to start running sudo commands as 'nicholsonjf' once I removed 'nicholsonjf' from the sudo and admin groups.

Can anyone explain why this worked?

Is it because the user 'nicholsonjf' was inheriting sudo rights from the two group specifications of 'admin' and 'sudo' (seen below in the sudoers file), which were overriding the 'nicholsonjf' user specification because they were further down in the config file?

Best Answer

The line you added was overridden. From man sudoers:

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

In your case nicholsonjf was a member of the group sudo so for him this line applied:

%sudo   ALL=(ALL:ALL) ALL

If you want to override entries in /etc/sudoers just put the new entries after them.

The new entry should look like

myuser ALL=(ALL) NOPASSWD: ALL for a single user, or

%sudo ALL=(ALL) NOPASSWD: ALL for a group.