How does the ubuntu user on the AWS images for Ubuntu Server 12.04 have passwordless sudo for all commands when there is no configuration for it in /etc/sudoers?
I'm using Ubuntu server 12.04 on Amazon. I want to add a new user that has the same behavior as the default Ubuntu user. Specifically I want passwordless sudo for this new user.
So I've added a new user and went to edit /etc/sudoers (using visudo of course). From reading that file it seemed like the default ubuntu user was getting it's passwordless sudo from being a member of the admin group. So I added my new user to that. Which didn't work. Then I tried adding the NOPASSWD directive to sudoers. Which also didn't work.
Anyway, now I'm just curious. How does the ubuntu user get passwordless privileges if they aren't defined in /etc/sudoers. What is the mechanism that allows this?
5 Answers
Okay, I have discovered the answer so may as well put it here for completeness. At the end of /etc/sudoers there is what I thought was just a comment:
#includedir /etc/sudoers.dHowever this actually includes the contents of that directory. Inside of which is the file /etc/sudoers.d/90-cloudimg-ubuntu. Which has the expected contents
# ubuntu user is default user in cloud-images.
# It needs passwordless sudo functionality.
ubuntu ALL=(ALL) NOPASSWD:ALLSo that is where the sudo configuration for the default ubuntu user lives.
You should edit this file using visudo. The following command will let you edit the correct file with visudo.
sudo visudo -f /etc/sudoers.d/90-cloudimg-ubuntuAnd add a line like:
aychedee ALL=(ALL) NOPASSWD:ALLAt the end.
11I found that the most straight forward thing to do, in order to easily replicate this behavior across multiple servers, was the following:
sudo visudoChange this line:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALLto this line:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD:ALLAnd move it under this line:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALLyou should now have this:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD:ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.dthen for every user that needs sudo access WITH a password:
sudo adduser <user> sudoand for every user that needs sudo access WITH NO password:
sudo adduser <user> admin(on older versions of ubuntu, you may need to):
sudo service sudo restartAnd that's it!
Edit: You may have to add the admin group as I don't think it exists by default.
sudo groupadd adminYou can also add the default AWS ubuntu user to the admin group via this command:
sudo usermod ubuntu -g adminNote: As @hata mentioned, you may need to use adm as your admin group name, depending on which version of Ubuntu is being used.
I would create my own file under /etc/sudoers.d/ directory - the file created by Amazon Cloud might be overwritten in case of any update. After creating your file in /etc/sudoers.d, add this entry,
<your user name> ALL=(ALL) NOPASSWD:ALLReboot the system and this will work.
Short answer without using any editor (tested on bash, very risky to execute on remote hosts).
Configure sudo to work without a password for the current user:
echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoersCheck the edit with:
sudo visudo -cVerify if you can use sudo without a password:
sudo cat /etc/sudoers | grep "$USER"...or simply try it with:
sudo <anything>As I was researching this, I realized that there's a line in the /etc/sudoers file that is not a comment, but a directive that makes any file or folder under the directory /etc/sudoers/* override the contents of /etc/sudoers.
This is a sneaky little directive, as it appears to be a commented line upon first glance. It looks like this:
#includedir /etc/sudoers.dThis is how I've implemented the non-root, passwordless user in an ephemeral Docker Image for use in a CICD pipeline with the base image of ubuntu:18.04:
RUN \ useradd -U foo -m -s /bin/bash -p foo -G sudo && passwd -d foo && passwd -d root && \ sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \ sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \ sed -i /etc/sudoers -re 's/^#includedir.*/## Removed the #include directive! ##"/g' && \ echo "Customized the sudoers file for passwordless access!" && \ echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \ echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \ echo "foo user:"; su foo -c 'whoami && id' && \ echo "root user:"; su root -c 'whoami && id'What happens with the above code:
- The user and group
foois created. - The user
foois added to the both thefooandsudogroup. - The home directory is set to
/home/foo. - The shell is set to
/bin/bash. - The passwords for both
fooandrootare deleted. - The
sedcommand does inline updates to the/etc/sudoersfile to allowfooandrootusers passwordless access to thesudocommand. - The
sedcommand disables the#includedirdirective that would allow any files in subdirectories to override these inline updates.
