Sudoers Configuration - Passwordless Sudo
Quick Setup
- Edit the sudoers configuration through visudo, never with a plain editor (this applies to /etc/sudoers and to the files under /etc/sudoers.d/ alike): visudo locks the file, validates it and refuses to save a broken one.
sudo visudo -f /etc/sudoers.d/custom-users
- Add passwordless sudo rules for specific commands:
# Syntax: username ALL=(ALL) NOPASSWD: /path/to/command
# Example for user 'ansible'
ansible ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt
ansible ALL=(ALL) NOPASSWD: /usr/bin/systemctl
ansible ALL=(ALL) NOPASSWD: /usr/bin/docker
ansible ALL=(ALL) NOPASSWD: /bin/chown, /bin/chmod
Note that a rule naming only the binary allows it with any arguments; for docker, chown and chmod in particular that is root-equivalent (see Security Best Practices below).
If the account genuinely needs unrestricted root, the rule is the one the Security Best Practices section tells you to avoid; treat such an account exactly as you would a passwordless root login:
ansible ALL=(ALL) NOPASSWD: ALL
- Test the configuration:
# Verify syntax of the main file and every file it includes
sudo visudo -c
# List what the user may run and which entries are NOPASSWD
sudo -l -U ansible
# Run a command as the user; -n makes the inner sudo fail instead of
# prompting if no NOPASSWD rule matches
sudo -u ansible sudo -n systemctl status
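The three steps above as one script, added here as an example and not code from the original page: it renders a drop-in for a service account, lets visudo validate the file before sudo can ever read it, and installs it atomically with the 0440 mode. The account name, the drop-in file name and the command list are illustrative assumptions; the runas list is (root) rather than the page's (ALL) because the account only needs root.

```shell
#!/bin/sh
# Added example, not code from the original page: render a sudoers drop-in for a
# service account, validate it with visudo, and install it with the 0440 mode
# sudo requires. DROPIN, the account name and the command list are assumptions.
set -e

DROPIN=${DROPIN:-/etc/sudoers.d/ansible-maintenance}   # assumed file name

# render_rule USER CMD... -> one sudoers line. Each CMD is an absolute path,
# optionally followed by the exact arguments to allow, e.g.
# "/usr/bin/systemctl restart myapp.service"; a bare path allows any arguments.
render_rule() {
    user=$1; shift
    [ $# -gt 0 ] || { echo "render_rule: no commands given" >&2; return 1; }
    cmds=""
    for c in "$@"; do
        case $c in
            /*) ;;   # sudoers only matches fully qualified commands
            *)  echo "render_rule: '$c' must be an absolute path" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# render_file USER CMD... -> complete drop-in contents with a header comment.
render_file() {
    printf '# Passwordless sudo for %s. Edit with: visudo -f %s\n' "$1" "$DROPIN"
    render_rule "$@"
}

# install_dropin USER CMD...: write to a temp file whose name contains a "."
# (sudo skips such files in sudoers.d, so a half-written file is never parsed),
# let visudo reject syntax errors, then rename it into place. Must run as root.
install_dropin() {
    tmp=$(mktemp "${DROPIN%/*}/.${DROPIN##*/}.XXXXXX")
    render_file "$@" > "$tmp"
    chown root:root "$tmp"
    chmod 0440 "$tmp"
    visudo -c -q -f "$tmp"     # non-zero exit aborts the script via set -e
    mv "$tmp" "$DROPIN"        # same directory, so the rename is atomic
    sudo -l -U "$1"            # show the resulting grants
}

if [ "${SUDOERS_INSTALL:-0}" = 1 ]; then
    install_dropin ansible /usr/bin/apt-get /usr/bin/apt \
        '/usr/bin/systemctl restart myapp.service'
else
    # dry run: print what would be installed
    render_file ansible /usr/bin/apt-get /usr/bin/apt \
        '/usr/bin/systemctl restart myapp.service'
fi
```

Run it without arguments to see the rendered drop-in; run it as root with SUDOERS_INSTALL=1 to install it. The argument-pinned systemctl rule is the shape to prefer over a bare /usr/bin/systemctl: the user can restart that one unit and nothing else.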
Common Use Cases
Each rule below grants the listed binaries with any arguments. For a production account, pin the arguments wherever the task allows it (see Security Best Practices).
System Updates & Maintenance
username ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt, /usr/bin/apt-cache
username ALL=(ALL) NOPASSWD: /usr/bin/yum, /usr/bin/dnf
Service Management
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl
Docker Operations
username ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/local/bin/docker-compose
File Permissions
username ALL=(ALL) NOPASSWD: /bin/chown, /bin/chmod, /bin/chgrp
Log Management
username ALL=(ALL) NOPASSWD: /usr/sbin/logrotate, /bin/journalctl
(Check the path on your distribution with command -v journalctl; on most current systems it is /usr/bin/journalctl, with /bin a symlink to /usr/bin.)
Security Best Practices
- Never use username ALL=(ALL) NOPASSWD: ALL; it grants unrestricted root without a password.
- Be specific: use full paths (/usr/bin/apt, not apt). A bare command name is not a valid command specification in sudoers.
- Pin arguments where the task allows it. A rule that names only the binary permits every argument, and for several of the commands above that is root-equivalent: docker can mount the host filesystem into a container, chown and chmod can repermission any root-owned file (including the sudoers files themselves), apt-get and apt accept -o hook options that run arbitrary commands, and journalctl and systemctl open a root-owned pager from which a shell can be spawned. Name the exact arguments after the path (for systemctl, the action and the unit); an empty pair of double quotes after the path allows the command with no arguments at all.
- Prefer (root) to (ALL) as the runas list: (ALL) also lets the user run the command as any other account with sudo -u.
- Group related commands: separate them with commas on the same line.
- Use dedicated files under /etc/sudoers.d/ instead of editing the main /etc/sudoers.
- Validate syntax: always run sudo visudo -c after changes.
- Limit scope: only grant the commands that are actually needed, and review the result with sudo -l -U username.
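A script that checks rules against the list above, added here as an example and not code from the original page. It reads sudoers-style lines on stdin (for example cat /etc/sudoers.d/* | audit_sudoers) and prints one finding per rule: NOPASSWD: ALL, a non-absolute path, a known root-equivalent binary with unpinned arguments, any other unpinned command, and a (ALL) runas list where (root) would do. The table of root-equivalent commands is the editor's illustrative list, not an exhaustive one, and the sample rules at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page: audit sudoers-style rules for
# the problems the best-practice list describes. The "why" table is an
# illustrative, non-exhaustive list of commands that are root-equivalent when
# their arguments are not pinned.
audit_sudoers() {
    awk '
    BEGIN {
        why["docker"]     = "docker run -v /:/host gives a root shell on the host"
        why["chown"]      = "can take ownership of /etc/sudoers.d or any root-owned file"
        why["chmod"]      = "can make root-owned files writable or any binary setuid"
        why["chgrp"]      = "can hand group access to root-only files to the caller"
        why["apt-get"]    = "-o APT::Update::Pre-Invoke=... runs any command as root"
        why["apt"]        = "same APT hook options as apt-get"
        why["dnf"]        = "installs arbitrary packages, including setuid binaries"
        why["yum"]        = "installs arbitrary packages, including setuid binaries"
        why["journalctl"] = "pager escape (!sh inside less) gives a root shell"
        why["systemctl"]  = "pager escape via systemctl status, or linking a user-written unit"
        label[0] = "OK"; label[1] = "MEDIUM"; label[2] = "HIGH"; label[3] = "CRITICAL"
    }
    # blanks, comments, Defaults and alias definitions carry no grant
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        who = $1
        n = index($0, "NOPASSWD:")
        if (n == 0) { printf "OK %s: password still required\n", who; next }
        spec = substr($0, n + 9)           # the command list after the tag
        sev = 0; reason = "every command pins its arguments"
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL") { sev = 3; reason = "NOPASSWD: ALL is an unrestricted root shell"; break }
            nparts = split(c, parts, "[ \t]+")
            path = parts[1]; base = path; sub(/.*\//, "", base)
            if (path !~ /^\//) {
                if (sev < 2) { sev = 2; reason = path " is not an absolute path" }
            } else if (nparts == 1 && (base in why)) {
                if (sev < 2) { sev = 2; reason = path " with any arguments: " why[base] }
            } else if (nparts == 1) {
                if (sev < 1) { sev = 1; reason = path " accepts any arguments; pin them or use \"\" for none" }
            }
        }
        if (sev == 0 && $0 ~ /\(ALL\)/) {
            sev = 1; reason = "runas (ALL) allows any target user; (root) is usually enough"
        }
        printf "%s %s: %s\n", label[sev], who, reason
    }'
}

# Constructed sample (not taken from any real host) covering each finding.
sample_rules='# drop-in: constructed for the example
ansible ALL=(ALL) NOPASSWD: ALL
ops     ALL=(root) NOPASSWD: /usr/bin/docker
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
web     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx.service
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp.service, /usr/bin/systemctl status myapp.service
auditor ALL=(root) /usr/bin/journalctl
Defaults:deploy !requiretty'
printf '%s\n' "$sample_rules" | audit_sudoers
```

The severity is the worst command in the rule, so a line that mixes a pinned systemctl action with a bare /usr/bin/docker is reported as HIGH. The audit is a string check on the rule text, not a substitute for sudo -l -U, which shows the grants sudo itself has computed after aliases and Defaults are applied.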
Troubleshooting
Check which commands a user can run without password:
sudo -l -U username
Find command full path:
which apt-get
# Output: /usr/bin/apt-get
Syntax error prevention:
- Files must be owned by root with mode 0440 (visudo -f sets this automatically); a file writable by anyone other than root is refused.
- No syntax errors are allowed: visudo validates before saving, and a broken drop-in that reaches /etc/sudoers.d/ disables sudo for everyone until it is fixed.
- Tabs and spaces are interchangeable in sudoers, so indentation cannot cause a parse error. What is silently ignored is a file in /etc/sudoers.d/ whose name contains a "." or ends in "~" (editor backups), so a rule that appears to have no effect is often sitting in a mis-named file.