Sudoers Configuration - Passwordless Sudo

Quick Setup

  1. Edit the sudoers file (never edit /etc/sudoers directly):

```bash
sudo visudo -f /etc/sudoers.d/custom-users
```

  2. Add passwordless sudo rules for specific commands:

```bash
# Syntax: username ALL=(ALL) NOPASSWD: /path/to/command

# Example for user 'ansible'
ansible ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt
ansible ALL=(ALL) NOPASSWD: /usr/bin/systemctl
ansible ALL=(ALL) NOPASSWD: /usr/bin/docker
ansible ALL=(ALL) NOPASSWD: /bin/chown, /bin/chmod
```

If you need a fully privileged user:

```bash
ansible ALL=(ALL) NOPASSWD: ALL
```

  3. Test the configuration:

```bash
# Verify syntax
sudo visudo -c

# Test as the user
sudo -u ansible sudo systemctl status
```

Common Use Cases

System Updates & Maintenance

```bash
username ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt, /usr/bin/apt-cache
username ALL=(ALL) NOPASSWD: /usr/bin/yum, /usr/bin/dnf
```

Service Management

```bash
username ALL=(ALL) NOPASSWD: /usr/bin/systemctl
```

Docker Operations

```bash
username ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/local/bin/docker-compose
```

File Permissions

```bash
username ALL=(ALL) NOPASSWD: /bin/chown, /bin/chmod, /bin/chgrp
```

Log Management

```bash
username ALL=(ALL) NOPASSWD: /usr/sbin/logrotate, /bin/journalctl
```

Security Best Practices

  • Never use: username ALL=(ALL) NOPASSWD: ALL (grants unrestricted access)
  • Be specific: Use full paths (/usr/bin/apt not just apt)
  • Group related commands: Separate them with commas on the same line
  • Use dedicated files: /etc/sudoers.d/ instead of main /etc/sudoers
  • Validate syntax: Always run sudo visudo -c after changes
  • Limit scope: Only grant access to commands that are actually needed
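
As an added check (an example script written here, not part of the original page) that applies the first two practices above to a sudoers fragment: it flags every NOPASSWD rule that grants ALL or names a command without its full path, and skips commented-out rules. The fragment it audits is constructed inline; the function names and the SAMPLE_FRAGMENT path are assumptions.

```bash
#!/bin/sh
# Classify one entry of a NOPASSWD command list: print a reason if it is risky, nothing if acceptable.
check_command() {
    cmd=$1
    cmd=${cmd#"${cmd%%[![:space:]]*}"}    # strip leading whitespace
    cmd=${cmd%"${cmd##*[![:space:]]}"}    # strip trailing whitespace
    case "$cmd" in
        ALL) echo "grants ALL" ;;                 # unrestricted root (the "never use" rule above)
        ''|/*) ;;                                 # empty, or a full path: acceptable
        *)   echo "relative command '$cmd'" ;;    # not a full path, e.g. apt instead of /usr/bin/apt
    esac
}
# Print one line per risky NOPASSWD rule in a sudoers file, as "<line>: <reason>: <rule>".
# Commented-out rules are skipped. Returns 1 if anything was flagged, 0 if the file is clean.
audit_sudoers_file() {
    findings=$(
        grep -n 'NOPASSWD:' "$1" | grep -v '^[0-9]*:[[:space:]]*#' | while IFS= read -r numbered; do
            lineno=${numbered%%:*}
            rule=${numbered#*:}
            spec=${rule#*NOPASSWD:}         # the comma-separated command list
            spec=${spec%%[[:space:]]#*}     # drop a trailing comment
            rest=$spec
            while [ -n "$rest" ]; do
                case "$rest" in
                    *,*) cmd=${rest%%,*}; rest=${rest#*,} ;;
                    *)   cmd=$rest; rest='' ;;
                esac
                reason=$(check_command "$cmd")
                [ -z "$reason" ] || printf '%s: %s: %s\n' "$lineno" "$reason" "$rule"
            done
        done
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
# Constructed sample fragment (not from the page) mixing acceptable and risky rules.
SAMPLE_FRAGMENT=$(mktemp)
cat > "$SAMPLE_FRAGMENT" <<'EOF'
# constructed /etc/sudoers.d/custom-users for demonstration
ansible ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt
ansible ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy  ALL=(ALL) NOPASSWD: ALL                    # unrestricted: flagged
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync, tar    # relative 'tar': flagged
#ops    ALL=(ALL) NOPASSWD: ALL                    # commented out: ignored
EOF

audit_sudoers_file "$SAMPLE_FRAGMENT" || echo "risky rules found in $SAMPLE_FRAGMENT"
```

Run it against each file in /etc/sudoers.d/ after `sudo visudo -c` passes; a syntactically valid file can still be far too broad, which is what this check catches.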

Troubleshooting

Check which commands a user can run without password:

```bash
sudo -l -U username
```

Find command full path:

```bash
which apt-get
# Output: /usr/bin/apt-get
```

Syntax error prevention:

  • File permissions must be 0440 (visudo handles this automatically)
  • No syntax errors allowed (visudo validates before saving)
  • Use tabs, not spaces, in some configurations (visudo handles this)