Why is sudoers NOPASSWD option applying the exception to ROOT instead of specified user?

/etc/sudoers:

    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root    ALL=(ALL:ALL) ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL

    # See sudoers(5) for more information on "#include" directives:

    #includedir /etc/sudoers.d

    h ALL=NOPASSWD: /usr/bin/brightlight -i 20 -f /sys/class/backlight/amdgpu_bl0

But doing the command still gives me a permission error.

    h@pop-os:~$ brightlight -i 20 -f /sys/class/backlight/amdgpu_bl0
    brightlight: could not open "brightness" file: Permission denied

Also

    h@pop-os:~$ sudo -l
    Matching Defaults entries for h on pop-os:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User h may run the following commands on pop-os:
        (ALL : ALL) ALL
        (root) NOPASSWD: /usr/bin/brightlight -i 20 -f /sys/class/backlight/amdgpu_bl0

Things I have tried:

  • Rebooting
  • Creating a file in /etc/sudoers.d/brightlight with the last line of the config above

EDIT: Fixed, you need to add sudo, and it won’t prompt you for a password

sudoers command as a different user

I regularly need to drop a postgres database and recreate it. It has to be done as the postgres user, as follows:

    $ sudo -u postgres dropdb my_database

I thought of adding sudoers rules for not being asked a password. Usually I proceed by creating a file in /etc/sudoers.d/ with a rule like this one:

    Cmnd_Alias DROP_DB = /bin/bash -l -c dropdb*, /usr/bin/dropdb*
    emilio ALL = NOPASSWD: DROP_DB

But in this use case, I need to run the command as the postgres user and it doesn’t work.

What is the proper way to run a command as a different user without being asked for a password?
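How sudo reads the run-as part of the rules quoted in the two questions above, shown as an added example that is not part of the original posts: a simplified Python reader for one user-specification line, rendering it the way `sudo -l` does. The function names are hypothetical and the `(postgres)` rule is constructed for illustration; aliases, escaped commas, line continuations and rule ordering are not modelled.

```python
import re

# Simplified reader for ONE sudoers user specification:
#   user host = [(runas_user[:runas_group])] [TAG: ...] command[, command ...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def parse_user_spec(line):
    m = SPEC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a simple user specification: {line!r}")
    if m.group("runas") is None:
        # sudoers(5): with no Runas_Spec the command may be run as root only.
        users, groups = ["root"], []
    else:
        u, _, g = m.group("runas").partition(":")
        users = [x.strip() for x in u.split(",") if x.strip()]
        groups = [x.strip() for x in g.split(",") if x.strip()]
    return {
        "user": m.group("user"), "host": m.group("host"),
        "runas_users": users, "runas_groups": groups,
        "tags": re.findall(r"[A-Z_]+", m.group("tags")),
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }

def as_sudo_l(spec):
    """Render the rule the way `sudo -l` lists it: (runas) TAG: command."""
    runas = ", ".join(spec["runas_users"])
    if spec["runas_groups"]:
        runas += " : " + ", ".join(spec["runas_groups"])
    tags = "".join(t + ": " for t in spec["tags"])
    return f"({runas}) {tags}{', '.join(spec['commands'])}"

def passwordless_as(spec, target_user):
    """True if the rule covers `sudo -u target_user` with the NOPASSWD tag."""
    runas_ok = "ALL" in spec["runas_users"] or target_user in spec["runas_users"]
    return runas_ok and "NOPASSWD" in spec["tags"]

if __name__ == "__main__":
    page_rule = "emilio ALL = NOPASSWD: DROP_DB"  # rule as posted on the page
    runas_rule = "emilio ALL = (postgres) NOPASSWD: /usr/bin/dropdb my_database"  # constructed
    for rule in (page_rule, runas_rule):
        spec = parse_user_spec(rule)
        print(as_sudo_l(spec), "->", passwordless_as(spec, "postgres"))
```

A rule with no parenthesised run-as list is listed as `(root)`, which is the target account rather than the account the exception applies to; a drop-in carrying an explicit run-as list can be syntax-checked with `visudo -cf` before it is installed.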

Dialogs still ask for user password (instead of root’s) after adding rootpw to sudoers file

To add an extra layer of security I’m using the rootpw option in the sudoers file and while it works perfectly fine from the shell, when a specific command invokes the GUI version of “elevation”, only the user password will work in that case and not the root password. Do I need to change anything in PolicyKit config?

Kubuntu 18.10

I’d like the root password to be used everywhere, any ideas?

Using SUID program to avoid having entries in sudoers

Well, I’ve done a lot of reading and documentation around possible exploitation of sudoers files and SUID programs, but don’t have a deep enough knowledge to pick up the wisest possible solution for my problem.

We’re currently developing a Qt-based tool on Ubuntu for upgrade/rollback management of our main application.
So as you might have guessed, the said tool is making extensive use of apt install/purge and dpkg commands, that happen to be executable only with root privileges, which the tool does not have, as it is meant to be executed only within the limited-privileges user’s context.

To circumvent this limitation, the team has chosen the most straightforward solution: adding appropriate entries in the user’s sudoers file for the aforementioned commands.
BUT, as far as I know, this opens up a dangerous vulnerability in the system, as an attacker who would gain only limited access to the machine might then remove important components of the underlying Linux system (systemd for instance), thus making the system crash.

As I’m the only cybersecurity engineer in the team, I’m trying to find the safest and most recommended way to mitigate this flaw, but so far could think of only one alternative: turning the upgrade tool into a SUID program.
The thing is: SUID programs have a nefarious reputation when it comes to privilege escalation vulnerabilities they might expose on the target system (see here for a checklist of all the considerations to implement in order not to mess up everything when writing a SUID program).

The question is: is going through this painful process really worth it?
Is there any other way we could safely use apt/dpkg commands without all the hassle of SUID implementation, and without making the upgrade tool run with superuser mode?

Note: a lot of questions on Stack Exchange cover SUID related concerns, but none actually discusses the specific use case we’re dealing with.

sudo command sudo: /etc/sudoers is world writable sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin

I have run this command by mistake: chmod -R 777 ./*. Now I am not able to use sudo and can’t open folders as root.

    sudo: /etc/sudoers is world writable
    sudo: no valid sudoers sources found, quitting
    sudo: unable to initialize policy plugin

Can’t run visudo within Docker; sudoers file does not exist

Ubuntu n00b here. I am tinkering with a Docker container that I created using the following simple Dockerfile:

    FROM ubuntu
    CMD ["tail","-f","/dev/null"]

Inside the container, as the root user, I try running visudo and get the following response:

bash: visudo: command not found

I ran ls /etc and it seems I don’t have a sudoers file either.

Is there something special I should have put in my Dockerfile to make these exist?