4

I'm trying to set my local computer (which has Linux Mint 13 Maya) so that I can `chmod` & `chown` any file with my regular `max` user account.

Following this page, https://askubuntu.com/questions/159007/how-do-i-run-specific-sudo-commands-without-a-password

I've done the following:

```
# edit the /etc/sudoers file via `visudo`
sudo visudo

# in the file, added these lines:
Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
```

Then saved. (I got the locations for `chmod` and `chown` using `which`.)

So, my visudo file now looks like this:

```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```

This is the output from `sudo -l`:

```
$ sudo -l
Matching 'Defaults' entries for max on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User max may run the following commands on this host:
    (ALL) NOPASSWD: /bin/chmod, /bin/chown
    (ALL : ALL) ALL
```

I then open a new shell tab and try to `sudo chmod` a file which is owned by a different user & group, and it asks me for a password:

```
$ ls -l  tmp/0000000001
-rw------- 1 www-data www-data 19245781 Sep 10 16:59 tmp/0000000001

$ sudo chmod +w tmp/0000000001
[sudo] password for max:
```

Am I missing something here? I don't know if I've done it wrong or have misunderstood what I was actually trying to change.

Do I need to reboot, or reload/restart something to see the change?

Max Williams
  • 1,107
  • And when you do post there, remember to add the output of sudo -l and the lines in sudoers which come after the lines you added. – muru Sep 17 '15 at 13:20
  • Did you save and exit visudo or just save? – terdon Sep 17 '15 at 13:27
  • Save and exit (esc then :wq) – Max Williams Sep 17 '15 at 13:59
  • That's very odd. I just tried this on my LMDE (Linux Mint Debian) and it worked as expected. – terdon Sep 17 '15 at 14:22
  • I've added (to my question) the content of my visudo file and the output from sudo -l - can you see anything there which might be breaking it? – Max Williams Sep 17 '15 at 14:32
  • 1
    What's the output of `type -a chmod`? – terdon Sep 17 '15 at 14:38
  • chmod is /bin/chmod – Max Williams Sep 17 '15 at 14:45
  • That's really weird. Look, it really shouldn't be necessary, changes to sudoers take effect as soon as visudo is closed but you may as well reboot if possible, just to make sure there's nothing keeping visudo open somewhere. – terdon Sep 17 '15 at 14:46
  • What happens if you type the full path, i.e. `sudo /bin/chmod +w tmp/0000000001`? – Jenny D Sep 17 '15 at 14:50
  • @JennyD it still asks for my password. – Max Williams Sep 17 '15 at 14:53
  • 4
    Is max a member of the admin or sudo groups? (I think this is the case because `(ALL : ALL) ALL` appears in your `sudo -l` output). The config line for that group may be taking precedence over the NOPASSWD line. – Mark Plotnick Sep 17 '15 at 14:56
  • @MarkPlotnick When I tried adding my testuser to wheel in my test server, I got the same issue. You should post that as an answer. – Jenny D Sep 17 '15 at 15:01
  • 2
    The solution is to post the lines with NOPASSWD lower down in the config than the line granting ALL to the admin/wheel/sudo group. – Jenny D Sep 17 '15 at 15:02
  • @MarkPlotnick yes it is - `$ groups max` gives `max : max root adm cdrom sudo audio dip www-data plugdev fuse lpadmin netdev powerdev sambashare`, showing that max is in the sudo group. Would you mind doing an answer with a suggested fix? – Max Williams Sep 17 '15 at 15:03
  • @JennyD - that's fixed it, thanks! If you want to make that an answer I will mark it correct. – Max Williams Sep 17 '15 at 15:06
  • It was @MarkPlotnick that found it... although I found how to solve it, so I'll write it up :-) – Jenny D Sep 17 '15 at 15:07

1 Answer

5

The issue here is that there are two rules for this user:

```
(ALL) NOPASSWD: /bin/chmod, /bin/chown
(ALL : ALL) ALL
```

The second one comes from the line in sudoers reading

```
%sudo   ALL=(ALL:ALL) ALL
```

Sudo will use the first matching rule starting from the bottom of the file - so when you need to have different options for a subset of commands, you need to make sure that they are listed below the more generic line.

In other words, you need to make sure that the line

```
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
```

is placed after the line

```
%sudo   ALL=(ALL:ALL) ALL
```

in the file.

Jenny D
  • 13,172
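The ordering effect described in the answer can be checked mechanically. This is an added example, not part of the original thread and not sudo's own parser: `effective_rule`, `BEFORE` and `AFTER` are hypothetical names, and the parser assumes a small subset of the sudoers grammar (one tag per rule, `Cmnd_Alias` only, no `#includedir` handling).

```python
import re

# Constructed samples: the rule order from the question, then the corrected order.
BEFORE = """\
root    ALL=(ALL:ALL) ALL
Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
AFTER = """\
root    ALL=(ALL:ALL) ALL
Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
"""

# who  host = (runas)  [tag:]  commands   (simplified subset, an assumption)
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def effective_rule(sudoers, user, groups, command):
    """Return (line_no, needs_password) for the LAST rule matching the user
    and command, mirroring sudo's last-match behaviour; None if nothing matches."""
    lines = [l.split("#", 1)[0].strip() for l in sudoers.splitlines()]
    aliases = {}
    for line in lines:                      # first pass: collect command aliases
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
    result = None
    for no, line in enumerate(lines, 1):    # second pass: walk rules top to bottom
        m = SPEC.match(line)
        if not m or line.startswith(("Cmnd_Alias", "Defaults")):
            continue
        who, tag, cmds = m.groups()
        if not (who in (user, "ALL") or (who[0] == "%" and who[1:] in groups)):
            continue
        allowed = []
        for c in cmds.split(","):           # expand aliases into command paths
            allowed += aliases.get(c.strip(), [c.strip()])
        if "ALL" in allowed or command in allowed:
            result = (no, tag != "NOPASSWD")  # a later match overwrites an earlier one
    return result

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, effective_rule(text, "max", {"max", "sudo"}, "/bin/chmod"))
```

With the question's order the `%sudo` line is the last match and a password is required; with the `max` line moved below it, the NOPASSWD rule wins for `/bin/chmod` and `/bin/chown` only. The same check is worth running on any NOPASSWD rule before relying on it, since a rule for `chmod` and `chown` as root covers every file on the system.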