2

My sudo version is

$ sudo --version
Sudo version 1.8.16
Sudoers policy plugin version 1.8.16
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.16

$ which sudo
/usr/bin/sudo

$ whereis sudo
sudo: /usr/bin/sudo /usr/lib/sudo /usr/share/man/man8/sudo.8.gz

I added a line to /etc/sudoers following the line for root:

# User privilege specification
root    ALL=(ALL:ALL) ALL
# my change for scaling down cpu freq
t       ALL=(ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh

But after I reboot Ubuntu 16.04, I still need to provide a password when running the script with sudo:

$ sudo /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh  1600000
[sudo] password for t: 

I was wondering why?

Note that in /etc/sudoers,

  • I notice that the separator between root and ALL is a tab, and I also separate t and ALL with a tab, and the other separators are spaces. Originally I separated t and ALL with a few spaces, which didn't work. Does what the separator is matter?

  • /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh is a pathname without any symlink, and originally, I tried a symlink, which didn't work. Does a symlink matter or not?

Thanks.


Update:

As the reply by steve suggested, I changed the line in /etc/sudoers to be

t       ALL=(ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh *

by adding * at the end, but it doesn't work.

Currently my /etc/sudoers looks like

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
# my change for scaling down cpu freq
# t     ALL=(ALL:ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh *
t ALL=(ALL:ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh *

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

The groups of t include adm (is adm the same as admin?) and sudo:

$ groups t
t : t adm cdrom sudo dip plugdev lpadmin sambashare

The commands allowed to be run by t are:

$ sudo -l
Matching Defaults entries for t on ocean:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User t may run the following commands on ocean:
    (ALL : ALL) NOPASSWD:
        /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh *
    (ALL : ALL) ALL
Tim

2 Answers

4

Besides the argument, as @steve mentions, change ALL=(ALL) to ALL=(ALL:ALL), as in:

t ALL=(ALL:ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh *

If the user t belongs to the sudo or admin group, you also have to put that line after the generic rules for the admin and sudo group. Per man sudoers, the last line contemplating a condition wins:

When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

Thus, if the more restrictive conditions are met on your now last line, the NOPASSWD directive will be applied, and then the password won't be asked anymore.

Rui F Ribeiro
  • Thanks. It doesn't work. Does (ALL:ALL) mean all terminals and all target users, right? – Tim Apr 01 '18 at 21:28
  • see https://ubuntuforums.org/showthread.php?t=1918842 – Rui F Ribeiro Apr 01 '18 at 21:34
  • Thanks. Moving the new line to the end of the file works. – Tim Apr 01 '18 at 21:58
  • Is adm the same group as admin? – Tim Apr 01 '18 at 22:09
  • It is not the same... But t belongs to the sudo group, the %sudo line was taking precedence. – Rui F Ribeiro Apr 01 '18 at 22:35
  • Does %sudo ALL=(ALL:ALL) ALL not imply that all users in sudo group including t will be allowed to execute all commands including my script as all users including root? So why do I need to add the new line to /etc/sudoers? – Tim Apr 01 '18 at 22:44
  • You are creating a special case for it to happen without asking a password – Rui F Ribeiro Apr 01 '18 at 22:48
  • What does %sudo ALL=(ALL:ALL) ALL mean? I think it means that all users in sudo group (including user t) are allowed to execute all commands (including my script) as all users (including root)? So why do I need to create a special case for t and my script? – Tim Apr 01 '18 at 22:52
  • I think you are overlooking the NOPASSWD directive – Rui F Ribeiro Apr 01 '18 at 22:55
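
The ordering effect discussed in this answer, as an added example that is not part of the original answer or its comments: a simplified Python model of the sudoers last-match rule, run against the rule order from the question and against the order after t's line is moved to the end. It is not sudo's parser; it handles only single-command `who host=(runas) [NOPASSWD:] command` lines, and the function names are hypothetical.

```python
import fnmatch
import re

# Simplified model of "last match wins" in sudoers; not sudo's real grammar.
RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\([^)]*\)\s+(?P<tag>NOPASSWD:\s*)?(?P<cmd>.+)$")
SCRIPT = "/home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh"
GROUPS = {"t", "adm", "cdrom", "sudo", "dip", "plugdev", "lpadmin", "sambashare"}

# Rule order as posted in the question (t's line sits before %sudo).
BEFORE = f"""
root    ALL=(ALL:ALL) ALL
t ALL=(ALL:ALL) NOPASSWD: {SCRIPT} *
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
# Same rules with t's line moved to the end of the file.
AFTER = f"""
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
t ALL=(ALL:ALL) NOPASSWD: {SCRIPT} *
"""

def parse(text):
    """Return (who, path, args_pattern_or_None, nopasswd) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else RULE.match(line)
        if m:
            path, _, args = m.group("cmd").partition(" ")
            rules.append((m.group("who"), path, args.strip() or None, bool(m.group("tag"))))
    return rules

def needs_password(rules, user, groups, path, args):
    """True/False for the last matching rule; None if no rule matches."""
    verdict = None
    for who, r_path, r_args, nopasswd in rules:
        user_ok = who == user or (who.startswith("%") and who[1:] in groups)
        path_ok = r_path in ("ALL", path)
        args_ok = r_args is None or fnmatch.fnmatchcase(" ".join(args), r_args)
        if user_ok and path_ok and args_ok:
            verdict = not nopasswd  # a later match overwrites an earlier one
    return verdict

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "password required:",
              needs_password(parse(text), "t", GROUPS, SCRIPT, ["1600000"]))
```
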
3

Perhaps the fact you're passing an argument is causing the issue.

Instead of:

t       ALL=(ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh

try this:

t       ALL=(ALL) NOPASSWD: /home/t/program_files/hardware/cpu/cpuFreq/changeCpuFreq.sh *
steve
  • I could swear newer versions of sudo require the latter syntax. – Rui F Ribeiro Apr 01 '18 at 20:39
  • Thanks. In /etc/sudoers, does using a pathname containing symlink(s) matter? Furthermore, when running the command via its symlink path with sudo, would there still be a password prompt if the symlink is searched in the invoking user's PATH, e.g. sudo -E env "PATH=$PATH" changeCpuFreq.sh 1600000? – Tim Apr 01 '18 at 20:57
  • Also adding * doesn't work. See my update. I also added my sudo version. – Tim Apr 01 '18 at 21:13
  • Thanks. After moving the new line to the end of /etc/sudoers, it works both with and without *. – Tim Apr 01 '18 at 23:55
  • @Rui: Could you elaborate "newer versions of sudo require the latter syntax"? My Sudo version is 1.8.16, and after moving the new line to the end of /etc/sudoers, it works both with and without *. – Tim Apr 02 '18 at 12:01
  • I had to add the * in several sudoers rules in a couple of servers that had rules for non-privileged users when I migrated my Debian infrastructure from Debian 8 to 9 – Rui F Ribeiro Apr 02 '18 at 12:10
  • @Rui Which version of sudo were you using? – Tim Apr 02 '18 at 12:48
  • Jessie 1.8.10, Stretch 1.8.19 – Rui F Ribeiro Apr 02 '18 at 13:00