-2

In /etc/sudoers I added:
%myuser ALL=(ALL) NOPASSWD:ALL

Now if I type sudo apt update I don't need to type the password.
But I want full root permissions: namely, I want to use only apt update.
The apt is an example; I want FULL ROOT PERMISSIONS. Another example is to be able to create/modify files everywhere.

I tried to use the root line (root ALL=(ALL:ALL) ALL) in the myuser line but nothing:
%myuser ALL=(ALL:ALL) ALL

This is my /etc/sudoers file:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL
scorpion ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

%scorpion ALL=(ALL) NOPASSWD:ALL

Scorpion
  • 757
  • When you start a new shell session, you can just type sudo su - and you will become root and not have to use sudo. – Nasir Riley Sep 27 '18 at 22:31
  • It's bad practice to modify the root line in the sudoers file. Please undo the edit, and see my answer. – eyoung100 Sep 28 '18 at 02:47

3 Answers

7

The more secure way to run apt update with root privileges, without typing sudo apt update, would be to add an alias for apt to your user's profile:

  • alias apt='sudo apt'

Then, whenever you run apt update, or apt upgrade, or apt install <pkg>, the apt command will be run with root privileges. But other commands will just run as your normal user, with normal user privileges.


Now, acknowledging that there are valid reasons why we don't just run all users with root permissions, the following is a way you can give a user all the same permissions as root, that doesn't use sudo.

  • Change the user's UID and GID to 0 with usermod -ou 0 -g 0 <username>

This will change everything your <username> user does to run with root permissions. Everything.

Yes. I know this is massively insecure. But, it does answer the question.

If you choose this route, please do it on a system you don't mind re-installing from time to time. Running everything as root can end up having unforeseen consequences.

Tim Kennedy
  • 19,697
  • 3
    The usermod suggestion is the permanent solution the OP is asking for, hence the upvote. I will expect another question soon on how to recover the system after an accidental oops. – doneal24 Sep 27 '18 at 23:05
  • 1
    Everyone has to learn sometime. When I first started using Linux, I must have reinstalled my system almost daily, from screwing something up. Fixing screwups is really a great way to learn. :) – Tim Kennedy Sep 27 '18 at 23:07
  • 2
    I have told my staff multiple times that you're not a real sysadmin until you have totally destroyed at least one system, often a production server. :) – doneal24 Sep 27 '18 at 23:09
  • hahaha... that's so true! :D – Tim Kennedy Sep 27 '18 at 23:17
  • I already reinstalled the system some times :) Now I'm gonna try the usermod -ou 0 -g 0 <username>; changing only the UID (as told me before) is a bad idea. The apt is an example; I want all root permissions, so I can create/modify files everywhere. – Scorpion Sep 28 '18 at 08:12
  • I changed both but I have the same problem; this is my terminal: I have no name!@my-pc. I cannot use sudo or su. The root user is not allowed to log in on my system. I'm switching to Debian; now I'm on Ubuntu. I already know how to fix it. – Scorpion Sep 28 '18 at 08:21
  • I will try on Debian on my other PC, if it works there – Scorpion Sep 28 '18 at 08:23
  • It is working on Debian, so I have to change both UID and GID? – Scorpion Sep 28 '18 at 08:32
  • After reboot I can't log in. If I use passwd scorpion: user not exist. So I set the UID and GID as before, I tried to change the password but passwd: Authentication token manipulation error passwd: password unchanged. When I log in I get wrong password. – Scorpion Sep 28 '18 at 08:52
  • Anyway, changing the user's UID and GID to 0 is a bad idea. It will break the user. 0 is the root UID and GID so another user can't have it. Indeed when I changed them, before the reboot I saw root@debian-pc when I launched a normal terminal. – Scorpion Sep 28 '18 at 12:26
  • @TimKennedy You should remove the part "change the user's UID and GID to 0" because it will cause problems. If it were like you said, I would have the answer to my question, but it isn't so. – Scorpion Oct 02 '18 at 21:16
  • This doesn't cause an issue on systems where root isn't disabled. See the Debian Wiki: Root Account. Note that option 2: If not, no root account is enabled and the password of the first user created will be used for administration tasks. is still the default on Ubuntu. This was done to prevent the exact thing your question is asking us. The first user account is added automatically at install. – eyoung100 Oct 03 '18 at 06:27
  • @eyoung100 Did you read the updated question (and these comments)? I can't use the account anymore on Debian if I set UID and GID to 0. – Scorpion Oct 03 '18 at 07:10
  • When you set any account to have a UID/GID of 0/0, you give that account root equivalency in all privileges and restrictions by actually making that account the equal of root in every meaningful way. That is, the Effective GID/UID of every command that user runs is 0. Which is what you asked for, which many people told you is a bad idea. Now you have a better understanding of why people said it's a bad idea, and why so many sites on the internet advise against that kind of change. – Tim Kennedy Oct 03 '18 at 11:26
  • @TimKennedy I know that I can break the system having full root permission, but if I change UID/GID to 0 the account will be immediately unusable. – Scorpion Oct 04 '18 at 07:42
  • Only root can have 0 and anyway a user can't have the same UID as another, right? The GID I don't know. – Scorpion Oct 04 '18 at 07:45
  • You can create as many users as you want with the same UIDs and GIDs. That's literally why the useradd command has the -o, --non-unique option. Believe it or not, there are actually valid use cases for shared UIDs, generally pertaining to web and mail hosting, where the UIs that users use can use the username to distinguish users, but the mail or web system only needs 1 set of permissions to store mail or write files to document roots. Linux won't protect you from doing something against your best interests, though, so you have to understand your use case. – Tim Kennedy Oct 04 '18 at 12:36
  • @TimKennedy Right, it is really possible to share the UID, but isn't the 0 reserved to the root? That's why the user will be broken and the terminal said (before reboot) root@my-pc or something. – Scorpion Oct 04 '18 at 19:29
  • It's reserved to whatever user the system finds first with that UID. In fact, the UID is really the user, and the name is sort of arbitrary to the kernel. Only in much higher level applications (like a mail server) does the name matter. When you run id or whoami, on Linux, the system just reads the files and grabs the first name it finds with a matching UID. If I create users with the same ID and use SSH to login, I have to use the password that matches the name, so sshd or PAM must be username aware. Once I've logged in, though, whoami shows the first user whose UID matches. – Tim Kennedy Oct 04 '18 at 20:59
  • @TimKennedy Is there someone that is able to change the UID/GID to 0 and use the user? The only one that I found is this https://unix.stackexchange.com/questions/271197/pulseaudio-run-as-root#autocomment865498. He said that he changed user1:x:00:00:user1,,,:/home/user1:/bin/bash so he set UID/GID to 00? – Scorpion Oct 07 '18 at 18:45
  • Can you tag me? Because I don't receive a notification, I have to check manually. – Scorpion Oct 07 '18 at 18:46
  • @Scorpion I can. Now, since your UID is 0, you will have to enable root logins via SSH if that's the problem you have. In /etc/ssh/sshd_config: PermitRootLogin yes. Once you login, whoami and id will show you logged in as root, because you have UID 0, and they just search the user/group databases (as configured in nsswitch.conf) for the first match, but if you look at what directory you're in, it should show you in the /home/scorpion. Likewise, passwd scorpion will change the scorpion user password, but not the root password. – Tim Kennedy Oct 07 '18 at 21:19
  • @TimKennedy As I said in the updated question, in Debian and Ubuntu the user became unusable. Luckily I already planned to reinstall Debian (also it was an almost new installation). So I gave up and reinstalled Debian and now it is configured to use only the root. Because this question didn't find an answer and it is better if I directly use the root. – Scorpion Oct 08 '18 at 08:53
  • @Scorpion I'm using Ubuntu, and didn't have any problems related to it, other than ambiguous output by commands that just look up the UID in the user (nsswitch) database. You can always reset the UID/GID by manually editing /etc/passwd. You may not be able to do this via usermod or userdel because the tools may complain about the user account being in use. – Tim Kennedy Oct 08 '18 at 16:13
  • @TimKennedy you changed UID/GID to 0? – Scorpion Oct 08 '18 at 21:35
  • @Scorpion Yes. I did have to manually edit /etc/passwd when I was done, but I was able to ssh in as my alternate-uid-0 account. whoami still showed root as the user I was logged in as, but that's due to root being the first matching name in /etc/passwd. Change the order in /etc/passwd, so that your alternate user is above root, and all the tools will show the scorpion name. That's just a display feature though, not an actual systemic change. Processes running as UID 0 will still run as UID 0 regardless of which name is displayed. – Tim Kennedy Oct 10 '18 at 14:27
  • @TimKennedy only ssh or also "normal login" with your alternate-uid-0 account? – Scorpion Oct 11 '18 at 13:14
  • @Scorpion ahh. ssh. If you're getting locked out of normal logins, that is almost certainly because UID 0 has restrictions placed on which terminals they can log in to. These are in the file /etc/securetty. You'd need to add any tty's that you want your UID 0 scorpion user to be able to log into to that file. – Tim Kennedy Oct 11 '18 at 13:46
  • @Scorpion all of this sort of goes back to the point that while Linux won't protect you from yourself, the distro maintainers have worked pretty hard to protect you from yourself, and working around these protections puts your system at risk. I think it's important for sysadmins to really understand their systems, and why certain decisions are made, so that you can make good informed decisions about the best way to compromise between security and ease of use. – Tim Kennedy Oct 11 '18 at 13:49
  • @TimKennedy Exactly what do I have to modify in the securetty? How can I add all the possible tty? Can you test it? – Scorpion Oct 18 '18 at 08:56
  • @Scorpion Several ways. Individually add all possible entries to /etc/securetty; add wildcards such as pts/[0-9]* to /etc/securetty; remove the call to pam_securetty.so in /etc/pam.conf, or /etc/pam.d/login, etc. – Tim Kennedy Oct 18 '18 at 12:06
  • @TimKennedy Can you explain it better? Which are all possible entries? And the wildcards? Which call in /etc/pam.d/login? There I can see: # Disallows root logins except on tty's listed in /etc/securetty (Replaces the `CONSOLE' setting from login.defs) – Scorpion Oct 19 '18 at 16:33
  • @Scorpion there are too many possibilities to list them all in a comment here, especially given variations in hardware. Much easier to just remove the file. Basically, just do the opposite of everything in this article: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s2-wstation-privileges-noroot.html – Tim Kennedy Oct 19 '18 at 18:05
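The UID sharing and first-match name lookup discussed in the answer and comments above can be audited on a host with a short script. This is an added example, not part of the original answer or comments; every passwd entry in it (including mail1 and mail2) is constructed sample data, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts sharing UID 0 or any
# other UID. All entries below are constructed sample data.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
scorpion:x:0:0:Scorpion,,,:/home/scorpion:/bin/bash
mail1:x:1001:1001::/var/mail/u1:/usr/sbin/nologin
mail2:x:1001:1001::/var/mail/u2:/usr/sbin/nologin
EOF
}

# Names of every account whose UID field is 0 (also matches "00"), in file order.
uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "$1"
}

# UIDs held by more than one name, printed as "uid:name1,name2".
shared_uids() {
    awk -F: '
        NF >= 7 {
            if ($3 in names) names[$3] = names[$3] "," $1
            else { names[$3] = $1; order[++n] = $3 }
            count[$3]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i] ":" names[order[i]]
        }' "$1"
}

# The name a UID-to-name lookup in this file yields: the first matching entry,
# which is why whoami printed "root" for the renumbered account.
resolved_name() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Stand-alone run: audit the file given as $1, or the sample when none is given.
file=${1:-}
if [ -z "$file" ]; then file=$(mktemp); sample_passwd > "$file"; fi
echo "UID 0 accounts: $(uid0_accounts "$file" | tr '\n' ' ')"
echo "Shared UIDs:    $(shared_uids "$file" | tr '\n' ' ')"
echo "UID 0 shows as: $(resolved_name "$file" 0)"
```

Run it with `/etc/passwd` as the argument to audit a real system; any name other than root in the first line of output is a root-equivalent account.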
0

You can type sudo -i, then you get an interactive root shell and don't have to type sudo before each command.

RalfFriedl
  • 8,981
  • I want a permanent solution. – Scorpion Sep 27 '18 at 21:56
  • Then place that command in the user's .profile. Or let the user login as root. – RalfFriedl Sep 27 '18 at 22:01
  • How can I let the user login as root? – Scorpion Sep 27 '18 at 22:08
  • I just set a password for root and can login as root. If your distribution disables root login, you should find out how it is done and undo it. Or at least mention what distribution you are using. – RalfFriedl Sep 27 '18 at 22:17
  • Right, but I don't want to login as root; I want the user to become a "second" root. – Scorpion Sep 27 '18 at 22:22
  • Then why do you ask how to do it? I already suggested placing the command into the user's .profile. If you also don't want that, then please edit the question and be very specific about what you really want. – RalfFriedl Sep 27 '18 at 22:25
  • The title isn't clear? Using the `.profile' is almost good but if I created a folder later I won't be able to see it, right? Btw when you said "Or let the user login as root." I thought you meant that (Grant full root permissions to a user). – Scorpion Sep 27 '18 at 22:29
  • To make a user a "second" root, change their UID to 0 in /etc/passwd. – Joseph Sible-Reinstate Monica Sep 27 '18 at 23:01
0

Using Gentoo's /etc/sudoers file as a default, you have two options:

Option 1:


## sudoers file.
.. snip ..
## User privilege specification
##
root ALL=(ALL) ALL
## Add your user here.  This allows you to run all commands as root, 
## not just the update commands.
scorpion ALL=(ALL) ALL
.. snip ..

Option 2:


## sudoers file.
.. snip ..
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef
User_Alias  UPDATERS = scorpion
##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#               /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
Cmnd_Alias  UPDATE = /path/to/apt-get, /path/to/apt
.. snip ..
##
## User privilege specification
##
root ALL=(ALL) ALL
UPDATERS ALL=NOPASSWD: UPDATE

Notes

  1. This example assumes your username is scorpion.
  2. I assume the paths to all the apt commands are in /sbin, but Gentoo doesn't use apt or apt-get, so don't forget to edit.
  3. This can be done without adding Command Aliases, and User Aliases, but IMHO, the aliases make it easier to add commands, and to debug if needed.
eyoung100
  • 6,252
  • 23
  • 53
  • Option is not working; it is similar to using the root line for my user. Option 2 is for apt only, right? I want to grant full root permissions, not only apt. – Scorpion Sep 28 '18 at 09:03
  • If you want full permission everywhere then add your user to the sudo group, aka wheel, and remove the comment on the line starting %sudo ALL = ALL... with the nopasswd option. It may read %wheel. You cannot do what you're asking, as sudo sets the proper permissions bit, and the UID/GID of 0 should always belong to root as @TimKennedy pointed out. – eyoung100 Sep 28 '18 at 09:41
  • Follow @TimKennedy's answer, and set your UID and GID to zero, thereby replacing the root user with your user. The reason it's "massively insecure" is because you have removed all safety measures. See What's wrong with always being root? Before I can advise you on the proper configuration, should you decide against Tim's answer I need to know what distribution you're using. – eyoung100 Oct 03 '18 at 06:15
  • And did you read my comment in Tim's answer? It breaks in all Debian and Debian relatives because Debian is designed to prevent what you're asking. – eyoung100 Oct 03 '18 at 07:08
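Option 2 from the answer above can be kept out of the main file by writing it as a drop-in for /etc/sudoers.d/ and syntax-checking it with visudo before it goes live. This is an added example, not code from the answer; the function names, the drop-in name `updaters` and the `/usr/bin/apt` and `/usr/bin/apt-get` paths are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: render the answer's Option 2 as a sudoers drop-in and refuse
# to use it unless visudo accepts it. User name and paths are assumptions.

# Emit aliases plus a rule letting user $1 run only the listed commands.
# sudoers expects fully qualified command paths, so relative names are refused.
render_dropin() {
    user=$1; shift
    cmds=
    for c in "$@"; do
        case $c in
            /*) cmds="${cmds:+$cmds, }$c" ;;
            *)  echo "refusing non-absolute command: $c" >&2; return 1 ;;
        esac
    done
    [ -n "$cmds" ] || return 1
    printf 'User_Alias  UPDATERS = %s\n' "$user"
    printf 'Cmnd_Alias  UPDATE = %s\n' "$cmds"
    printf 'UPDATERS ALL=NOPASSWD: UPDATE\n'
}

# Syntax-check a candidate file. Fails closed: without visudo nothing passes,
# because a broken file under /etc/sudoers.d/ can stop sudo from working.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    visudo -cf "$1" >/dev/null 2>&1
}

tmp=$(mktemp)
if render_dropin scorpion /usr/bin/apt /usr/bin/apt-get > "$tmp" && check_dropin "$tmp"; then
    cat "$tmp"
    # As root: install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/updaters
fi
rm -f "$tmp"
```

A rule limited to a package manager still gives that user root-equivalent power, since packages run their maintainer scripts as root, so treat membership in UPDATERS as an administrative grant.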