Solved How to allow users to issue sudo command and be root and skip asking for password when sudo command is issued.

[ZioMario]

Hello.

I would like to allow the user marietto to issue sudo command and be root and skip asking for password when sudo command is issued. I'm trying several command variations,but none of them is working :

# pw group mod wheel -m marietto

# nano /usr/local/etc/sudoers :

%wheel ALL=(ALL:ALL) NOPASSWD: ALL

or :

marietto ALL=(ALL:ALL) NOPASSWD: /sbin/zpool

or :

marietto ALL=(ALL) NOPASSWD: ALL

or :

marietto ALL=(ALL) NOPASSWD : /sbin/zpool

Nothing. I don't understand why it does not work....

[marietto@marietto /mnt/zroot2/zroot2]==> sudo zpool export zroot-133
Password:

 

[NapoleonWils0n]

use doas much easier

sudo pkg install doas

/usr/local/etc/doas.conf

# permit user
permit keepenv :djwilcox

# mount drives
permit nopass :djwilcox cmd mount
permit nopass :djwilcox cmd umount

# restart networking
permit nopass :djwilcox cmd service args netif start
permit nopass :djwilcox cmd service args netif stop
permit nopass :djwilcox cmd service args netif restart

# ifconfig wlan0
permit nopass :djwilcox cmd ifconfig args wlan0 up
permit nopass :djwilcox cmd ifconfig args wlan0 down

# ifconfig ue0 - usb ethenet
permit nopass :djwilcox cmd ifconfig args ue0 up
permit nopass :djwilcox cmd ifconfig args ue0 down

# ifconfig scan and wpa_supplicant
permit nopass :djwilcox cmd ifconfig args wlan0 list scan
permit nopass :djwilcox cmd wpa_supplicant args -B -i wlan0 -c /etc/wpa_supplicant.conf

# pkg update
permit nopass :djwilcox cmd pkg args update

# pkg upgrade
permit nopass :djwilcox cmd pkg args upgrade

# dmesg
permit nopass :djwilcox cmd dmesg

# sysctl
permit nopass :djwilcox cmd sysctl

# chroot
permit nopass :djwilcox cmd chroot

# jail
permit nopass :djwilcox cmd jexec
permit nopass :djwilcox cmd service
permit nopass :djwilcox cmd jls

# pacman
permit nopass :djwilcox cmd pacman

# root as root
permit nopass keepenv root as root

 

[mro]

I agree concerning security/doas - but check that your session really has group wheel:

$ groups
... wheel ...

 

[Alain De Vos]

when i do su i have to enter a password. Meaning it is much safer then sudo without password.

 

[BjarneB]

Hello.

I would like to allow the user marietto to issue sudo command and be root and skip asking for password when sudo command is issued. I'm trying several command variations,but none of them is working :

# pw group mod wheel -m marietto

# nano /usr/local/etc/sudoers :

%wheel ALL=(ALL:ALL) NOPASSWD: ALL

This should work. Maybe log out and log in again.
Also check you self with "id marietto"

 

[Minbari]

Logout/reboot after modifying sudoers?

 

[SirDice]

Logout/reboot after modifying sudoers?

Not necessary. You do need to logoff/login when you change group membership of an account.

 

[ZioMario]

I don't want to use a password only when I run "sudo zpool import -f -R /mnt/zroot2 zroot2" as user "marietto" that's inside the wheel group.

 

[ZioMario]

I agree concerning security/doas - but check that your session really has group wheel:

$ groups
... wheel ...

nano /etc/group :

wheel:*:0:root,marietto

[marietto@marietto /mnt/zroot2/zroot2]==> id marietto
uid=1001(marietto) gid=1001(marietto) groups=1001(marietto),0(wheel),5(operator),44(video)

 

[mro]

when i do su i have to enter a password. Meaning it is much safer then sudo without password.

passing around the root password and using it on a regular basis isn't a safe alternative. But going into details would become off-topic.

 

[mro]

nano /etc/group :

wheel:*:0:root,marietto

[marietto@marietto /mnt/zroot2/zroot2]==> id marietto
uid=1001(marietto) gid=1001(marietto) groups=1001(marietto),0(wheel),5(operator),44(video)

looking into /etc/group is telling you nothing about your current session. Don't do that.

 

[ZioMario]

check that your session really has group wheel...

How ?

 

[NapoleonWils0n]

id

 

[ZioMario]

[marietto@marietto /mnt/zroot2/zroot2]==> id                             
uid=1001(marietto) gid=1001(marietto) groups=1001(marietto),0(wheel),5(operator),44(video)

 

[mro]

there's a code snippet in https://forums.freebsd.org/threads/...when-sudo-command-is-issued.93474/post-655323. That's why.

 

[mro]

you are calling /sbin/zpool with arguments. You may have to declare them in the sudoers file. I remember vaguely having trouble setting that up for https://codeberg.org/mro/internet-r...d4ea529/etc/sudoers.d/internet-radio-recorder

 

[ZioMario]

like this ?

nano /usr/local/etc/sudoers :

marietto ALL=(ALL:ALL) NOPASSWD: /sbin/zpool import -f -R /mnt/zroot2 zroot2

nope,it does not work.

this also does not work :

marietto ALL=(ALL:ALL) NOPASSWD: ALL

 

[elgrande]

The sudoers file should not be edited directly.
visudo() is you friend .

 

[NapoleonWils0n]

much easier with doas

/usr/local/etc/doas.conf

permit nopass :marietto cmd zpool args import -f -R /mnt/zroot2 zroot2

command

doas zpool import -f -R /mnt/zroot2 zroot2

 

[SirDice]

I don't see why you would have a problem with sudoers, there are even two entries by default, all you have to do is remove the #.

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

 

[ZioMario]

I don't know why it does not work. Should I remove the # from this ?

%wheel ALL=(ALL:ALL) NOPASSWD: ALL

but this is not what I want,anyway. I don't want to skip the password for ALL commands,but only for the command zpool import and so on.

 

[oOiOo]

Try

marietto ALL=NOPASSWD: /sbin/zpool import *

 

[ZioMario]

NapoleonWils0n : let's say that I want to run the command below as normal user using doas :

qemu-system-x86_64-debian_fs -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk2,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &

This is what I have written inside the doas.conf config file :

sudo mousepad /usr/local/etc/doas.conf

permit nopass :marietto cmd qemu-system-x86_64-debian_fs args -machine q35 -cpu kvm64,hv_relaxed,hv_time,hv_synic -m 1G -vga std -drive file=Debian-fs.img,format=raw -drive file=/dev/$vmdisk2,format=raw -drive file=/dev/$vmdisk5,format=raw -rtc base=localtime -device usb-ehci,id=usb,bus=pcie.0,addr=0x3 -device usb-tablet -device usb-kbd -smbios type=2 -nodefaults -netdev tap,id=mynet0,ifname=tap19,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 -device ich9-ahci,id=sata -drive if=pflash,format=raw,readonly=on,file=/usr/local/share/edk2-qemu/QEMU_UEFI_CODE-x86_64.fd -drive if=pflash,format=raw,file=/usr/local/share/edk2-qemu/QEMU_UEFI_VARS-x86_64.fd -nographic -serial none -monitor none &

but it does not work. The command is not executed without password. What's wrong ?

 

[NapoleonWils0n]

HI Mate, i notice you have some variables $vmdisk2 $vmdisk5 in the doas.conf

my guess is that because the variables arent defined in the doas.conf it fails
you cant define variables in the doas.conf to the best of my knowledge

its not like a shell script

what happens if you dont use variables and hardcode the paths to the drives
but i guess you dont want to do that

see if this works without the args

permit nopass :marietto cmd qemu-system-x86_64-debian_fs

i also have the following at the bottom of my doas.conf
the order of the rules matters

# root as root
permit nopass keepenv root as root

 

[mro]

at first glance I wouldn't consider the ampersand part of the command.