#1 2016-10-19 12:20:45

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,412

[SOLVED] sudo and NOPASSWD/targetpw

I'm using Defaults targetpw in sudoers(5) so that I don't need to use my root/administrative password for everyday things like unlocking my screen. However, there are also a few commands that I'd like to run without a password prompt; in the usual case, I'd do something like this:

%power ALL=(ALL) NOPASSWD: /usr/bin/systemctl poweroff, /usr/bin/systemctl suspend, /usr/bin/systemctl hibernate, /usr/bin/systemctl reboot

With the line above, the root password is still queried even when my user is in the power group. The same happens when I replace %power by %root.

I'm not sure what to make of the manual, which says:

By default, sudo requires that a user authenticate him or herself before running a command.

seemingly contradictory to targetpw:

If set, sudo will prompt for the password of the user specified by the -u option (defaults to root) instead of the password of the invoking user when running a command or editing a file.

Is there some option I'm missing or is this expected when using targetpw?

Last edited by Alad (2016-10-19 12:52:20)


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby

#2 2016-10-19 12:47:05

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: [SOLVED] sudo and NOPASSWD/targetpw

sudo in arch wiki wrote:

Users can configure sudo to ask for the root password instead of the user password by adding targetpw (target user, defaults to root) or rootpw to the Defaults line in /etc/sudoers:

Alad, I think you may be misinterpreting the Defaults targetpw option.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

#3 2016-10-19 12:47:17

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: [SOLVED] sudo and NOPASSWD/targetpw

Warning - I'm not an expert by any means here.

I've never really understood the benefit of targetpw.  Nearly always you'll be using sudo to gain root privileges so why would you want to give out the root password to do so?

What I do know is that the sudoers file is read in full and the last match is invoked, so do check the order of the statements.

I think you can easily test this with a couple of files in /etc/sudoers.d (assuming your user is also in the users group)

testfile1

%power ALL=(ALL) ALL
%users ALL=(ALL) NOPASSWD: ALL

testfile2

%power ALL=(ALL) NOPASSWD: ALL
%users ALL=(ALL) ALL

With the first you shouldn't be prompted for a password; with the second, you should (because the %users line will trump the %power one).

#4 2016-10-19 12:54:36

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,412

Re: [SOLVED] sudo and NOPASSWD/targetpw

oliver wrote:

I've never really understood the benefit of targetpw.  Nearly always you'll be using sudo to gain root privileges so why would you want to give out the root password to do so?

Well, my use case is one user (me) using a single laptop. Unlocking the screen or logging in is something I do more regularly than doing administrative duties, also while in the presence of others, so having a separate password should be useful against shoulder surfing et al.

What I do know is that the sudoers file is read in full and the last match is invoked, so do check the order of the statements.

Nice catch. I use the sudo group for the ALL line, which was put below the %power line. Moving it solved my issue. Thanks!

Last edited by Alad (2016-10-19 12:54:59)


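The last-match behaviour that resolved this thread, as an added example (not code from any poster, and not sudo's own parser): a simplified Python model that understands only lines of the form `%group HOST=(RUNAS) [NOPASSWD:] cmd, ...`. Both sudoers samples are constructed, and the exact `%sudo ALL=(ALL) ALL` line is an assumption based on post #4.

```python
import re

# Simplified model: "%group HOST=(RUNAS) [TAG:] cmd[, cmd...]" lines only.
RULE = re.compile(r"^%(?P<group>\S+)\s+\S+\s*=\s*\([^)]*\)\s*(?P<cmds>.+)$")

def parse(sudoers_text):
    """Return [(group, command, nopasswd)] in file order."""
    rules = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # Defaults lines, comments, blanks
        nopasswd = False  # a tag carries over to later commands on the same line
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            for tag, value in (("NOPASSWD:", True), ("PASSWD:", False)):
                if spec.startswith(tag):
                    nopasswd, spec = value, spec[len(tag):].strip()
            rules.append((m.group("group"), spec, nopasswd))
    return rules

def needs_password(sudoers_text, groups, command):
    """None if nothing matches; otherwise the verdict of the LAST matching rule."""
    verdict = None
    for group, spec, nopasswd in parse(sudoers_text):
        if group in groups and spec in ("ALL", command):
            verdict = not nopasswd  # later matches overwrite earlier ones
    return verdict

# Constructed sample: catch-all line below the NOPASSWD line (the order that prompted).
BROKEN = """
Defaults targetpw
%power ALL=(ALL) NOPASSWD: /usr/bin/systemctl poweroff, /usr/bin/systemctl suspend
%sudo ALL=(ALL) ALL
"""

# Constructed sample: catch-all line moved above the NOPASSWD line.
FIXED = """
Defaults targetpw
%sudo ALL=(ALL) ALL
%power ALL=(ALL) NOPASSWD: /usr/bin/systemctl poweroff, /usr/bin/systemctl suspend
"""

if __name__ == "__main__":
    me = {"power", "sudo"}
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, needs_password(text, me, "/usr/bin/systemctl poweroff"))
```

The same ordering applies across files in /etc/sudoers.d, so a broad `ALL` rule that is read after a narrower NOPASSWD rule restores the prompt for every command the narrow rule listed.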
