Years ago I made an undocumented change on my system wherein for my current user only, the sudo command doesn’t require a password. When something like kate needs root it still requires a password, but for commandline specifically it is skipped. I’d like to undo this change.
I’ve checked visudo and nothing seems out of place, my username isn’t anywhere and NOPASSWD is commented out. It has the line root ALL=(ALL:ALL) ALL. In /etc/sudoers.d/ is only 10-installer with %wheel ALL=(ALL) ALL.
What did I do and how can I undo it without just making a new user? I vaguely think it might have had something to do with /etc/passwd, but looking in there I can’t see what might have caused it.
Thanks.
That sounds weird. Lets be sure.
What does the command
sudo ls /root
say?
What is the output of
grep NOPASSWD /etc/sudoers /etc/sudoers.d/*
[root@pigeon laura]# grep NOPASSWD /etc/sudoers /etc/sudoers.d/*
/etc/sudoers:# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
[root@pigeon laura]# sudo ls /root
Desktop Documents Downloads Music Pictures Public Templates Videos
You should excecute this comand as your normal user, not user ‘root’.
What is the out put of the ‘id’ command as normal user?
Probably you need to simply comment out the %wheel line in /etc/sudoers.
The hashtag is a comment here right?
~ ❯❯❯ sudo ls /root
Desktop Documents Downloads Music Pictures Public Templates Videos
~ ❯❯❯ id
uid=1000(laura) gid=1000(laura) groups=1000(laura),3(sys),982(rfkill),998(wheel)
1 Like
I do not get it.
Your sudo has no NOPASSWD anywhere. And I dont see any wrong group memberships with the id command.
The command
sudo ls /root
should have asked your user laura for a password. Weird.
In some installations there’s also a subdir /etc/sudoers.d to check.
I remember back when I accidentally reset /etc/passwd the behaviour went back to normal. Could it be something from here?
~ ❯❯❯ cat /etc/passwd | sed "s/\(\:.*\)//"
root
bin
daemon
mail
ftp
http
nobody
dbus
systemd-coredump
systemd-network
systemd-oom
systemd-journal-remote
systemd-journal-upload
systemd-resolve
systemd-timesync
tss
uuidd
avahi
named
dnsmasq
fwupd
git
nm-openconnect
nm-openvpn
ntp
openvpn
polkitd
rpc
rpcuser
rtkit
sddm
usbmux
laura
_talkd
passim
geoclue
nvidia-persistenced
dhcpcd
libvirt-qemu
qemu
saned
alpm
tor
invidious
Is it working now like you wanted?
Does not ask if sudo was already used within the time limit in this terminal session. But when a new terminal session is started, it should ask password for sudo.
Oh I mean to say that via the grep, the line is already commented because of the hashtag.
It doesn’t ask me for password even on a new konsole instance.
Did you reboot after the commenting out?
Via this output, the line with NOPASSWD already started with a hashtag, so there was nothing to change.
Sorry, I must have something in my eyes…
Is there a set of non-essential things I can temporarily remove from my /etc/passwd to see if terminal sudo begins requiring password again?
Check the output of sudo -l, and share in the thread if there are no sensitive details.
That’s an interesting clue. Perhaps your user belongs to a group which provides this privilege.
Do you have any custom rules in /etc/polkit-1/rules.d/, or any other polkit directories? Have you made any changes to /etc/pam.d/sudo or /etc/pam.d/system-auth?
1 Like
~ ❯❯❯ sudo -l
Matching Defaults entries for laura on pigeon:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin
Runas and Command-specific defaults for laura:
Defaults!/usr/bin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
User laura may run the following commands on pigeon:
(ALL) ALL
Nothing in /etc/polkit-1/rules.d/ or else in /etc/polkit-1/.
~ ❯❯❯ cat /etc/pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
~ ❯❯❯ cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
create a file in /etc/sudoers.d/
# file 100-laura
laura ALL=(ALL) NOPASSWD:ALL
Still have to use sudo, but no password - is this what you want?
I want the opposite-- this is the effect I have and I can’t figure out how to reverse it.
Well instead of NOPASSWD, you could create a file with a definition of PASSWD for your userid, though sudo doesn’t just make up the configuration (even for root), so you are defined as NOPASSWD somewhere in your world and it will depend on which is parsed first whether you can override it.