No password requirement for sudo for specific user

Years ago I made an undocumented change on my system wherein for my current user only, the sudo command doesn’t require a password. When something like kate needs root it still requires a password, but for commandline specifically it is skipped. I’d like to undo this change.
I’ve checked visudo and nothing seems out of place, my username isn’t anywhere and NOPASSWD is commented out. It has the line root ALL=(ALL:ALL) ALL. In /etc/sudoers.d/ is only 10-installer with %wheel ALL=(ALL) ALL.
What did I do and how can I undo it without just making a new user? I vaguely think it might have had something to do with /etc/passwd, but looking in there I can’t see what might have caused it.
Thanks.

That sounds weird. Lets be sure.
What does the command

sudo ls /root

say?

What is the output of

grep NOPASSWD /etc/sudoers /etc/sudoers.d/*

[root@pigeon laura]# grep NOPASSWD /etc/sudoers /etc/sudoers.d/*
/etc/sudoers:# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
[root@pigeon laura]# sudo ls /root
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos

You should excecute this comand as your normal user, not user ‘root’.

What is the out put of the ‘id’ command as normal user?

Probably you need to simply comment out the %wheel line in /etc/sudoers.


The hashtag is a comment here right?

~ ❯❯❯ sudo ls /root
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
~ ❯❯❯ id
uid=1000(laura) gid=1000(laura) groups=1000(laura),3(sys),982(rfkill),998(wheel)
1 Like

I do not get it.

Your sudo has no NOPASSWD anywhere. And I dont see any wrong group memberships with the id command.

The command

sudo ls /root

should have asked your user laura for a password. Weird.

In some installations there’s also a subdir /etc/sudoers.d to check.

I remember back when I accidentally reset /etc/passwd the behaviour went back to normal. Could it be something from here?

~ ❯❯❯ cat /etc/passwd | sed "s/\(\:.*\)//"
root
bin
daemon
mail
ftp
http
nobody
dbus
systemd-coredump
systemd-network
systemd-oom
systemd-journal-remote
systemd-journal-upload
systemd-resolve
systemd-timesync
tss
uuidd
avahi
named
dnsmasq
fwupd
git
nm-openconnect
nm-openvpn
ntp
openvpn
polkitd
rpc
rpcuser
rtkit
sddm
usbmux
laura
_talkd
passim
geoclue
nvidia-persistenced
dhcpcd
libvirt-qemu
qemu
saned
alpm
tor
invidious

Is it working now like you wanted?

Does not ask if sudo was already used within the time limit in this terminal session. But when a new terminal session is started, it should ask password for sudo.

Oh I mean to say that via the grep, the line is already commented because of the hashtag.

It doesn’t ask me for password even on a new konsole instance.

Did you reboot after the commenting out?

Via this output, the line with NOPASSWD already started with a hashtag, so there was nothing to change.

Sorry, I must have something in my eyes…

Is there a set of non-essential things I can temporarily remove from my /etc/passwd to see if terminal sudo begins requiring password again?

Check the output of sudo -l, and share in the thread if there are no sensitive details.

That’s an interesting clue. Perhaps your user belongs to a group which provides this privilege.

Do you have any custom rules in /etc/polkit-1/rules.d/, or any other polkit directories? Have you made any changes to /etc/pam.d/sudo or /etc/pam.d/system-auth?

1 Like
~ ❯❯❯ sudo -l
Matching Defaults entries for laura on pigeon:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin

Runas and Command-specific defaults for laura:
    Defaults!/usr/bin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User laura may run the following commands on pigeon:
    (ALL) ALL

Nothing in /etc/polkit-1/rules.d/ or else in /etc/polkit-1/.

~ ❯❯❯ cat /etc/pam.d/sudo
#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth
~ ❯❯❯ cat /etc/pam.d/system-auth 
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

create a file in /etc/sudoers.d/

# file 100-laura
laura ALL=(ALL) NOPASSWD:ALL

Still have to use sudo, but no password - is this what you want?

I want the opposite-- this is the effect I have and I can’t figure out how to reverse it.

Well instead of NOPASSWD, you could create a file with a definition of PASSWD for your userid, though sudo doesn’t just make up the configuration (even for root), so you are defined as NOPASSWD somewhere in your world and it will depend on which is parsed first whether you can override it.