- 01-16-2009 #1, Linux Newbie (Join Date: May 2007; Posts: 106)
[SOLVED] nopasswd in /etc/sudoers
I want to run the command nmap from within a shell script driven by cron. Nmap requires root privileges which means my non-root user account normally requires sudo to run it. In this case the command is running inside a script and therefore it is not possible to supply the required password. I've modified the file /etc/sudoers in an attempt to address this issue. Here's what I've done:
$ sudo visudo -f /etc/sudoers
then I modified the contents of the file as follows:
...
# User privilege specification
root ALL = (ALL) ALL
charlie ALL = (ALL) ALL
charlie ALL = (root) NOPASSWD: /usr/bin/nmap
Then I saved and quit the file. At this point I expected to be able to run the command nmap without being prompted for a password, but that did not happen. It seems to have had no effect.
What am I missing?
- 01-17-2009 #2, Linux User (Join Date: Jan 2007; Location: cleveland; Posts: 468)
run as root: why not?
the sun is new every day (heraclitus)
- 01-18-2009 #3, Linux Newbie (Join Date: May 2007; Posts: 106)
- 01-18-2009 #4, Just Joined! (Join Date: Jan 2009; Location: Kansas City; Posts: 3)
I am just starting to get a grasp of shell scripting, so my advice, while it may be valid, may not be the best information.
In the script you would first run the command whoami and toss it in an if then statement. If whoami = root then execute command, else run command sudo -s, or su root.
Now the downside to this is that it will probably ask for authentication and you could put the password in your script but it will be stored there in plain text.
The other way to do it, is just have it owned by root:wheel, toss it in your $PATH, make it executable, then have cron run it as an automated task.
- 01-19-2009 #5, Linux Newbie (Join Date: May 2007; Posts: 106)
Thanks for the response, but running it as root is not an option for security reasons (as I stated above). I will always be running this via cron as a local user account. The problem is configuring /etc/sudoers so that the command does not request a password (because a password request is interactive and shell scripts are not, of course).
- 01-20-2009 #6, Just Joined! (Join Date: Jan 2009; Location: Kansas City; Posts: 3)
If you make it a launch agent owned by root it should not need sudo in front of it. When I write shell scripts at work I run them as root, though I am doing this on Unix and OS X servers/boxes and not Linux ones.
There has to be a way to make it a root level daemon and then have it execute at interval and output a log file. Another option would be to make it interactive but that defeats the purpose of having it automated.
Oh, wait, so you don't want it running as root, but you just want it to run with no authentication. Editing the /etc/sudoers will work, but I haven't personally done that before.
You may have to use UID or something besides the short name in the file. Once in terminal do a sudo nano /etc/sudoers
Add in this line:
Code:
your_short_name ALL=(ALL) NOPASSWD: ALL
You may need to google if my syntax is right because I haven't really done this before. Back up the file too before you edit it.
- 01-20-2009 #7, Linux Newbie (Join Date: May 2007; Posts: 106)
- 01-20-2009 #8, Linux Newbie (Join Date: May 2007; Posts: 106)
A friend of mine gave me the answer:
The syntax I posted in the initial comment was correct. The problem was the order of the statements. Specifically, all user-related statements such as:
#User privilege specification
root ALL = (ALL) ALL
charlie hostname = /usr/bin/nmap
must be AFTER the line that looks like this:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
This is the specific solution for my problem. The key here is that order is important. You can get very granular with this file so the man page is important. A good rule of thumb might be that "user specific stuff should go at the bottom". This is just a rule of thumb, it won't solve every problem, but it's a good start for my issue.
Thanks for all the suggestions!
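Why the ordering resolved in this thread matters, as an added example that is not part of the original posts: sudoers applies the last matching entry, so a `%admin` line placed after a user's NOPASSWD entry wins for any user in that group. The sketch models only that rule; it assumes charlie is a member of admin, ignores the host and run-as fields, and its function names are made up for illustration.

```python
def parse_rule(line):
    """Parse 'who host = [(runas)] [NOPASSWD:] cmd[, cmd]' (simplified subset)."""
    left, spec = line.split("=", 1)
    who = left.split()[0]
    spec = spec.strip()
    if spec.startswith("("):                  # run-as list is skipped, not evaluated
        spec = spec.split(")", 1)[1].strip()
    nopasswd = spec.startswith("NOPASSWD:")
    if nopasswd:
        spec = spec[len("NOPASSWD:"):]
    return who, nopasswd, [c.strip() for c in spec.split(",")]


def needs_password(sudoers_text, user, groups, command):
    """True/False taken from the LAST matching rule; None if no rule matches."""
    result = None
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        who, nopasswd, commands = parse_rule(line)
        who_ok = who == user or (who.startswith("%") and who[1:] in groups)
        if who_ok and ("ALL" in commands or command in commands):
            result = not nopasswd             # a later match overrides an earlier one
    return result


# Constructed sample files modelled on the entries quoted in the thread.
BEFORE = """\
# User privilege specification
root ALL = (ALL) ALL
charlie ALL = (ALL) ALL
charlie ALL = (root) NOPASSWD: /usr/bin/nmap
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
"""
AFTER = """\
# User privilege specification
root ALL = (ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
charlie ALL = (root) NOPASSWD: /usr/bin/nmap
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        asks = needs_password(text, "charlie", {"admin"}, "/usr/bin/nmap")
        print(f"{name}: password prompt for nmap = {asks}")
```

On a real system, `sudo visudo -c` checks the file's syntax and `sudo -l` run as the user lists the entries that apply and whether each one carries NOPASSWD.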




