I would like to set a specific command to not require sudo privileges, is there a way to accomplish this? I know you can add commands to the sudoer file to allow certain commands to be used by non root accounts, so maybe there is something similar for adding commands to allow regular users to use?
What do you mean by “not require sudo privileges”?
Do you mean not require root permissions? that depends on what are you trying to do. You’ll need to make changes in your system to allow normal users to have permissions for it, and in many cases that’s not possible (or very safe).
If what you mean is that you don’t want to need to type"sudo" every time, but still be able to have the commands run with root permissions, then there’s multiple ways to do this:
-
Add an alias such as
alias command='sudo command'. If you don’t want to type the password, you can change the sudores file so that your user doesn’t need to enter a password when running sudo for that command (someone else in the comments already explained how to do that, using an entry withNOPASSWD: /usr/bin/commandin the sudoers config). -
alternatively: set the SUID bit of the executable you want to run, so that every time the file is executed (by anyone) it will always execute as the user who owns the file (so if the owner is root, the file will always be executed as root)… this is not something I’d recommend though, since it can lead to security vulnerabilities.
since it can lead to security vulnerabilities.
Most software isn’t written to be hardened for that kind of invocation.
Also, IIRC you can also do the same thing with the sgid bit.
goes to check
Yeah.
$ mkdir test $ cd test $ cp /bin/id ./ $ ls -ln id -rwxr-xr-x 1 1000 1000 48144 Jun 6 10:56 id $ ./id -g 1000 $ sudo chgrp 1001 id $ sudo chmod g+s id $ ./id -g 1001 $ ./id -gr 1000 $True, SGID would affect the group it runs as, while SUID affects the user.
You could set up things so that a group has permissions to do what you want, instead of the root user. But then this also depends on the usecase, I’m not sure if having root group permissions would be enough in all cases.
Thank you both
-
You can change the permission of the files that are used to execute, and you can change permission of the files that are being touched.
But probably the easiest solution would be to create an alias to the command that uses sudo transparent to the user, while also adding the permission to sudo without password in the sudoers file.
You can do that in the sudoers file. I don’t know how exactly, but that won’t be too hard to search for.
Thank you
So, you mean that you want specific users who don’t have “sudo” in their list of supplemental groups in /etc/group to also be able to invoke specific commands with
sudo, but not arbitrary ones? Sure, you can do that.The line in /etc/sudoers in Debian that lets members of group “sudo” run arbitrary commands with “sudo” is this:
# Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALLBut you can have individual users in there too. Here’s an example of setting a specific user to being able to run the
whoamicommand andaptcommand as root, without requiring a password to do so:https://www.baeldung.com/linux/sudo-privileges-user
baeldung ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/whoamiIf you’re gonna modify /etc/sudoers, though, use
visudoto do so:$ sudo visudoWell my other comement saying this is exactly what i need did not get posted as a reply to your comment, my mistake. I followed rhe example for “/usr/bin/wg/” intending to be able to use
wg showbut it still requires sudo. I tried rebooting and nothing changed, any ideas? I did
type -a wgto get the command location for the sudoer file.
Well my other comement saying this is exactly what i need did not get posted as a reply to your comment, my mistake.
What the line I listed will do will let a specific user have permission to use sudo without a password to run
wgas root without a password. So they (and not other users) can type:$ sudo wgAnd the command will run as the root user, without them being prompted to enter a password.
It doesn’t mean that when that user runs:
$ wgIn their shell, what will actually run is:
$ sudo wgIf you also want to avoid typing the extra characters, you can set up an alias in your shell.
I don’t know what shell you’re using, but most Linux systems use
bashas a default:$ ps PID TTY TIME CMD 1413558 pts/3 00:00:00 bash 1413640 pts/3 00:00:00 ps $If you’re using bash, you can tell your current bash shell invocation to do that with the
aliascommand:$ wg Unable to access interface wg0: Operation not permitted $ alias wg='sudo wg' $ wg interface: wg0...If you want that command run in every bash shell you invoke, you can do so by editing
~/.bashrcand adding the line:alias wg='sudo wg'Awesome now I understand what you and the other commenter were talking about with aliasing. Well this works perfect without the alias, many thanks
This does seem to be exactly what i am looking for. I implemented this and tested it and the command still isn’t working yet but i will keep troubleshooting, its probably a silly quirk on my end. Thank you very much!
