4

I want to implement a script to execute any command with root privileges, but without having to put any password. At the terminal I would like to see it like this:

./newsudo "comand with root privileges"

I think, the way to go would be to use the "comand with root privileges" as an argument inside the script with and exec or similar, to execute it.

The truth is, I'm very noob in all this area and I don't know where to start.

Thanks!!

muru
  • 197,895
  • 55
  • 485
  • 740
Binkpang34
  • 41
  • 1
  • 2
    Add the LIMITED list of commands you want to be able to run without passwords in the sudoers file: https://askubuntu.com/questions/159007/how-do-i-run-specific-sudo-commands-without-a-password – BlueCacti Oct 12 '16 at 15:32
  • 4
    Why would you want to have a different sudo? If you really don't care about security, just look up how to use sudo without a password. – TheWanderer Oct 12 '16 at 16:59
  • "The truth is, I'm very noob in all this area and I don't know where to start. " Then why do you doubt the default security settings of Ubuntu? If you want a root user install an operating system that uses root. – Rinzwind Oct 12 '16 at 18:15

2 Answers2

14

Create a generic command to run any (sub-) command as sudo, without password; is it possible?

Theoretically, what you ask is possible. Since it is possible to set an application in the sudoers file to run with arguments, we can make a command (script) to call, that runs with sudo, with the command in question as argument.

Should we do it?

NEVER, since it will break the principle of being an administrator. ANY malicious process could run code to destroy your system.

The bottom line is that I even won't post how to do that.

More do's and don'ts on running software without password

As mentioned by @Groundzero, you can add specific applications or scripts to the sudoers file, to run without password, as described here. However, keep in mind:

  • Do not add applications to the sudoers file which can be used to harm your system or do harmfull things in general. Especially if the application has extensive cli- options.
  • Do not store scripts to run with sudo (without password) in a location where they can be edited without administrator's privileges. A simple edit by anyone (or any process) can make it do anything.
Community
  • 1
Jacob Vlijm
  • 83,767
  • 2
    The first part of this is too meta to belong in an answer, consider omitting Is this question a duplicate? – cat Oct 12 '16 at 17:57
  • 1
    -1. "I even won't post how to do that." You've already made clear your position that this should never be done. Withholding the actual answer is not going to make this point any stronger. Good answers warn you against a certain action but then, in order to fill in the SE body of knowledge, still answer how to do such action. – Nacht Oct 12 '16 at 22:54
  • @cat removed the first section ^. If that was the reason for your downvote, please reconsider. – Jacob Vlijm Oct 13 '16 at 16:37
  • 1
    @JacobVlijm Well, I still agree with Nacht here -- information hiding doesn't mean OP or googlers won't do it, it just means they'll find the information elsewhere, so this answer is almost entirely junk with the single exception of that link, which is actually useful.

    It can be explained in a few words why one should take care in doing this, but I think that's all that's needed -- after all, people should research before they run commands and edit files they don't understand.

     – cat Oct 13 '16 at 18:16
3

Just make a sudo rule granting the commands in question to the desired user/group with NOPASSWD: in front of the command. You don't need a new script, just something like this to grant the ability to run anything as root to everyone in the admins group with no password required:

%admins ALL = NOPASSWD: ALL

In general, requiring passwords on extra dangerous commands is a good idea, but your security policy is yours. There was some (now deleted) discussion on how this is insecure, and I agree: it is dangerous. It's almost always a bad idea to say "this user can run anything as root without re-validating their identity occasionally."

There are other forums dedicated to security, though. If the legitimate goal is to run arbitrary commands as root with no password, the above is just about the safest way to do so. The caveat being that anyone implementing this needs to be aware of the risks, including "anyone who can run a command with this user's privileges is effectively root." That includes things like downloaded scripts and possibly even malicious web pages, if the browser has a security hole. The separation between "non-privileged user" and "root" is pretty much gone with a rule like this in place. Buyer beware. :)

dannysauer
  • 497