Sudon’t

How do you get your computer to make you a sandwich? Sudo!

Let’s say you have a special high-privilege user account that you allow to run a few commands without passwords.

Example

Your devops deployment job requires sudo whoami. Your sudo configuration is:

deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami

Let’s give it a try

$ sudo /usr/bin/whoami
[sudo] password for deployer:

That’s a problem. You don’t want a password prompt here!

Y U No meme guy

Sudo, Y U No?

Do not despair! Sudo includes a command line option to tell you your privileges.

$ sudo -l
Matching Defaults entries for deployer on ubuntu-bionic:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User deployer may run the following commands on ubuntu-bionic:
    (ALL) NOPASSWD: /usr/bin/whoami
    (ALL) /usr/bin/whoami

Specifically look at those two /usr/bin/whoami entries. The bottom one wins! That means sudo thinks that deployer should give it a password. Thanks, sudo!

Where are the configurations for those two entries?

# grep -r deployer /etc/sudoers*
/etc/sudoers.d/00deployer:deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami
/etc/sudoers.d/deployer:deployer ALL=(ALL) /usr/bin/whoami

We have found the problem: two overlapping sudoers files.

I’ll Fix It

You can either remove the redundant deployer file, or re-order both files. Sudo is reading them in “lexical” order, so 00deployer comes before deployer. Counter-intuitively, that means deployer wins!

I have removed the second file with rm /etc/sudoers.d/deployer, and I am trying again.

$ sudo /usr/bin/whoami
root

Success!