Sudon’t
How do you get your computer to make you a sandwich? Sudo!
Let’s say you have a special high-privilege user account that you allow to run a few commands without passwords.
Example
Your devops deployment job requires sudo whoami. Your sudo configuration is:
deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami
Let’s give it a try
$ sudo /usr/bin/whoami [sudo] password for deployer:
That’s a problem. You don’t want a password prompt here!
Sudo, Y U No?
Do not despair! Sudo includes a command line option to tell you your privileges.
$ sudo -l
Matching Defaults entries for deployer on ubuntu-bionic:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User deployer may run the following commands on ubuntu-bionic:
(ALL) NOPASSWD: /usr/bin/whoami
(ALL) /usr/bin/whoamiSpecifically look at those two /usr/bin/whoami entries. The bottom one wins! That means sudo thinks that deployer should give it a password. Thanks, sudo!
Where are the configurations for those two entries?
# grep -r deployer /etc/sudoers* /etc/sudoers.d/00deployer:deployer ALL=(ALL) NOPASSWD: /usr/bin/whoami /etc/sudoers.d/deployer:deployer ALL=(ALL) /usr/bin/whoami
We have found the problem: two overlapping sudoers files.
I’ll Fix It
You can either remove the redundant deployer file, or re-order both files. Sudo is reading them in “lexical” order, so 00deployer comes before deployer. Counter-intuitively, that means deployer wins!
I have removed the second file with rm /etc/sudoers.d/deployer, and I am trying again.
$ sudo /usr/bin/whoami root
Success!