Using sudo Without a Password in Linux

sudo apt update sudo systemctl restart nginx sudo reboot

If you're a Linux user, you probably find yourself using sudo frequently. But typing your password every single time can quickly become a nuisance.

When that annoyance reaches its peak, you'll eventually decide to configure sudo to stop asking for your password. If you've found this article, you're likely feeling the same way I did.

In this post, I'll outline how to eliminate the need for sudo password entry.

Linux Security with Tux and Key

Where is the sudo Configuration? And How to Modify It?

The primary configuration file for sudo is located here:

/etc/sudoers

Incorrect sudo configurations can be quite problematic. If you make a mistake, sudo itself might become unusable, making recovery a hassle. That's why we use the dedicated command visudo.

sudo visudo

visudo performs a syntax check when you save and immediately notifies you of any errors. Even the official manual strongly recommends using visudo.

But Let's Not Directly Edit /etc/sudoers

If you type sudo visudo, /etc/sudoers will open directly, allowing immediate modification.

However, it's generally not a good practice to open and edit the /etc/sudoers file directly.

I usually prefer to leave the main configuration file untouched and create new files within the /etc/sudoers.d/ directory instead.

This makes it easier to find what changes I've made later and simplifies reverting them.

sudo is designed to include additional configurations from files stored in the directory below.

You'll actually see include /etc/sudoers.d/ at the very end of the /etc/sudoers file.

sudo visudo -f /etc/sudoers.d/no-password-common-commands

You can choose any filename that makes it easy to identify later.

Just don't name it too carelessly; you'll regret it when you look at it later.

Oh, and as a side note, filenames containing ~ and . are ignored by sudoers. This information is typically found in a comment within the README file in the directory.

Let's Understand the Configuration Format

The sudoers configuration generally follows this format:

It's truly... a syntax that's hard to memorize. Just write it down somewhere or bookmark this blog page.

You don't use it often, but when you do, you'll probably forget it.

username HOST=(RUNAS_USER) OPTIONS: COMMAND

For example, if your username is potter and you want to run apt update without a password, you can write it like this:

potter ALL=(ALL) NOPASSWD: /usr/bin/apt

Breaking down each part:

  • potter: The username to which the setting applies.
  • ALL: Applies to all hosts.
  • (ALL): Specifies which user's permissions can be used to execute the command. I've sometimes seen people use (root). I stick with ALL.
  • NOPASSWD: Do not prompt for a password.
  • /usr/bin/apt: The "absolute path" of the command to be allowed.

If you're unsure about the command's path, you can check it with which.

~$which apt
/usr/bin/apt

~$which apt-get
/usr/bin/apt-get

~$which reboot
/usr/sbin/reboot

~$which systemctl
/usr/bin/systemctl

The Temptation to Open Everything with ALL

Here comes a very strong temptation:

potter ALL=(ALL) NOPASSWD: ALL

It's incredibly clean. All sudo commands run without a password. It's convenient, perhaps too convenient.

While it's ultimately your choice, I believe it's better to resist this temptation. I dread imagining a scenario where a single mistyped command immediately executes with root privileges.

If a script goes awry, there's no final safeguard of a password prompt. If someone accesses your open terminal, it's game over. There are many strange people in the world...

The choice is yours.

Allowing Only Frequently Used Commands Without a Password

I compromise by "only unlocking what I use frequently." This approach works quite well.

For instance, let's say you only want to use apt, apt-get, reboot, and systemctl without a password.

First, open the configuration file:

sudo visudo -f /etc/sudoers.d/no-password-common-commands

Then, add the following:

potter ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/sbin/reboot, /usr/bin/systemctl

Now, potter can execute the following commands without a password:

sudo apt update
sudo apt -y upgrade
sudo apt-get update
sudo reboot
sudo systemctl reload nginx

If allowing all systemctl commands feels too broad, you can permit specific commands only:

potter ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload nginx, /usr/bin/systemctl status nginx

Using Multiple Lines for Better Readability

When you have many commands, a single line can become messy. In such cases, you can break lines using \.

This is a common and familiar line break for Linux users, yet for some reason, when it comes to actually using it, people often forget \.

However, using it definitely improves readability.

potter ALL=(ALL) NOPASSWD: \
    /usr/bin/apt, \
    /usr/bin/apt-get, \
    /usr/sbin/reboot, \
    /usr/bin/systemctl

This looks much cleaner and more organized.

Applying to a Specific Group

This configuration is also quite useful. On servers managed by multiple people, using group-based permissions can be more convenient.

If you want to apply settings only to a specific group, use the %groupname format.

For example, for the admin group, it would look like this:

%admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/apt, /usr/bin/apt-get

Extending the Password Prompt Timeout

If completely removing the password feels uneasy, there's another option: adjusting the password re-prompt time.

By default, after entering your password once, sudo won't ask for it again for about 10 or 15 minutes. You can modify this duration.

This is done using the timestamp_timeout setting.

For example, setting it like this will prevent sudo from asking for a password for 60 minutes:

Defaults timestamp_timeout=60

The unit is "minutes," but setting it to '0' will result in the nightmare of always having to enter your password.

Setting it to '-1' means sudo won't ask for the password again until you close the terminal. This offers a powerful level of convenience, almost on par with ALL, but it might still leave you feeling a bit uneasy.

Of course, these settings — allowing commands without a password and extending the timeout — can coexist.

For instance, you can combine them like this:

Defaults timestamp_timeout=30

potter ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/sbin/reboot

This configuration allows frequently used commands without a password, while other sudo commands only require authentication once every 30 minutes.

I believe this strikes a good balance between convenience and security.

It's great to reduce annoyance, but I wouldn't want to increase insecurity as a trade-off.

Conclusion

Eliminating sudo password prompts isn't difficult.

While the explanation above was lengthy, here's a brief summary:

  1. Create a separate configuration file under /etc/sudoers.d/ using visudo.
sudo visudo -f /etc/sudoers.d/no-password-common-commands
  1. Add the NOPASSWD rule.
Defaults timestamp_timeout=30

potter ALL=(ALL) NOPASSWD: \
    /usr/bin/apt, \
    /usr/bin/apt-get, \
    /usr/sbin/reboot

How much password access you open up is a personal judgment, but I hope you remember this:

True convenience is achieved when both the comfort of your fingers and the peace of your mind are simultaneously satisfied.