# Using sudo Without a Password in Linux `sudo apt update` `sudo systemctl restart nginx` `sudo reboot` If you're a [[Linux]] user, you probably find yourself using `sudo` frequently. But typing your password every single time can quickly become a nuisance. When that annoyance reaches its peak, you'll eventually decide to configure `sudo` to stop asking for your password. If you've found this article, you're likely feeling the same way I did. In this post, I'll outline how to eliminate the need for `sudo` password entry. ![Linux Security with Tux and Key](/media/whitedec/blog_img/vaBoSfdn.webp) ## Where is the sudo Configuration? And How to Modify It? The primary configuration file for `sudo` is located here: `/etc/sudoers` Incorrect `sudo` configurations can be quite problematic. If you make a mistake, `sudo` itself might become unusable, making recovery a hassle. That's why we use the dedicated command `visudo`. ```bash sudo visudo ``` `visudo` performs a syntax check when you save and immediately notifies you of any errors. Even the official manual strongly recommends using `visudo`. ## But Let's Not Directly Edit /etc/sudoers If you type `sudo visudo`, `/etc/sudoers` will open directly, allowing immediate modification. However, it's generally not a good practice to open and edit the `/etc/sudoers` file directly. I usually prefer to leave the main configuration file untouched and create new files within the `/etc/sudoers.d/` directory instead. This makes it easier to find what changes I've made later and simplifies reverting them. `sudo` is designed to include additional configurations from files stored in the directory below. You'll actually see `include /etc/sudoers.d/` at the very end of the `/etc/sudoers` file. ```bash sudo visudo -f /etc/sudoers.d/no-password-common-commands ``` You can choose any filename that makes it easy to identify later. Just don't name it too carelessly; you'll regret it when you look at it later. Oh, and as a side note, filenames containing `~` and `.` are ignored by `sudoers`. This information is typically found in a comment within the README file in the directory. ## Let's Understand the Configuration Format The `sudoers` configuration generally follows this format: It's truly... a syntax that's hard to memorize. Just write it down somewhere or bookmark this blog page. You don't use it often, but when you do, you'll probably forget it. ```bash username HOST=(RUNAS_USER) OPTIONS: COMMAND ``` For example, if your username is `potter` and you want to run `apt update` without a password, you can write it like this: ```bash potter ALL=(ALL) NOPASSWD: /usr/bin/apt ``` Breaking down each part: * `potter`: The username to which the setting applies. * `ALL`: Applies to all hosts. * `(ALL)`: Specifies which user's permissions can be used to execute the command. I've sometimes seen people use `(root)`. I stick with `ALL`. * `NOPASSWD`: Do not prompt for a password. * `/usr/bin/apt`: The "absolute path" of the command to be allowed. If you're unsure about the command's path, you can check it with `which`. ```bash ~$which apt /usr/bin/apt ~$which apt-get /usr/bin/apt-get ~$which reboot /usr/sbin/reboot ~$which systemctl /usr/bin/systemctl ``` ## The Temptation to Open Everything with ALL Here comes a very strong temptation: ```bash potter ALL=(ALL) NOPASSWD: ALL ``` It's incredibly clean. All `sudo` commands run without a password. It's convenient, perhaps too convenient. While it's ultimately your choice, I believe it's better to resist this temptation. I dread imagining a scenario where a single mistyped command immediately executes with root privileges. If a script goes awry, there's no final safeguard of a password prompt. If someone accesses your open terminal, it's game over. There are many strange people in the world... The choice is yours. ## Allowing Only Frequently Used Commands Without a Password I compromise by "only unlocking what I use frequently." This approach works quite well. For instance, let's say you only want to use `apt`, `apt-get`, `reboot`, and `systemctl` without a password. First, open the configuration file: ```bash sudo visudo -f /etc/sudoers.d/no-password-common-commands ``` Then, add the following: ```ini potter ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/sbin/reboot, /usr/bin/systemctl ``` Now, `potter` can execute the following commands without a password: ```bash sudo apt update sudo apt -y upgrade sudo apt-get update sudo reboot sudo systemctl reload nginx ``` If allowing all `systemctl` commands feels too broad, you can permit specific commands only: ```bash potter ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload nginx, /usr/bin/systemctl status nginx ``` ## Using Multiple Lines for Better Readability When you have many commands, a single line can become messy. In such cases, you can break lines using `\`. This is a common and familiar line break for Linux users, yet for some reason, when it comes to actually using it, people often forget `\`. However, using it definitely improves readability. ```bash potter ALL=(ALL) NOPASSWD: \ /usr/bin/apt, \ /usr/bin/apt-get, \ /usr/sbin/reboot, \ /usr/bin/systemctl ``` This looks much cleaner and more organized. ## Applying to a Specific Group This configuration is also quite useful. On servers managed by multiple people, using group-based permissions can be more convenient. If you want to apply settings only to a specific group, use the `%groupname` format. For example, for the `admin` group, it would look like this: ```bash %admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/apt, /usr/bin/apt-get ``` ## Extending the Password Prompt Timeout If completely removing the password feels uneasy, there's another option: adjusting the password re-prompt time. By default, after entering your password once, `sudo` won't ask for it again for about 10 or 15 minutes. You can modify this duration. This is done using the `timestamp_timeout` setting. For example, setting it like this will prevent `sudo` from asking for a password for 60 minutes: ```bash Defaults timestamp_timeout=60 ``` The unit is "minutes," but setting it to '0' will result in the nightmare of always having to enter your password. Setting it to '-1' means `sudo` won't ask for the password again until you close the terminal. This offers a powerful level of convenience, almost on par with `ALL`, but it might still leave you feeling a bit uneasy. Of course, these settings — allowing commands without a password and extending the timeout — can coexist. For instance, you can combine them like this: ```bash Defaults timestamp_timeout=30 potter ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/sbin/reboot ``` This configuration allows frequently used commands without a password, while other `sudo` commands only require authentication once every 30 minutes. I believe this strikes a good balance between convenience and security. It's great to reduce annoyance, but I wouldn't want to increase insecurity as a trade-off. ## Conclusion Eliminating `sudo` password prompts isn't difficult. While the explanation above was lengthy, here's a brief summary: 1. Create a separate configuration file under `/etc/sudoers.d/` using `visudo`. ```bash sudo visudo -f /etc/sudoers.d/no-password-common-commands ``` 2. Add the `NOPASSWD` rule. ```ini Defaults timestamp_timeout=30 potter ALL=(ALL) NOPASSWD: \ /usr/bin/apt, \ /usr/bin/apt-get, \ /usr/sbin/reboot ``` How much password access you open up is a personal judgment, but I hope you remember this: > True convenience is achieved when both the comfort of your fingers and the peace of your mind are simultaneously satisfied.