I have some automated tools that need to be able to run as a specific user. The username is "ig_root" and it is only used by a monitoring tool (checks disk space, database, CPU workload, etc) that sends us warnings when something may need human intervention.
What we need to be able to do is to issue a sudo command to run things as the ig_root user. I have my "invadm" account that is a member of sudo group, and it can "sudo su - root", but it prompts for a password. What I need to set up is to be able to do something similar for a non-root user but that does NOT prompt for the password.
In other words, as "invadm" user we want to do this:
# sudo -u ig_root check_dbspace
...without seeing this:
[sudo] password for invadm:
But I also want conecting to root to still require the password entry for everyone:
# sudo su - root
[sudo] password for invadm:
Is that possible?
My current visudo entries look like this on my test server:
# User privilege specification
root ALL=(ALL:ALL) ALL
invadm ALL=(ig_root) NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Any ideas as to what I'm missing? I thought maybe I have to issue the systemctl and stop/restart something, but I learned that there is no sudo daemon to restart. I also tried logging out and back in to pick up any new environment... no luck.
Right now, the only account that sudo does not ask for a password is when I'm root user.
# sudo -u ig_root whoami
ig_root
I think the problem is that when several entries match for the same user, the last match is used. Since
invadmis in group sudo the%sudoentry applies, hence the request for a password.Simply move your specific rules to the end of the file.