... but still be required for applications that need admin privilegies?
In order to allow the following:
$ apache2ctl restart
httpd not running, trying to start
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
$ sudo !!
sudo apache2ctl restart #no password asked
$ #works!
For reference I've seen this setup on amazon's e3 instances
Any idea?
You need to edit the sudoers file. Be advised that success gives you a less secure system and failure can break sudo. ALWAYS edit the sudoers file with
sudo visudo, as visudo checks for errors and will not save the file if any are found.It's a bad idea to give everything permission to run as root without a password, so to just let through the one executable you need(apache2ctl); append the following to the very bottom of the file:
You can replace the path to an executable with "ALL" if you choose, giving you complete passwordless sudo.
Replace YOURNAME with your username and press Ctrl + X to save and exit. If an error occurred, it will offer to revert, edit, or save anyway.
Be sure that you use the full path to an executable:
ie.
/usr/bin/apache2ctlinstead of justapache2ctl. This is important because without explicitly stating the path sudo will allow any program named apachectl on the user's current path to run as root.The real answer to this question can be complicated because sudo is very powerful, and can be configured to do cool things. This is thoroughly explained in the documentation.
The short answer is run
sudo visudoin a terminal. If this is the first time that you have run visudo, it will ask you which editor you prefer. nano is generally thought to be the easiest to use, but pick the editor you are most comfortable/familiar with. You will need to decide who you want to give access to; it could beALLfor everyone (a very bad idea), a user, or a system group. Groups are prefixed with a % sign. For example, if you wanted to give everyone in thesteroid_usersgroup root privileges without the need for a password for all commands you would add:to the end of the file, exit, and save the file. If all goes well, and you are a member of the steroid_users group, you will be able to issue
sudo *some-command*without the bother of needing to enter your password.Keep in mind that anyone who has access to your terminal while you are logged in -- or if you have ssh setup for key-based auth, or (even worse) have enabled password free session logins -- complete and unfettered access to your entire system. If you have multiple users on your system, or if this is a file server, all users files could be at risk as root can do anything!
Also, if you make a mistake, visudo will output and error message and not save changes to the file. This will help prevent breaking sudo completely. You should really read the documentation. Sudo is designed to give users just enough access to do their job without the need to expose your entire system. It may be advantageous to only give password free access for certain commands.
I hope this helps.
You'll need to edit '/etc/sudoers' file (there is 'visudo' command for that.) to add NOPASSWD prior to list of allowed commands for Your user or group. If Your user is in 'admin' group - You need following:
Check https://help.ubuntu.com/community/Sudoers , btw.
You COULD add the nopasswd flag to the user list but that does not eliminate all passwords asked questions. Only the first one will be asked.
sudo visudo(You HAVE TO use sudo. This is an admin file.)cyrex ALL = NOPASSWD: ALLorcyrex ALL = (ALL) NOPASSWD: ALLor
I guess this would do it.
But be careful with removing passwords for sudo.
Now for the simple answer! No possible way to mess anything up or fudge your install up.
Just enter your password a couple times and then you'll never have to enter it again! This will allow you to add a local admin account to the group "root" which is then un-commented from a template which will allow the entire group "root" superuser privileges. You can read my security concern/solution for this procedure at the later part of this post.
%username& is the global variable for your username(replace it with desired username)
Step 1: Open up a terminal window and then type "
sudo usermod -a -G root %username%"Step 2: Then copy/paste this...
Step 2 OR type
Goto line 19 and remove the "#" before
# auth sufficient pam_wheel.so trust(may be a different line number for some)*The first command adds your %username% to the group "root"
The second/third commands allows all members of group "root" to be superuser without a password, versus only allowing the user "root" su privileges for authentications.
Endnote:
Don't mess around with
/etc/sudoers... There are a lot of checks/balances that 'su' authentication must go through. Superuser authentication uses the same pam.d procedure as all other login authentications. "/etc/security/access.conf" has the layout for access control via tcp/ip(192.168.0.1) communication and through telnet services (tty1&tty2&tty3...etc) This allows more precise filtering per application via transport protocol. If safety is your concern, then your concern should be directed towards remote/code threats versus someone actually touching your computer when you leave the room!!!Food for paranoia(dont type this one in just review it):
^ This blocks access to console for anyone who is not a member of system or root. Sometimes programs install usernames/groups that are exploited!