How to run sudo without password prompt + target user environment

Hi,

Apologies if this is wrong section to post.

On one of my machines, running Ubuntu 20.04.5 LTS, I'm user1 and need to run a script as user2, and there must NOT be any password prompt.

I added the line below to sudoers (using visudo, of course):

user1 ALL=(user2) NOPASSWD: /usr/local/bin/script.sh

and then I ran the command below as user1:

sudo -u user2 /usr/local/bin/script.sh

It runs, but a part of the actual execution fails as user2's environment is NOT set.
Hence I tried the following:

sudo -i -u user2 /usr/local/bin/script.sh

But it asks for a password. If I type in the password, the script runs just fine, but the problem is that it prompts for a password, which is a problem for automation. So my query is: how could I run sudo -i without a password prompt?

I think one way is to set user2's environment in the script itself, but I'm not sure which environment variables I need to set, or whether anything else might be needed.

Appreciate any help :slight_smile:

You are correct that the issue is that the environment variables for user2 are not set when running the script with sudo -u user2. To run the script as user2 with their environment variables set, you can use the sudo -i -u user2 command, but this prompts for a password.

One solution would be to use the sudo -n option, which allows you to run a command with elevated privileges without being prompted for a password. So you can use the command sudo -n -i -u user2 /usr/local/bin/script.sh to run the script as user2 with their environment variables set, without being prompted for a password.

Another solution would be to set the needed environment variables in the script itself, by using the export command. You can use the printenv command to see all the environment variables for user2, and then set them in the script using the export command.

You also need to make sure that user1 has the permissions to run the script in the first place.

If you want to avoid using the sudo command altogether, you could also give user1 the necessary permissions to run the script as user2 without using sudo. This can be done by adding user1 to the same group as user2 or by changing the ownership and permissions of the script to allow user1 to execute it.

3 Likes

Thanks ChatGPT for the reply.

sudo -n -i -u is not a solution, as it throws a "sudo: a password is required" error and exits silently.

From the sudo man page:

-n, --non-interactive
                 Avoid prompting the user for input of any kind.  If a
                 password is required for the command to run, sudo will
                 display an error message and exit.

Looks like setting the environment variables in the script itself is the only option, but updating the script is my last option; I'm looking for a better/alternative solution.

1 Like

I have seen
sudo -iu username command
running without prompting for a password. Do you have any additional options/tags/flags set in the sudoers?

1 Like

Maybe that's because it was run within 15 minutes of entering sudo password?

My sudoers file:

root@Test1:/etc# grep -v "^#" /etc/sudoers | grep -v "^$"
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo  ALL=(ALL) NOPASSWD: ALL
user1 ALL=(user2) NOPASSWD: /usr/local/bin/script.sh
root@Test1:/etc#

Please show the output of
egrep "^[^#]|^#include" /etc/sudoers
Are there any included rules that conflict?

1 Like

Thank you for your reply.

root@Test:~#
root@Test:~# egrep "^[^#]|^#include" /etc/sudoers
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo  ALL=(ALL) NOPASSWD: ALL
user1 ALL=(user2) NOPASSWD: /usr/local/bin/script.sh
#includedir /etc/sudoers.d
root@Test:~#
root@Test:~# ls /etc/sudoers.d
README
root@Test:~#
root@Test:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:        20.04
Codename:       focal
root@Test:~#

I don't think there are any conflicting rules. I didn't modify anything in sudoers other than this one entry.


Maybe try something like this in sudoers:

username ALL=(ALL) NOPASSWD: /path/to/command

Modify the username and the path to the command, but leave ALL=(ALL) NOPASSWD: as is.

1 Like

Hi Neo, hope you are doing well :slight_smile:

Sorry, no change in behavior with ALL=(ALL) NOPASSWD: either.

2 Likes

Hi @magnus29,

When using -i, the target user's login shell is invoked (so a potential .bashrc, .profile etc. are sourced) in order to execute the given command. So you have to allow the full command line in the sudoers file:

user1 ALL=(user2) NOPASSWD: <user2's_login_shell> -c /path/to/command, /path/to/command

The trailing ", /path/to/command" must be appended to make it also work without -i (maybe wildcards can be used in order to eliminate this redundancy).
Normally, the login shell is one of /bin/{bash,ksh,dash,sh}. You can find it via getent passwd user2 | cut -d: -f7.

For debugging sudo, you can comment out the last 2 entries in /etc/sudo.conf:

Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudoers_debug all@debug

And/Or, more simply, grep sudo /var/log/auth.log as root.

4 Likes
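As an added example (not code from any post in this thread), the following POSIX shell script derives the rule described above from the target user's login shell, syntax-checks it with visudo without touching /etc/sudoers, and shows how to read the COMMAND= field from a sudo auth.log entry, which is the exact string the sudoers rule has to match. The function names are this example's own, the passwd line and the log line are constructed sample data, and the users and script path are the ones from the thread.

```shell
#!/bin/sh
# Added example: build and check the NOPASSWD rule that covers both
# `sudo -u user2 CMD` and `sudo -i -u user2 CMD`.
# Function names are hypothetical; sample data below is constructed.

# Seventh field of a passwd(5) line: the login shell
# (same as: getent passwd user2 | cut -d: -f7).
login_shell_from_passwd() {
    printf '%s\n' "$1" | cut -d: -f7
}

# sudoers_rule RUNAS TARGET SHELL COMMAND
# With -i, sudo executes "SHELL -c COMMAND", so that exact command line is
# what the rule must list; COMMAND alone is added so plain `sudo -u` still matches.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s -c %s, %s\n' "$1" "$2" "$3" "$4" "$4"
}

# Syntax-check a rule with visudo in a temporary file (mode 0440 to satisfy
# older visudo permission checks). Returns 0 if ok, 1 on a syntax error,
# 2 if visudo is not installed on this host.
check_rule() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Extract COMMAND=... from a sudo line in auth.log. On a "command not allowed"
# entry this shows the command line sudo actually tried to match.
logged_command() {
    printf '%s\n' "$1" | sed -n 's/.*COMMAND=//p'
}

# Usage with constructed sample data:
passwd_line='user2:x:1001:1001:User Two:/home/user2:/bin/bash'
shell=$(login_shell_from_passwd "$passwd_line")
rule=$(sudoers_rule user1 user2 "$shell" /usr/local/bin/script.sh)
echo "$rule"
# user1 ALL=(user2) NOPASSWD: /bin/bash -c /usr/local/bin/script.sh, /usr/local/bin/script.sh

check_rule "$rule"
echo "visudo check exit status: $?"

# Constructed auth.log line of the kind `grep sudo /var/log/auth.log` returns
# when the rule does not cover the -i form:
log='Jan  1 10:00:00 Test sudo:    user1 : command not allowed ; TTY=pts/0 ; PWD=/home/user1 ; USER=user2 ; COMMAND=/bin/bash -c /usr/local/bin/script.sh'
logged_command "$log"
# /bin/bash -c /usr/local/bin/script.sh
```

The rule lists the exact command line rather than widening to NOPASSWD: ALL, so user1 gains only the ability to run that one script as user2 (with or without user2's login environment), and nothing else; the generated line belongs in a 0440 file under /etc/sudoers.d/ or in /etc/sudoers via visudo.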

Do you have a special setting in any /etc/pam.d/*login* file that enforces a password? (Maybe a nullok omitted that is normally there?)

1 Like

Yes, well, this is Ubuntu 20.04.5 LTS, so I think this is different from most.

I think @neo is nearly correct, except this has to go into a user-specific file in the folder:

/etc/sudoers.d/

Read this:

Please post back if that works or not.

2 Likes

Thank you everyone, I'm really overwhelmed by how many came forward to help me :pray:

@bendingrodriguez's solution worked for me.

2 Likes

Not necessarily. Shorter files in /etc/<whatever>.d/ get things way better organized and easier to maintain, automate, and so on. But they are not mandatory.

1 Like