Allow sudo access without a password

I was shown this by a friend the other day. If you're not really paranoid, this is quite useful.

I use sudo quite a lot and get bored of typing my password in every time I use it. There is away around this, but only do this if no one else uses your machine or you don't leave your self logged in. Start a terminal and type:

 % sudo visudo

Now the only way to edit this file without playing around with chmod and so on is with visudo; this is a command used just to edit the /etc/sudoers file. It also does checks to make sure the formatting is correct. The following is the important part of the file. It basically says user 'root' can do all commands, group 'admin' can do all commands:

 # User privilege specification
 root    ALL=(ALL) ALL 
 %admin  ALL=(ALL) ALL

You need to change this so it has NOPASSWD: before the last "all" for the admin group, so it looks like this:

 # User privilege specification
 root    ALL=(ALL) ALL
 %admin  ALL=(ALL) NOPASSWD:ALL

You can also add you username to the file:

 # User privilege specification
 root    ALL=(ALL) ALL
 %admin  ALL=(ALL) ALL
 user_name  ALL=(ALL) NOPASSWD:ALL

Note: Those are tabs after the username and group name.

To write and save the file hit ESC (just to be safe) and then :wq, then hit Enter. This basically tells vi to write then quit; if you made an error in the file, it will tell you so and ask you want to do. If this happens, you should always revert and try again, it's a lot easier.

Of course you could always use "sudo tcsh" but I don't like being root when I'm playing around.

[Editor's note: visudo works like vi, so 'man vi' will explain how to use the editor. And please, take the security caution seriously. If someone else can get to your Mac, they will be able to execute commands as root without any authentication. Of course, once someone has physical access to the machine, most bets are off, but this makes it very easy for someone to do bad things to your machine if they so desire. Let me say it again ... this is a really bad thing to do from a security perspective! You'll need to decide if the risk is worth the few seconds of saved typing each time you sudo.]

From our Sponsor...

Hints by Topic

Allow sudo access without a password | 21 comments | Create New Account

Click here to return to the 'Allow sudo access without a password' hint

The following comments are owned by whoever posted them. This site is not responsible for what they say.

visudo
Authored by: lolopb on Dec 02, '02 10:24:46AM

Just a little thing, visudo calls your defalut editor, so, if you wrote :
setenv EDITOR [my editor, say pico]
in your .tcshrc, visudo will check if the editor is sudo compliant (pico is) and will launch it, so you don't have to learn vi to change sudo settings.

I agree, making these changes in sudo is DANGEROUS for security reasons !

OS 9 boot CD
Authored by: Johnny_B on Dec 02, '02 10:37:28AM

Put in your OS 9 boot CD, restart and push the "C" button while starting up. There is no such thing as security, the only security is to protect the HD, or to encrypt things. UNIX and privileges won't help you. You are being paranoid for no reason, if someone knows that there is such a thing as a terminal at the mac, they know about the OS 9 boot CD.

My fave...
Authored by: robg on Dec 02, '02 11:10:15AM

If someone has physical access and they really want something from the machine, all they need is a screwdriver. Drop a side panel, remove the hard drive, replace the side panel, leave the room. Physical access basically means no security, but this hint still makes it very very easy for someone to do damage in 30 seconds that would otherwise require a few minutes at least.

-rob.

OS 9 boot CD
Authored by: lolopb on Dec 02, '02 01:02:51PM

Open Firmware Password, no physical access to the computer...

You can do something for this, but if you leave your computer with no sudo password, just open directly your session as root, it's quite quicker, you won't have to write sudo ;-)

Only paranoids will survive...

OS 9 boot CD
Authored by: bbum on Dec 03, '02 12:42:58AM

Umm... wrong.

There is a huge difference between booting from a CD and modifying your user environment such that any application can execute code with superuser privileges. In the first case, it takes a long time to boot from a CD and screw with the machine.

In the latter-- in the case of opening up sudo to allow any command without a password-- you are opening up your environment such that any app can do whatever the hell it wants without requiring a password. This means that a simple applescript could 'do shell script "sudo bad thing" and you wouldn't even see a mysterious Password: prompt in a terminal window-- enough to arouse suspicion.

You are absolutely correct that it is basically impossible to secure a machine to which an attacker has physical access, but that doesn't mean you should just give up hope, throw away all locks&keys, and open every door/gateway/window to the kingdom.

enable super user
Authored by: ahansen on Dec 02, '02 05:29:40PM

A better way might be to enable Root User in the NetInfo Manager.

Open NetInfo Manager, go to the Security menu and select "Authenticate". After authenticating go back to the Security menu and select "Enable Root User". Now in the terminal instead of typing sudo every time, you can just type su and be logged in as root. When you are done type exit.

Sudo over su
Authored by: Accura on Dec 02, '02 09:51:41PM

This has been talked about before, i use this hint at home bcause every command typed with sudo on the start is loged, i like to know what i did and why, if you use su -m or sudo tcsh the commands are not loged after that point. I find logs handy and use them all the time

but your all right, it makes your box open for attacks, but being at the computer does that. single user mode, boot with an osx cd and change the root password, take the HD and of course os9.

This is something i like to do personally not for every thing. NEVER EVER use this hint on a server, EVER, its not a very smart thing, a desk top is not so bad but if paranoid dont do this its not worth lying awake at night

Sudo over su
Authored by: ukkarhu on Dec 03, '02 08:37:40AM

What you can do on a server is that you can permit certain users or groups to execute certain commands as root i.e. adding a user or something like that. Sudo is very useful for that and having the NOPASSWD option is good so you can give this access to certain users via a script.

Remember if you use the '%admin' hint, the 'assailant' still has to know the username and password of an 'admin' user to be able to execute commands via sudo as root and if they know an admins password, they will already be logged in and running whatever as root anyway!

Don't do this!!!!
Authored by: Glanz on Dec 03, '02 08:50:46AM

Don't do this if you ever connect to the internet, even with a 56K connection. You may end up being a relay station for every Windows worm in existence...., and I sincerely hope you have absolutely no app that even resembles a server application, no matter how small. And I REALLY hope you do not have a high speed connection. To sum it up, this is an irresponsible move., not only to yourself, but to others as well.

While you're at it...
Authored by: rev on Dec 03, '02 06:10:50PM

... open your power supply (while still plugged in), pee on it.

This 'hint' is very bad advice to follow.

sudo -s
Authored by: jpkelly on Dec 04, '02 02:09:14AM

I type "sudo -s" enter my password and I am free to screw up my computer any way I want as a super user.
Nevermind letting someone else do it.

why even post this?
Authored by: signal15 on Dec 06, '02 03:17:37PM

Why would you even bother posting this hint? Users sacrifice security for convenience all the time, and some things, like this particular hint take it too far. The nice thing about OSX and other Unixes are their security model, where a regular does *not* have full access to the system without manually sudo'ing or su'ing to root and typing a password. By making a user have full access, you've basically turned the system into a windows 98 machine with virtually no local security policies at all, leaving worms/trojans/viruses free to do whatever they want to your system, and making it way easier for an attacker to do bad things.

Ask any unix admin about this hint, if you tell them you've done it, they will likely kick you in the shin.

why even post this?
Authored by: sardu_mac on Jan 17, '03 02:53:41PM

Actually, a lot of 'hardcore UNIX admins' have this enabled for their personal account. As long as you have a good password, don't do silly things like run system daemons as the same UID, use system accounts for apache authentication and such, there's no harm in this. Don't enable it for other accounts or users who aren't UNIX-savvy as they may have weak passwords or use services that allow cleartext password transfers.

very unsafe
Authored by: hayne on Mar 04, '05 03:51:52PM

If any of those "hardcore Unix admins" have done this, I hope they only run command-line programs or GUI apps that they themselves have written and so can have complete trust in.

As others have explained (e.g. 'bbum' above), the problem is that any program running under your account can (with this "hint") get full control of the machine. And a sufficiently clever piece of malware can do this without leaving any noticeable trace - so you might never know that your machine has been taken over.

I strongly recommend against implementing this hint.

[ Reply to This | # ]

...
Authored by: Ezekiel on Dec 06, '02 10:25:32PM

What\'s the complaint? If people want root access without writing their password every time, they are allowed to. The difference between them doing it by activating the root account, being smart and just \"sudo su\" whenever lots of root access needed commands are being performed, or using this hint with their regular account/admin account is fleeting. Someone says \"why not pee at your power supply while you\'re at it\" while another argues \"...you\'ve basically turned the system into a windows 98 machine with virtually no local security policies at all, leaving worms/trojans/viruses free to do whatever they want to your system\". Bogus. How can you claim that? The user still needs to log in, remember? What it does is give the accounts that can sudo withot password effective root status. Which of course is a serious security setback if on a server or something, but obviously not any more of a risk than having an activated root account which the user logs in as.

Personally I won\'t ever use this hint, but not because of security (well that too, I\'m running an ftp server), but rather because I find it utterly useless. Using one or a few commands that need root access having to type sudo first isn\'t a big deal, more like a 1/2-second deal... and whenever lots of work is needed with root access, there\'s the sudo su or sudo -s.

...
Authored by: Elektron on Dec 14, '02 06:20:24AM

Windows security idea: The user is the "admin".
Unix security idea: The program has root.

Because really, you don't do anything. You rely on a bunch of programs that do things, and hope that none of them is a trojan.

And then, say, one of those small apps you downloaded from VersionTracker (or whatever) realizes it doesn't need a password to sudo. So?

execl("/usr/bin/sudo","sudo","rm","-Rf","/");

(I'll assume everyone here is smart enough not to do that)

If you want root without typing lots of passes, su. Or you can sudo tcsh. But never give every other program you run the ability to do anything, too.

On another note, my Apps folder is 'chmod 1775'ed and the apps themselves are 'chmod -R 755'ed and 'chown -R root'ed. So I can add apps to the folder, but I can't edit the apps. Any new apps are chmod'd and chown'd. I'd copy them as root in the first place, if cp did resource forks and stuff correctly.

But then again, I'm paranoid =-)

...
Authored by: chabig on Dec 14, '02 10:42:06AM

My Applications folder is read-only for all user accounts. Yet they can still run apps. So you might be able to chmod 744 your apps if you're really paranoid.

Chris

Thanks, I think
Authored by: shayster01 on Jan 17, '03 12:04:03PM

I don't know if I am going to do the right thing but I am goingg to use the sudo because I lost my admin password and screwed up my hostconfig file trying to make my cd mount correctly. So all I get is the UNIX interface. I am assuming if I use the sudo command it will give me access to delete or modify the hostconfig file and I should be ok. Unless someone has a better idea??

Help
Authored by: shayster01 on Jan 17, '03 12:13:10PM

Here's what I did:

I changed the hostconfig file as reccomended by apple because it wasn't mounting my cd's in OSX. I must have done something wrong because now it will no start up I just get the the terminal screen. I tried to delete the hostconfig file but it will not give me access because I forgot the admin password (it's not my computer!!). Does anybody have a solution for either resetting the admin password or is deleting the hostconfig the only option?

shayster01@yahoo.com

Thanks!

Help
Authored by: sardu_mac on Jan 17, '03 02:56:45PM

What changes did you make to the hostconfig? (can you reference the Apple URL that recommended this?)

If you're trying to type the admin password in response to the 'sudo' command, it's asking for your password not the admin password.

Help
Authored by: sardu_mac on Jan 17, '03 03:04:44PM

If you still have access to a user account that's in the admin group, try this: sudo -s (enter YOUR password) cp /etc/hostconfig /etc/hostconfig.bak cat << DONE > /etc/hostconfig HOSTNAME=-AUTOMATIC- ROUTER=-AUTOMATIC- AUTOMOUNT=-YES- DONE sync shutdown -r now

Hint Options

Search

From our Sponsor...

Latest Lion Hints

User Functions

What's New:

Hints

Comments last 2 days

Links last 2 weeks

What's New in the Forums?

Hints by Topic

News from Macworld

From Our Sponsors