sudo asks for password, although NOPASSWD is set in /etc/sudoers


Published on October 30th 2015 - Listed in Linux


On an Ubuntu 14.04 system I tried to switch to another user with the sudo command, but sudo asked me for a password:

claudio@ubuntu:~$ sudo -u ansible /bin/bash
[sudo] password for claudio:

Strange... I explicitly defined in /etc/sudoers that my user is able to launch commands as ansible without having to enter a password:

claudio ALL=(ansible) NOPASSWD:/bin/bash

During my research I came across a question on Stack Exchange. Although it concerned an OS X system, the issue was the same.
It turns out my user "claudio" is a member of the "sudo" group:

claudio@ubuntu:~$ grep claudio /etc/group
sudo:x:27:claudio,otheruser,andanotherone

In /etc/sudoers there is already a pre-configured rule (at least in Ubuntu) which is set for the sudo group:

root@ubuntu:~# grep ^%sudo /etc/sudoers
%sudo  ALL=(ALL:ALL) ALL

There is no mention of NOPASSWD here. The group entry in sudoers seems to override the user entry: sudo applies the last matching entry, so a group rule that comes after the user rule wins.
On this particular server I don't make use of the "sudo" group, so I disabled this entry in /etc/sudoers. And now it works:

claudio@ubuntu:~$ sudo -u ansible /bin/bash
ansible@ubuntu:~$
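
The ordering effect can be reproduced offline with a small model of how the last matching sudoers rule is chosen. This is an added example, not code from the original post: the sample file contents, the function names and the assumption that the user rule sits above the %sudo rule are all constructed, and it goes one step beyond the post by also showing the user rule moved below the group rule instead of disabling the group rule.

```shell
#!/bin/sh
# Added example: simplified model of "the last matching sudoers rule wins".
# Handles only one-line rules: WHO HOST=(RUNAS[:GROUP]) [TAG:]CMD[,CMD...]
# (no aliases, includes, negation, wildcards or command arguments).
# effective_rule USER GROUPS RUNAS CMD   (sudoers text on stdin)
# Prints "<PASSWD|NOPASSWD> line <n> (<who>)" for the last matching rule.
effective_rule() {
    awk -v user="$1" -v groups="$2" -v runas="$3" -v cmd="$4" '
    function in_list(list, item, wild,    n, i, a) {
        n = split(list, a, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
            if (a[i] == item || (wild && a[i] == "ALL")) return 1
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*Defaults/ || !/=/ { next }   # comments, Defaults, blanks
    {
        who = $1
        if (who ~ /^%/) { if (!in_list(groups, substr(who, 2), 0)) next }
        else if (who != user && who != "ALL") next
        rest = $0; sub(/^[^=]*=[ \t]*/, "", rest)
        rlist = "root"                                  # default run-as user
        if (match(rest, /^\([^)]*\)/)) {
            rlist = substr(rest, 2, RLENGTH - 2); rest = substr(rest, RLENGTH + 1)
        }
        sub(/:.*/, "", rlist)                           # drop the run-as group
        if (!in_list(rlist, runas, 1)) next
        nopw = (rest ~ /NOPASSWD[ \t]*:/)
        gsub(/[A-Z_]+[ \t]*:[ \t]*/, "", rest)          # strip tags
        sub(/^[ \t]+/, "", rest); sub(/[ \t]+$/, "", rest)
        if (!in_list(rest, cmd, 1)) next
        last = (nopw ? "NOPASSWD" : "PASSWD") " line " NR " (" who ")"
    }
    END { print (last == "" ? "no matching rule" : last) }'
}
# Constructed sample (assumption: user rule sits above the stock %sudo rule).
sudoers_before() {
    printf '%s\n' \
        'root    ALL=(ALL:ALL) ALL' \
        'claudio ALL=(ansible) NOPASSWD:/bin/bash' \
        '%sudo   ALL=(ALL:ALL) ALL'
}
# The fix from the post: the %sudo rule is commented out.
sudoers_disabled() { sudoers_before | sed 's/^%sudo/#%sudo/'; }
# Alternative ordering: the user rule comes after the group rule.
sudoers_reordered() { { sudoers_before | grep -v '^claudio'; sudoers_before | grep '^claudio'; }; }

for f in sudoers_before sudoers_disabled sudoers_reordered; do
    printf '%-18s %s\n' "$f" "$($f | effective_rule claudio claudio,sudo ansible /bin/bash)"
done
```

On a real system, "sudo -l -U claudio" (run as root) lists the rules as sudo itself resolves them.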

Side note:

When I launched ansible-playbook after switching to the ansible user with the sudo command above, I ran into problems because my real user "claudio" was still being used. This happens because some environment variables still point to my own user when I use "sudo -u $user /bin/bash", as the /home/claudio path in the error below shows.

ansible@ubuntu:/srv/ansible$ ansible-playbook playbooks/test/testplay.yaml

PLAY [ANSIBLE - Test Playbook v.0.1] *******************************

GATHERING FACTS ***************************************************************
fatal: [ansibleclient.local] => Could not make dir /home/claudio/.ansible/cp: [Errno 13] Permission denied: '/home/claudio/.ansible'

To prevent this problem, start a real login shell as the target user like this:

claudio@ubuntu:~$ sudo -i -u ansible

The relevant sudoers entry was adapted slightly, so that claudio may now run any command as ansible without a password:

claudio  ALL=(ansible) NOPASSWD: ALL

