The sudoers file requires specific syntax to allow one user to execute commands as another user without password prompts. For your case where user 'ludo' needs to run commands as 'django', add this line to /etc/sudoers:
ludo ALL=(django) NOPASSWD: ALL
After saving the sudoers file, test the configuration with:
sudo -u django whoami
This should return 'django' without prompting for a password.
For more granular control, you can specify particular commands instead of using ALL:
ludo ALL=(django) NOPASSWD: /usr/bin/python, /usr/bin/django-admin
Always use visudo to edit the sudoers file, as it validates syntax before saving:
sudo visudo
If you encounter syntax errors, check:
- Spaces around the equals sign in ALL=(django)
- Correct placement of NOPASSWD directive
- Proper file permissions (must be 0440)
While convenient, passwordless sudo requires careful consideration:
- Restrict to specific commands when possible
- Monitor sudo usage via auth.log
- Consider using command aliases for complex scenarios
When managing a Linux server, you might need to grant a user the ability to execute commands as another user without password prompts. This is particularly useful for automation scripts or when delegating administrative tasks. In this case, we want user 'ludo' to run any command as the 'django' user.
The correct syntax in the sudoers file (typically located at /etc/sudoers) would be:
ludo ALL=(django) NOPASSWD: ALL
This line means:
- ludo: The user being granted privileges
- ALL: Applies to all hosts
- (django): The target user to run commands as
- NOPASSWD: No password required
- ALL: Can run any command
Always use visudo to edit the sudoers file, as it performs syntax checking:
sudo visudo
Add the line at the end of the file, then save and exit (:wq in vim). visudo will verify the syntax before saving.
After saving, test the configuration by switching to the 'ludo' user and running:
sudo -u django whoami
The expected output is 'django', without any password prompt.
If you need more granular control, you can specify particular commands instead of ALL:
ludo ALL=(django) NOPASSWD: /usr/bin/python3, /bin/systemctl restart django.service
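This would allow 'ludo' to run only these specific commands as 'django'. Keep in mind that an interpreter such as python3 can execute arbitrary code, so listing it restricts very little in practice.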
If you encounter syntax errors:
- Verify there are no spaces around the equals sign
- Ensure you're using tabs, not spaces, between sections
- Check for duplicate entries
For logging purposes, you might want to add:
Defaults:ludo logfile=/var/log/sudo_ludo.log
While convenient, passwordless sudo access should be granted cautiously. Consider:
- Implementing command restrictions where possible
- Setting up proper logging
- Regularly auditing sudo usage
- Using SSH key-based authentication instead when appropriate
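As a way to act on the auditing advice above, the following added example (not part of the original page) parses rules of the form user host=(runas) NOPASSWD: commands and flags passwordless entries that are unrestricted or that name an interpreter. The parser is deliberately simplified (one rule per line, no aliases, includes or line continuations), and the interpreter list and sample rules are assumptions constructed for illustration.

```python
import os
import re

# Simplified user specification: user host=(runas) [TAG:]... cmd[, cmd...]
# Assumption: one rule per line, a single runas user, no aliases or continuations.
RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+?)\s*=\s*\((?P<runas>[^)]+)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)
# Assumed, non-exhaustive list of binaries that run arbitrary code by design.
INTERP = re.compile(r"^(python|perl|ruby|node|bash|sh|dash|zsh)[\d.]*$")

def parse_rule(line):
    """Return a dict for a user specification line, or None for anything else."""
    line = line.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
    m = None if line.startswith("Defaults") else RULE.match(line)
    if not m:
        return None
    return {
        "user": m["user"], "host": m["host"], "runas": m["runas"].strip(),
        "nopasswd": "NOPASSWD:" in m["tags"],
        "commands": [c.strip() for c in m["cmds"].split(",") if c.strip()],
    }

def audit(text):
    """Return (line_no, user, runas, reason) for each risky NOPASSWD command."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if not rule or not rule["nopasswd"]:
            continue
        for cmd in rule["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((n, rule["user"], rule["runas"], "unrestricted"))
            elif INTERP.match(binary):
                findings.append((n, rule["user"], rule["runas"], "interpreter:" + binary))
    return findings

# Constructed sample input, built from the rule forms shown on this page.
SAMPLE = """\
ludo ALL=(django) NOPASSWD: ALL
ludo ALL=(django) NOPASSWD: /usr/bin/python3, /bin/systemctl restart django.service
ludo ALL=(django) NOPASSWD: /usr/bin/django-admin
Defaults:ludo logfile=/var/log/sudo_ludo.log
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```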