How to Combine NOPASSWD and SETENV Tags in Sudoers File for Environment Preservation


# Understanding Sudoers Tag Combinations

When configuring sudo privileges, you often need to combine multiple tags such as NOPASSWD and SETENV. Here is the proper syntax and some practical examples.

Contrary to some documentation, sudo supports multiple tags on one line, written one after another:

```
username  ALL = (target_user) NOPASSWD:SETENV: /path/to/command
```

or alternatively:

```
username  ALL = (target_user) NOPASSWD,SETENV: /path/to/command
```

Both forms are valid and achieve the same result.

1. Basic combined tags example:

```
jenkins  ALL = (app_user) NOPASSWD:SETENV: /usr/bin/deploy_script.sh
```

2. With command arguments:

```
%developers  ALL = (root) NOPASSWD,SETENV: /usr/bin/env *, /usr/bin/restart_service
```

3. For specific environment variables:

```
db_admin  DB_SERVERS = (postgres) SETENV:NOPASSWD: /opt/scripts/db_maintenance.sh
```

- The order of NOPASSWD and SETENV does not matter
- The colon after the last tag is mandatory
- Always test with `sudo -v` after changes
- Consider the security implications of combining these tags

If your tags aren't working as expected:

1. Verify that your sudo version supports tag combinations:

```
sudo -V | grep "Sudo version"
```

2. Check for syntax errors:

```
visudo -c
```

3. Test environment preservation:

```
sudo -E printenv
```

Remember that SETENV alone does not preserve all variables; you still need to pass the -E flag when running the sudo command.

The sudoers file allows administrators to specify fine-grained permissions using various tag specifications. Two commonly used tags are:

- NOPASSWD: allows the command to run without a password prompt
- SETENV: allows environment variables to be preserved when the command runs

To use both NOPASSWD and SETENV for the same command specification, list them one after another, each followed by its colon:

```
username ALL = (root) NOPASSWD: SETENV: /path/to/command
```

This syntax works because sudo processes these tags as independent modifiers that can be combined. The order doesn't matter, so you could also write:

```
username ALL = (root) SETENV: NOPASSWD: /path/to/command
```

Here's a real-world example that allows a deployment user to run a script with its environment variables preserved while avoiding password prompts:

```
deploy_user ALL = (app_user) NOPASSWD: SETENV: /usr/local/bin/deploy.sh
```

When combining these tags:

- Ensure you're editing the sudoers file with visudo so the syntax is checked
- Test the configuration thoroughly, as environment preservation can have security implications
- Consider limiting the commands that can be run with these privileges

You can combine more than two tags if needed. For example, to add output logging:

```
admin ALL = (root) NOPASSWD: SETENV: LOG_OUTPUT: /usr/sbin/service
```

Remember that a tag applies to the command it precedes and to every later command in the same list until another tag overrides it.
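As an added example (not code from the original page or from the sudo project), here is a small Python helper that reads user specification lines the way sudoers(5) describes them and reports which tags are in effect for each command: NOPASSWD and SETENV in either order, and tags carrying over to later commands in the same list until another tag overrides them. The parser, its function names and the sample fragment are constructed for this illustration, and it is no replacement for `visudo -c`.

```python
import re

# Cmnd_Spec tags from sudoers(5); in a rule each is written as "TAG:" before a command.
TAGS = ("EXEC", "NOEXEC", "FOLLOW", "NOFOLLOW", "LOG_INPUT", "NOLOG_INPUT",
        "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "INTERCEPT", "NOINTERCEPT",
        "PASSWD", "NOPASSWD", "SETENV", "NOSETENV")
TAG_RE = re.compile(r"(%s)\s*:\s*" % "|".join(TAGS))
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*")

def tag_to_setting(tag):
    # NOPASSWD -> ("PASSWD", False); SETENV -> ("SETENV", True)
    return (tag[2:], False) if tag.startswith("NO") else (tag, True)

def parse_cmnd_spec_list(rhs):
    # Yield (runas, settings, command) per comma-separated Cmnd_Spec. Per sudoers(5),
    # the Runas_Spec and the tags stay in effect for later commands until overridden.
    runas, settings = "root", {}  # runas_default is root when no (...) is given
    for spec in rhs.split(","):
        spec = spec.strip()
        m = RUNAS_RE.match(spec)
        if m:
            runas, spec = m.group(1).strip(), spec[m.end():]
        while (m := TAG_RE.match(spec)):
            name, value = tag_to_setting(m.group(1))
            settings[name] = value
            spec = spec[m.end():]
        yield runas, dict(settings), spec.strip()

def parse_user_specs(text):
    # Hypothetical audit helper: returns (user, runas, command, settings) rows for plain
    # user specification lines. It skips Defaults and alias definitions and does not
    # handle includes or line continuations, so it is no substitute for visudo -c.
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        if user.startswith("Defaults") or user.endswith("_Alias"):
            continue
        for runas, settings, cmd in parse_cmnd_spec_list(rhs):
            rows.append((user, runas, cmd, settings))
    return rows

# Constructed sample fragment reusing the rule shapes from this page (not a real sudoers file).
SAMPLE = """\
Defaults env_reset
jenkins  ALL = (app_user) NOPASSWD:SETENV: /usr/bin/deploy_script.sh
deploy_user ALL = (app_user) SETENV: NOPASSWD: /usr/local/bin/deploy.sh
admin ALL = (root) NOPASSWD: SETENV: LOG_OUTPUT: /usr/sbin/service, PASSWD: /usr/bin/env *
"""
```

In each returned settings dict, a missing PASSWD key means the sudoers default (password required) and a missing SETENV key means environment overrides are not permitted; the last sample rule shows PASSWD: re-enabling the prompt for the second command while SETENV and LOG_OUTPUT carry over.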