
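Running sudo without a password [WSL2 Ubuntu 18.04]

Published 2021/03/14

Goal

Being asked for a password every time I use sudo as a regular user is a hassle, so I set things up so that sudo works without one.

Environment

OS: Ubuntu 18.04 (WSL2)

Steps

Check the current configuration

The users who can use sudo appear to be listed in /etc/sudoers, under "# User privilege specification".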

$ sudo cat /etc/sudoers
[sudo] siesta825 のパスワード:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d



Check the sudoers manual

According to the manual (man sudoers), on the subject of passwords:

  • By default, sudo requires the user to authenticate before running a command. This behavior can be changed via the NOPASSWD tag.
  • With the following entry, the full-time sysadmins (millert, mikef, and dowdy) can run any command on any host without authenticating themselves.
    FULLTIMERS      ALL = NOPASSWD: ALL
    
    Full time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves.

sudoers manual (User specification)
   User specification
     User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                   (':' Host_List '=' Cmnd_Spec_List)*

     Cmnd_Spec_List ::= Cmnd_Spec |
                        Cmnd_Spec ',' Cmnd_Spec_List

     Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd

     Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

     Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)

     SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

     Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')

     Timeout_Spec ::= 'TIMEOUT=timeout'

     Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
                   'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
                   'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
                   'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
     The User specification is the part that actually determines who may run what.
      A user specification determines which commands a user may run (and as what user) on specified hosts.  By
     default, commands are run as root, but this can be changed on a per-command basis.

     The basic structure of a user specification is “who where = (as_whom) what”.  Let's break that down into its
     constituent 
.
.
.
     PASSWD and NOPASSWD

       By default, sudo requires that a user authenticate him or herself before running a command.  This behavior can
       be modified via the NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
       follow it in the Cmnd_Spec_List.  Conversely, the PASSWD tag can be used to reverse things.  For example:

       ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without
       authenticating himself.  If we only want ray to be able to run /bin/kill without a password the entry would
       be:

       ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

       Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exempt_group
       option.

       By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she
       will be able to run “sudo -l” without a password.  Additionally, a user may only run “sudo -v” without a
       password if the NOPASSWD tag is present for all a user's entries that pertain to the current host.  This behavior
       may be overridden via the verifypw and listpw options.



Edit /etc/sudoers

To edit it, you can use the special command sudo visudo.

$ sudo visudo
[sudo] siesta825 のパスワード:
.
.
# Add the current user's entry under "User privilege specification"
root         ALL=(ALL:ALL) ALL
siesta825    ALL=(ALL:ALL) NOPASSWD:   ALL



Save and try running sudo.

$ sudo ls
anaconda3  data  example  memo  project

The password is no longer requested!!
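An added example (not part of the original article and not sudo's own code): sudoers(5) applies the last matching entry, so whether a per-user NOPASSWD line takes effect depends on where it sits relative to group entries such as %sudo. The Python below checks this for the entries shown above; the function names parse and needs_password, the group memberships passed in, and the sample text are assumptions of this example, and it assumes one host list per line, no aliases, and hosts that always match.

```python
import re

# Assumptions: one host list per line, only PASSWD/NOPASSWD tags, no aliases.
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def parse(text):
    """Return [(who, [(command, nopasswd), ...])] in file order."""
    specs = []
    for line in map(str.strip, text.splitlines()):
        m = SPEC.match(line)
        if line.startswith(SKIP) or not m:
            continue
        rest = re.sub(r"^\([^)]*\)\s*", "", m["rest"])  # drop the Runas_Spec
        nopasswd, cmds = False, []                      # PASSWD is the default
        for item in map(str.strip, rest.split(",")):
            tag = re.match(r"(NOPASSWD|PASSWD):\s*", item)
            if tag:  # a tag stays in force for the commands that follow it
                nopasswd, item = tag[1] == "NOPASSWD", item[tag.end():]
            cmds.append((item, nopasswd))
        specs.append((m["who"], cmds))
    return specs

def needs_password(specs, user, groups, command):
    """Last matching entry wins (sudoers(5)); None if nothing matches."""
    result = None
    for who, cmds in specs:
        if who == user or (who.startswith("%") and who[1:] in groups):
            for cmd, nopasswd in cmds:
                if cmd in ("ALL", command):
                    result = not nopasswd
    return result

# Constructed input: the entries from the file above plus the added line,
# placed either right under root ("early") or after %sudo ("late").
BASE = "root ALL=(ALL:ALL) ALL\n{early}\n%admin ALL=(ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n{late}\n"
ENTRY = "siesta825    ALL=(ALL:ALL) NOPASSWD:   ALL"

if __name__ == "__main__":
    early = parse(BASE.format(early=ENTRY, late=""))
    late = parse(BASE.format(early="", late=ENTRY))
    for label, specs in (("early", early), ("late", late)):
        for groups in (set(), {"sudo"}):  # group membership is an assumption
            print(label, sorted(groups),
                  needs_password(specs, "siesta825", groups, "/bin/ls"))
```

In the file shown earlier, `#includedir /etc/sudoers.d` is the last line, so an entry placed in a drop-in file there is read after `%sudo`, which corresponds to the "late" case.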
