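I want to run sudo without a password [WSL2 Ubuntu 18.04]
Goal
Being asked for password authentication every time I use sudo as a regular user is tedious, so I set it up to work without a password.
Environment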
OS: Ubuntu 18.04 (WSL2)
Procedure
Check the current configuration
Information on the users allowed to use sudo appears to be listed under "# User privilege specification" in /etc/sudoers.
$ sudo cat /etc/sudoers
[sudo] siesta825 のパスワード:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Check the sudoers manual
On passwords, the manual (man sudoers) says the following:
- By default, sudo requires the user to authenticate before running a command. This behavior can be changed via the NOPASSWD tag.
- With the following entry, the full-time system administrators (millert, mikef, dowdy) can run any command on any host without authenticating themselves.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves.
sudoers manual (User specification)
User specification
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
Timeout_Spec ::= 'TIMEOUT=timeout'
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
The User specification is the part that actually determines who may run what.
A user specification determines which commands a user may run (and as what user) on specified hosts. By
default, commands are run as root, but this can be changed on a per-command basis.
The basic structure of a user specification is “who where = (as_whom) what”. Let's break that down into its
constituent
.
.
.
PASSWD and NOPASSWD
By default, sudo requires that a user authenticate him or herself before running a command. This behavior can
be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without
authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry would
be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exempt_group
option.
By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she
will be able to run “sudo -l” without a password. Additionally, a user may only run “sudo -v” without a password
if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior
may be overridden via the verifypw and listpw options.
Edit /etc/sudoers
To edit it, you can use the special command sudo visudo.
$ sudo visudo
[sudo] siesta825 のパスワード:
.
.
# User privilege specification (add the current user's entry here)
root ALL=(ALL:ALL) ALL
siesta825 ALL=(ALL:ALL) NOPASSWD: ALL
Save the file and try sudo.
$ sudo ls
anaconda3 data example memo project
The password is no longer requested!!
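sudoers(5) applies matching entries in order and uses the last one that matches, so where the NOPASSWD line sits relative to %sudo decides whether a password is asked for. The following Python code is an added example, not part of the original article: it evaluates that rule over a constructed copy of the page's privilege section. It assumes a simplified grammar (no aliases, host lists or includes), hypothetical helper names, and that siesta825 is a member of group sudo.

```python
import re

# Constructed sample: the page's privilege section after the edit (entry under root).
SUDOERS_AS_EDITED = """\
root ALL=(ALL:ALL) ALL
siesta825 ALL=(ALL:ALL) NOPASSWD: ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
"""

# Simplified grammar (assumption): "who ALL=(runas) TAG: ... ALL" only.
ENTRY = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+ALL\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)ALL\s*$"
)

def matching_entries(text, user, groups):
    """Return [(line_no, who, needs_password)] for entries that apply to user."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # comments, Defaults, and anything outside the grammar
        who = m["who"]
        applies = who[1:] in groups if who.startswith("%") else who == user
        if not applies:
            continue
        needs_password = True  # PASSWD is the default
        for tag in re.findall(r"[A-Z_]+", m["tags"]):
            if tag in ("PASSWD", "NOPASSWD"):
                needs_password = tag == "PASSWD"
        hits.append((no, who, needs_password))
    return hits

def password_required(text, user, groups):
    """sudoers(5): when several entries match, the last match is used."""
    hits = matching_entries(text, user, groups)
    return hits[-1][2] if hits else None  # None: no entry applies

def move_entry_last(text, user):
    """Return text with the user's own entries moved below all others."""
    lines = text.splitlines()
    mine = [l for l in lines if l.split()[:1] == [user]]
    return "\n".join([l for l in lines if l not in mine] + mine) + "\n"

if __name__ == "__main__":
    groups = {"sudo"}  # assumption: siesta825 is a member of group sudo
    print(password_required(SUDOERS_AS_EDITED, "siesta825", groups))
    print(password_required(move_entry_last(SUDOERS_AS_EDITED, "siesta825"), "siesta825", groups))
```

On a real system, `sudo -k` followed by `sudo -n true` checks the result without the cached credentials left over from the preceding `sudo visudo`. A file under /etc/sudoers.d/ is read at the #includedir line, which in the file shown above comes after the %sudo entry.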