4

I'm trying to set my local computer (which has Linux Mint 13 Maya) so that I can chmod & chown any file with my regular max user account.

Following this page, https://askubuntu.com/questions/159007/how-do-i-run-specific-sudo-commands-without-a-password

I've done the following:

```
#edit the /etc/sudoers file via `visudo` 
sudo visudo

#in the file, added these lines:
Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
```

Then saved. (I got the locations for chmod and chown using `which`.)

So, my visudo file now looks like this:

```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```

This is the output from `sudo -l`:

```
$ sudo -l
Matching 'Defaults' entries for max on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User max may run the following commands on this host:
    (ALL) NOPASSWD: /bin/chmod, /bin/chown
    (ALL : ALL) ALL
```

I then open a new shell tab and try to sudo chmod a file which is owned by a different user & group, and it asks me for a password:

```
$ ls -l  tmp/0000000001
-rw------- 1 www-data www-data 19245781 Sep 10 16:59 tmp/0000000001

$ sudo chmod +w tmp/0000000001
[sudo] password for max:
```

Am I missing something here? I don't know if I've done it wrong or have misunderstood what I was actually trying to change.

Do I need to reboot, or reload/restart something to see the change?

Max Williams
  • And when you do post there, remember to add the output of `sudo -l` and the lines in `sudoers` which come after the lines you added. – muru Sep 17 '15 at 13:20
  • Did you save _and exit_ `visudo` or just save? – terdon Sep 17 '15 at 13:27
  • Save and exit (`esc` then `:wq`) – Max Williams Sep 17 '15 at 13:59
  • That's very odd. I just tried this on my LMDE (Linux Mint Debian) and it worked as expected. – terdon Sep 17 '15 at 14:22
  • I've added (to my question) the content of my `visudo` file and the output from `sudo -l` - can you see anything there which might be breaking it? – Max Williams Sep 17 '15 at 14:32
  • What's the output of `type -a chmod`? – terdon Sep 17 '15 at 14:38
  • `chmod is /bin/chmod` – Max Williams Sep 17 '15 at 14:45
  • That's really weird. Look, it really shouldn't be necessary, changes to `sudoers` take effect as soon as `visudo` is closed but you may as well reboot if possible, just to make sure there's nothing keeping `visudo` open somewhere. – terdon Sep 17 '15 at 14:46
  • What happens if you type the full path, i.e. `sudo /bin/chmod +w tmp/0000000001`? – Jenny D Sep 17 '15 at 14:50
  • @JennyD it still asks for my password. – Max Williams Sep 17 '15 at 14:53
  • Is `max` a member of the `admin` or `sudo` groups? (I think this is the case because `(ALL : ALL) ALL` appears in your `sudo -l` output). The config line for that group may be taking precedence over the NOPASSWD line. – Mark Plotnick Sep 17 '15 at 14:56
  • @MarkPlotnick When I tried adding my testuser to wheel in my test server, I got the same issue. You should post that as an answer. – Jenny D Sep 17 '15 at 15:01
  • The solution is to post the lines with NOPASSWD lower down in the config than the line granting ALL to the admin/wheel/sudo group. – Jenny D Sep 17 '15 at 15:02
  • @MarkPlotnick yes it is - `$ groups max` gives `max : max root adm cdrom sudo audio dip www-data plugdev fuse lpadmin netdev powerdev sambashare`, showing that `max` is in the `sudo` group. Would you mind doing an answer with a suggested fix? – Max Williams Sep 17 '15 at 15:03
  • @JennyD - that's fixed it, thanks! If you want to make that an answer I will mark it correct. – Max Williams Sep 17 '15 at 15:06
  • It was @MarkPlotnick that found it... although I found how to solve it, so I'll write it up :-) – Jenny D Sep 17 '15 at 15:07

1 Answer

5

The issue here is that there are two rules for this user:

```
(ALL) NOPASSWD: /bin/chmod, /bin/chown
(ALL : ALL) ALL
```

The second one comes from the line in sudoers reading

```
%sudo   ALL=(ALL:ALL) ALL
```

Sudo will use the first matching rule starting from the bottom of the file - so when you need to have different options for a subset of commands, you need to make sure that they are listed below the more generic line.

In other words, you need to make sure that the line

```
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
```

is placed after the line

```
%sudo   ALL=(ALL:ALL) ALL
```

in the file.

Jenny D
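The ordering rule from the answer above, as an added example that is not part of the original thread and is not sudo's own code: a simplified model that walks the question's user-spec lines in file order and lets the last matching rule decide whether a password is asked. The names `parse` and `needs_password` are hypothetical, and the model assumes plain command lists only (it ignores host and run-as matching, negation, and every tag except `NOPASSWD:`).

```python
import re

# Constructed sample: the user-spec lines from the question, in file order.
BROKEN = """\
root    ALL=(ALL:ALL) ALL
Cmnd_Alias NOPASS_CMNDS = /bin/chmod, /bin/chown
max ALL=(ALL) NOPASSWD: NOPASS_CMNDS
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
# Same rules with the NOPASSWD line moved below the %sudo line, as the answer says.
MAX_RULE = "max ALL=(ALL) NOPASSWD: NOPASS_CMNDS\n"
FIXED = BROKEN.replace(MAX_RULE, "") + MAX_RULE

# who  host = (runas) [NOPASSWD:] commands
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse(text):
    """Return (command aliases, user specs in file order)."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#")[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif (m := SPEC.match(line)):
            who, nopasswd, cmds = m.groups()
            rules.append((who, bool(nopasswd), [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def needs_password(text, user, groups, command):
    """True/False from the last matching rule; None if no rule matches."""
    aliases, rules = parse(text)
    verdict = None
    for who, nopasswd, cmds in rules:
        if who != user and not (who.startswith("%") and who[1:] in groups):
            continue
        expanded = [c for name in cmds for c in aliases.get(name, [name])]
        if "ALL" in expanded or command in expanded:
            verdict = not nopasswd                 # a later match overrides an earlier one
    return verdict

if __name__ == "__main__":
    groups = {"max", "adm", "sudo", "www-data"}    # subset of `groups max` from the comments
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        for cmd in ("/bin/chmod", "/bin/ls"):
            print(label, cmd, "password required:", needs_password(text, "max", groups, cmd))
```

Run against the original ordering, the `%sudo` line is the last match for `/bin/chmod`, so the password prompt appears; with the `max` line moved to the end, only commands outside the alias still prompt.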