I'm running Linux Mint 17.3.

By default, running shutdown or other commands like reboot and poweroff requires root privileges.

So I added the following line

```
lesaff_b ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
```

to /etc/sudoers. I know it still requires that I run these commands with sudo, but it won't ask for a password, so I created an alias for each of them.

It worked fine the first time, but then it stopped working; I now need to run these commands with sudo and type my password. I know there are other ways of running these commands without sudo, but why doesn't it work when it should, and most importantly, why did it work one time?

Jeff Schaller
  • I typed "alias shutdown='sudo shutdown'" and so on for each of the commands. But I deleted the aliases to see if it changes anything and it does not. – Benjamin Lesaffre Jan 30 '16 at 01:38
  • I added those command aliases to ~/.bash_aliases – Benjamin Lesaffre Jan 30 '16 at 01:42
  • Yes exactly, "shutdown is aliased to `sudo shutdown'" – Benjamin Lesaffre Jan 30 '16 at 01:47
  • No, it still asks for a password :/ – Benjamin Lesaffre Jan 30 '16 at 01:53
  • Do you happen to have any entries in the sudoers file *after* the given line? sudoers works its way *up* the file, so if you also have a line like "lesaff_b ALL=(ALL) ALL" (for example) that would "catch" the shutdown program, sudo will follow that later rule and dutifully prompt you. – Jeff Schaller Jan 30 '16 at 02:27
  • Side note: `sudo -ll` will list how your config is interpreted. – Ulrich Schwarz Jan 30 '16 at 08:24
  • Your process for adding the aliases looks correct. I trimmed my comment questions to reduce clutter. I think the reason it worked without asking for a password one time only was that your sudo credentials were cached after you used sudo to edit the /etc/sudoers file. – Mark Plotnick Jan 30 '16 at 11:00
  • @JeffSchaller No, this is the only line I added to sudoers. UlrichSchwarz The output properly lists shutdown, reboot and poweroff in the sudoers entry. MarkPlotnick You're probably right, I didn't think about it. – Benjamin Lesaffre Jan 30 '16 at 13:27
  • If Mark is right, then your nopasswd flag is not being used... – Jeff Schaller Jan 30 '16 at 14:22
  • Apparently, but why is that so...? – Benjamin Lesaffre Jan 30 '16 at 17:17
  • Ulrich's suggestion of `sudo -ll` would be helpful to see – Jeff Schaller Jan 31 '16 at 16:39
  • sudo -ll gives me [this output](http://image.noelshack.com/fichiers/2016/04/1454273820-screenshot-from-2016-01-31-21-53-02.png) – Benjamin Lesaffre Jan 31 '16 at 20:58
  • The last paragraph of that sudo -ll output clearly shows that you have an all:all entry in there somewhere (and notice the lack of !authenticate) – Jeff Schaller Feb 01 '16 at 00:38
  • See http://unix.stackexchange.com/a/13058/117549 and if you don't see the offending sudo rule, consider pasting it here for someone to review. (Edit it into your Q) – Jeff Schaller Feb 01 '16 at 00:50
  • Thank you, that helped me to understand the problem. So yes, there are all:all entries, but these were here by default, I didn't add them, so I didn't think these lines could be the cause of the problem; moreover, I didn't have that problem when I was running Ubuntu. So I moved the line with the nopasswd flag after these lines and now it seems to work fine :) Thank you very much! – Benjamin Lesaffre Feb 01 '16 at 14:41

1 Answer

Given the information we learned in the comments, it appears that:

  1. you ran some command with sudo (perhaps to edit sudoers to add the quoted NOPASSWD line in the Q)
  2. sudo cached those credentials, allowing you to run a reboot or shutdown within timestamp_timeout (5 minutes by default, I believe)
  3. but after the reboot (more than timestamp_timeout), you were again prompted for a password for those commands because there was a pre-existing ALL:ALL sudo rule without the NOPASSWD flag -- that you didn't add but were caught up in. Because sudo uses the last matching rule, it prompted you unexpectedly.

The solution here is to move your rule below the pre-existing ALL:ALL rule (or, if you like, add the NOPASSWD flag to the existing ALL:ALL rule).

Jeff Schaller
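
A simplified model of the last-match behaviour described in the answer, as an added example that is not part of the original post and not sudo's own parser: it walks a constructed sudoers excerpt and reports which line decides whether a password is required. The `%sudo` default rule, the group membership and the name `needs_password` are assumptions; on a real system `sudo -ll` remains the authoritative check.

```python
import re

# Constructed excerpts: the NOPASSWD rule placed before, then after, an
# assumed default "%sudo" rule (the page only says an ALL:ALL rule existed).
BROKEN = """\
lesaff_b ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
"""
FIXED = """\
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
lesaff_b ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
"""

# who  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*")

def needs_password(sudoers, user, groups, command):
    """Return (prompt, line_no) from the LAST rule matching user and command,
    or None when nothing matches. Simplified: no aliases, host matching,
    negation, includes or command arguments."""
    verdict = None
    for line_no, line in enumerate(sudoers.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        who, cmds = m.groups()
        is_group = who.startswith("%") and who[1:] in groups
        if not (who in ("ALL", user) or is_group):
            continue
        prompt = True  # PASSWD is the default tag
        for cmd in (c.strip() for c in cmds.split(",")):
            tag = TAG.match(cmd)
            if tag:  # a tag also applies to the commands that follow it
                prompt = tag.group(1) == "PASSWD"
                cmd = cmd[tag.end():]
            if cmd in ("ALL", command):
                verdict = (prompt, line_no)  # later matches overwrite earlier
    return verdict

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, needs_password(text, "lesaff_b", {"sudo"}, "/sbin/shutdown"))
```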