40

When I run sudo as a normal unprivileged user, it asks for my password, not the root password. That's often convenient, but it reduces the amount of information someone would have to have in order to run commands as root. So how can I make sudo ask for the root password instead of the invoking user's password?

I know it'd be done with a line in /etc/sudoers, but I can never seem to properly parse the BNF grammar in the man page to figure out exactly what to write.

David Z
  • 6,596
  • 2
  • 44
  • 50
  • I recommend you restrict the commands that are permissible as the non-root user so that you need not worry about exposing arbitrary commands. – Slartibartfast Jul 09 '10 at 05:02
  • 1
    @slartibartfast: but then what happens when I need to run a command as root that is not in the preapproved list? – David Z Jul 09 '10 at 05:46

6 Answers6

40

Ok, here it is again so you can set the checkmark.

In /etc/sudoers, add this line:

Defaults rootpw

to turn on the rootpw flag, making sudo ask for the root password.

Josh Hunt
  • 21,185
  • 20
  • 84
  • 123
Florian Diesch
  • 3,780
  • 1
  • 19
  • 16
  • 16
    You should always use the `visudo` command instead of manually editing the `/etc/sudoers` file. `visudo` validates the file to make sure it's correct before saving, so you don't get locked out of sudo if you make a syntax error... http://askubuntu.com/a/81054/166411 – Colin D Bennett Nov 26 '13 at 21:22
  • This solution worked for me on MX Linux 21.3, since the MX Tweaks Option "Password for administrative tasks" only changes graphical calls to sudo (gksudo). e.g. Opening Synaptic, but not for terminal use of sudo. - This is specially problematic because I use sudo calls more than privileged graphical tools, so I can see any terminal output, and since my login password should be extremely large for people to remember when seen, writing it over and over is frustrating. – DATALOT Jun 04 '23 at 02:24
7

You need to turn the rootpw flag on.

Ignacio Vazquez-Abrams
  • 111,361
  • 10
  • 201
  • 247
6

A common configuration that requires the password of the target (not what we want):

Defaults targetpw
ALL ALL=(ALL) ALL

The second line would read out loud like: "ALL users on ALL hosts can impersonate (ALL) users when executing ALL commands." and the Defaults targetpw means that they need to know the password of the user they are impersonating to do so.

Naively changing this simple config to:

Defaults rootpw

wouldn't leave any user or group with the privilege to run commands as another user.

One working possibility would be:

Defaults rootpw
myuser ALL=(ALL) ALL

In plain English, myuser now has the ability to run ALL commands as any user on ALL hosts, so long as the root password is known.

Another working possibility would be:

Defaults rootpw
%sudousers ALL=(ALL) ALL

Any member of the sudousers group will have the ability to run ALL commands as any user on ALL hosts, so long as the root password is known. To allow myuser to run sudo commands, sudousers would need to be added to its secondary groups.

su
usermod -a -G sudousers myuser
exit

EDIT: A clarifying example about exceptions and scope:

Defaults rootpw
myuser ALL=(ALL) ALL
%sudousers ALL=(ALL) ALL
Defaults:%sudousers !rootpw

This requires myuser to know the root password, but requires any member of the sudousers group to use their own password. Note that if myuser is a member of sudousers then this behaviour overrides rootpw for them too (last matching entry overrides previous entries).

Paul Parker
  • 161
  • 1
  • 3
  • 1
    Great explanation. More detailed than the step-by-step I posted (which worked based on Ubuntu defaults). – SRDC Jun 08 '19 at 03:18
  • So if I write defaults rootpw followed immediately by myuser ALL=(ALL) ALL, the "defaults rootpw" requirement will only apply to that user and no other user? Same for the group option with %sudousers? – Blaisem Mar 29 '20 at 00:35
  • I've made a clarifying edit. – Paul Parker Mar 30 '20 at 00:21
5

I know this question is old, but it is the most concise question I've found for this use case (which is a minor percentage, true, but nonetheless legitimate and helpful in the right scenario).

After putting all the steps together from various sources - including multiple answers to this question, these steps work on Ubuntu-Gnome 16.04 LTS:

  1. Set a password for root
    • This is CRITICAL to do FIRST! (Ubuntu automatically has no password for the ROOT user due to the standard security configuration.
    • If you do not do this first, you will lock yourself out from accessing root privileges. This can be overcome by booting in with a Live Disk, mounting the hard drive, and editing the sudoers file, but it's best to avoid that.
    • Open a terminal and enter: sudo passwd
    • Set your new password for the ROOT user.
  2. Change the SUDO configuration to require the root password
    • SUDO requires the user requesting root privileges
    • Setting the "rootpw" flag instead tells SUDO to require the password for the root user.
    • Open a terminal and enter: sudo visudo
    • This will open the "/etc/sudoers" file
    • After the other "Defaults" line, add: Defaults rootpw
    • Save it (assuming you are in nano, which is the default, this is CTRL+O)
    • Close the file (CTRL+X) & exit the terminal
  3. You're done!

Just a quick note - I also wanted to make sure that the root user couldn't be used to login from the graphical login, and so was looking into ways to excluded. Apparently, the root user is excluded by default, and cannot be used to login through the Gnome graphical login - which is a very good thing!

SRDC
  • 168
  • 1
  • 4
  • Could you suggest improvements to reverse a downvote? – SRDC Nov 09 '16 at 16:05
  • Doesn't seem to be wrong. – Ruslan Mar 08 '17 at 13:30
  • 1
    Possibly because a simple (and working) config of: `root ALL=(ALL) ALL Defaults targetpw ALL ALL=(ALL) ALL` Allows root sudo for every user that knows the root password. Naively changing the last two lines to your solution `Defaults rootpw` causes a lockout from `sudo`. You also need to add your user to `sudoers` like so: `myusername ALL=(ALL) ALL` or give similar privileges to a group and then add `myusername` to that group. – Paul Parker Apr 05 '19 at 04:12
0

You could just turn off sudo and use su -c.

Nitrodist
  • 1,608
  • 2
  • 13
  • 25
  • Inconvenient because I have to enter my password every time I run it. The use case here is having to run multiple commands as root in quick succession. – David Z Jul 09 '10 at 05:45
-1

Using

sudo su

will let you run as many commands as you want in succession.

  • 2
    Good idea, but unless I change `sudo` to prompt for the root password, this would still allow someone to gain root access by presenting only one password (not root's). So it doesn't really address the security concern that prompted my question. – David Z Jul 09 '10 at 20:14
  • Instead of using sudo's capacity to limit access by user you are exposing your root password to a number of users. You are also removing the capability of securing your server by removing the password from root. – BillThor Jul 10 '10 at 02:53