10

(On CentOS through Docker)

I know that I can add a sudoer using visudo. Is there a way to add a user to the sudoer list straight from the command line, so I don't have to do it interactively?

I'm asking because I'm trying to provision my Docker CentOS container, which doesn't play with interactivity.

Seth Bergman
Roy Truelove

8 Answers

19

I had a similar issue trying to get my docker container to allow jenkins scripts to use sudo commands without prompting for a password.

This was solved via the Dockerfile:

RUN echo "jenkins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
TemporalWolf
3

You could use cat to append text to the end of /etc/sudoers. First, make a backup copy of your /etc/sudoers file. Then:

cat >> /etc/sudoers
...type one or more lines here...
[control-D]

Make absolutely sure to use two greater-than characters (>>) and not just one, or else you will overwrite the entire contents of your file.

mhucka
  • 5
    how is this "non-interactively"? and why is this answer accepted? – Alexander Mills Dec 20 '16 at 09:31
  • 1
    The OP asked for a way to do it from the command line, without using an editor such as `visudo`. I believe they meant "interactive" in the sense of using an editor; thus, this is "non-interactive" because this approach does not require an editor. (Obviously, a person will still have to type the user names _somehow_, so there is no getting around that part.) As for why it was accepted, well, I guess it must have addressed the OP's question well enough that they were satisfied. – mhucka Dec 21 '16 at 03:17
  • ok, to me interactive means anything requiring live user-input. Editor or command line. Semantics I guess. thanks. – Alexander Mills Dec 21 '16 at 03:18
  • What you say makes sense too – the expression is ambiguous enough that people usually need to say something more to clarify their intentions. I took a guess, but could easily have been wrong. In practical terms, what I wrote above could be written into a script file (e.g., an sh script); what TemporalWolf wrote _is_ what goes into a script file. And honestly, considering that the OP's question was specifically about Docker, I think TemporalWolf's answer might actually be a better one. – mhucka Dec 21 '16 at 03:29
  • @AlexanderMills You're right that this is interactive, but it can easily be tweaked to become non-interactive. – Dessa Simpson Mar 05 '18 at 05:31
2

Here's how I set up a non-root user with the base image of ubuntu:18.04:

RUN \
    groupadd -g 999 foo && useradd -u 999 -g foo -G sudo -m -s /bin/bash foo && \
    sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
    sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
    sed -i /etc/sudoers -re 's/^#includedir.*/## **Removed the include directive** ##/g' && \
    echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
    echo "Customized the sudoers file for passwordless access to the foo user!" && \
    echo "foo user:";  su - foo -c id

What happens with the above code:

  • The user and group foo are created.
  • The user foo is added to both the foo and sudo groups.
  • The uid and gid are set to the value of 999.
  • The home directory is set to /home/foo.
  • The shell is set to /bin/bash.
  • The sed command does inline updates to the /etc/sudoers file to allow foo and root users passwordless access to the sudo group.
  • The sed command disables the #includedir directive that would allow any files in subdirectories to override these inline updates.
Seth Bergman
2

A more modern method, given the age of this post, is to place a per-user file in /etc/sudoers.d/ or the appropriate similar location for whatever OS is at reference. So long as your sudoers file contains a line like:

#includedir /etc/sudoers.d

Then a script like this can be used to create a per-user sudoers file for any valid username:

#!/usr/bin/env bash

SUDOERS_DIR='/etc/sudoers.d/'

if [ $# -eq 1 ]
then
    printf '%s ALL=(ALL:ALL) ALL\n' "$1" > "$SUDOERS_DIR$1" && \
        chmod 600 "$SUDOERS_DIR$1"
else
    printf 'usage: $0 (username)\n'
    printf '(username) will be given sudo privileges\n'
    exit 1
fi

With this, an unprivileged user:

/home/jim> sudo -i
Password:
jim is not in the sudoers file.  This incident will be reported.

can easily be given sudo access on a per-user basis:

/root# ./addsudo.sh 
usage: $0 (username)
(username) will be given sudo privileges
/root# ./addsudo.sh jim
/root# ls -l /etc/sudoers.d/
total 1
-rw-------  1 root  wheel  22 Oct  4 15:35 jim
/root# cat /etc/sudoers.d/jim
jim ALL=(ALL:ALL) ALL

And voila:

/home/jim> sudo -i
Password:
/root#

When the time comes to revoke the sudo privileges, simply rm the file for that user:

# rm /etc/sudoers.d/jim
Jim L.
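
The drop-in approach from the answer above, adapted for unattended provisioning such as a Dockerfile RUN step (an added example, not the answer author's script): the rule is written to a temporary file, checked with visudo -cf, and only installed if the check passes. The names add_sudoer, SUDOERS_DIR and VISUDO are chosen for this example.

```shell
#!/bin/sh
# Added example: install a validated per-user drop-in under /etc/sudoers.d.
# add_sudoer, SUDOERS_DIR and VISUDO are names chosen for this sketch.

SUDOERS_DIR=${SUDOERS_DIR:-/etc/sudoers.d}
VISUDO=${VISUDO:-visudo}

add_sudoer() {
    user=$1
    # sudo skips files in an #includedir directory whose names contain '.'
    # or end in '~', and the name becomes part of a path, so accept only a
    # conservative character set.
    case $user in
        ''|-*|*[!A-Za-z0-9_-]*)
            echo "add_sudoer: refusing user name '$user'" >&2
            return 2 ;;
    esac

    tmp=$(mktemp) || return 1
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$tmp"

    # Syntax-check the candidate before it goes live: a syntax error in a
    # sudoers file can leave sudo unusable.
    if ! "$VISUDO" -cf "$tmp" >/dev/null; then
        echo "add_sudoer: rule failed the visudo check, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi

    # 0440 is sudo's default mode for sudoers files; install(1) sets it on copy.
    install -m 0440 "$tmp" "$SUDOERS_DIR/$user"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run as a script, as root: ./add_sudoer.sh jim
if [ "$#" -eq 1 ]; then
    add_sudoer "$1"
fi
```

Revoking access is still a matter of removing the user's file from the drop-in directory.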
2

To be able to do that, you should make sure you have the following line in your sudoers file:

%sudo   ALL=(ALL:ALL) ALL

You can customize the above line to change the permissions just as though %sudo was a user. That line will allow any users in the sudo group to use sudo.

Now to allow <username> to use sudo, you can just do usermod -a -G sudo <username> as root, which adds <username> to the sudo group.

BenjiWiebe
1

A common arrangement for appending to files which require privileged access is to use tee. Its primary purpose, of course, is to write to two places, but you can discard one of them and use the side effect that sudo tee -a gives you privileged append.

So, something like

printf 'you ALL=(ALL:ALL) ALL\n' | sudo tee -a /etc/sudoers >/dev/null

I will concur with the comments to add the user to the sudoers group instead to solve this particular problem.

tripleee
0

At the moment of user creation, you can specify that the user someone belongs to the sudo group in this way:

useradd --groups sudo someone

If it is an already existing user, you can add it to a new group in this way:

gpasswd --add someone sudo

See this answer if you want to know why I prefer gpasswd to usermod.

whoan
0

You could start by enabling the 'wheel' group in sudoers, and after that you only need to add users to that group. This avoids convoluting the sudoers file.

bbaassssiiee