[sudo-users] NOPASSWD option prompts for pw if user attempts cmd not in auth list.

Roland Winson winson at us.ibm.com
Fri Feb 8 18:06:09 EST 2008



We have some Unix scripts that ssh to many servers to run some automated
tasks for us.  The nopasswd option is specified in the sudoers stanza to
allow these programs to run unattended, but occasionally the Server Admin
makes an error in setting up the sudoers file.  The effect is that if the
command is not in the sudo stanza (missing or misspelled) sudo prompts for
a pw (hanging the program).  It would save a lot of troubleshooting time
if sudo could simply error and say that I am not authorized when the stanza
says NOPASSWD and the command is not resolved in the sudoers stanza, rather
than requiring me to enter a password to be told I am not authorized.

I can create the same condition from running this from a Unix shell.  Here
is an example demonstrating this issue:

# As you see this xxx id can sudo the cat cmd:
$ sudo -l
User xxx may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/cat

# I show that it works as intended without pw prompt:
$ sudo cat temp.txt
Hello World

# But if I run a command that is not in the sudoers stanza I get a pw
prompt instead of an immediate "... not allowed..." message.
$ sudo faillog
Password:
Sorry, user xxx is not allowed to execute '/usr/bin/faillog' as root on
serverx

# sudo version in this example:
$ sudo -V
Sudo version 1.6.7p5

Again, it would be great if sudo respected the "NOPASSWD" option, and just
errored with the msg "... not allowed...".
Any solution in the works, or recommendations?

Thanks
Roland Winson
Unix Admin
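One way an unattended script can avoid the hang described above is to consult the `sudo -l` listing itself before invoking a command, and refuse (with a clear error and a non-zero exit) when the command is not on a NOPASSWD line. The script below is an added example, not code from the post or from the sudo project; it parses a constructed listing in the format the post shows, and the `nopasswd_allowed` / `run_unattended` function names are my own. It assumes `sudo -l` does not itself prompt for the scripted user (it did not in the post; the sudoers `listpw` default controls that). Later sudo releases also offer `sudo -n`, which fails instead of prompting when a password would be required, which removes the need for this pre-check where it is available.

```shell
#!/bin/sh
# Added example (not from the original post): decide from a `sudo -l` listing
# whether a command is granted NOPASSWD, so an unattended job fails fast with a
# message instead of blocking on a "Password:" prompt.

# Constructed sample of `sudo -l` output, in the layout the post shows.
# Real output may list several commands per line, comma-separated, or "ALL".
SAMPLE_SUDO_L='User xxx may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/cat, /usr/bin/ls
    (root) /usr/bin/faillog'

# nopasswd_allowed LISTING CMD
# Exit 0 if CMD (full path, as sudoers resolves it) appears after "NOPASSWD:"
# on some line of LISTING (or that line grants ALL), exit 1 otherwise.
nopasswd_allowed() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        /NOPASSWD:/ {
            after = 0
            for (i = 1; i <= NF; i++) {
                if (after) {
                    f = $i
                    sub(/,$/, "", f)          # strip trailing comma from a list
                    if (f == cmd || f == "ALL") found = 1
                }
                if ($i == "NOPASSWD:") after = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# run_unattended LISTING CMD [ARGS...]
# Run CMD via sudo only when the listing grants it without a password;
# otherwise print why and return 77 so the calling job can log and move on.
run_unattended() {
    listing=$1
    cmd=$2
    shift 2
    if nopasswd_allowed "$listing" "$cmd"; then
        sudo "$cmd" "$@"
    else
        echo "refusing to run $cmd: not granted NOPASSWD in sudoers listing" >&2
        return 77
    fi
}

# Demonstration on the constructed listing (no sudo call is made here).
# In a real job replace SAMPLE_SUDO_L with: listing=$(sudo -l)
for c in /usr/bin/cat /usr/bin/ls /usr/bin/faillog /usr/bin/faillog2; do
    if nopasswd_allowed "$SAMPLE_SUDO_L" "$c"; then
        echo "$c: NOPASSWD granted"
    else
        echo "$c: would prompt for a password (or be denied)"
    fi
done
```

The check keys on the full path because that is what sudoers stores and what the "not allowed to execute '/usr/bin/faillog'" message reports; a misspelled or unresolved entry in the stanza shows up as a missing path here, which is exactly the admin error the post describes.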


