How secure is NOPASSWD in passwordless sudo mode?

NOPASSWD doesn't have a major impact on security. Its most obvious effect is to provide protection when the user leaves his workstation unattended: an attacker with physical access to his workstation can then extract data, perform actions and plant malware with the user's permissions, but not elevate his access to root. This protection is of limited use because the attacker can plant a keylogger-type program that records the user's password the next time he enters it at a sudo prompt or in a screensaver.

Nonetheless, requiring the password does raise the bar for the attacker. In many cases, protection against unsophisticated attackers is useful, particularly in unattended-workstation scenarios where the attack is often one of opportunity and the attacker may not know how to find and configure discreet malware at short notice. Furthermore, it is harder to hide malware when you don't have root permissions — you can't hide from root if you don't have root.

There are some realistic scenarios where the lack of a password does protect even against sophisticated attackers. For example, a stolen laptop: the user's laptop is stolen, complete with private SSH keys; either the thief manages to guess the password for the key file (perhaps by brute force), or he gains access to them from a memory dump of a key agent. If the theft is detected, this is a signal to investigate recent activity on that user's account, and this means that any planted malware should be detected. If the attacker only had user-level access, anything he did will leave traces in logs; if the attacker obtained the user's password and ran sudo, all logs are now compromised.

I don't know whether the downsides of NOPASSWD balance the upsides for your use case. You need to balance that against all the other factors of your situation. For example, it seems that you allow but don't enforce having different passwords. Can you instead use a centralized account database? How much containment do you need between your systems? Are you considering alternatives to Ansible that would support differing sudo passwords? Have you considered other authentication mechanisms?


There are two specific cases why you don't want passwordless sudo:

  1. This is a defense mechanism against malicious users who gain access to an administrative account. This can either be through exploitation or due to an admin leaving his workstation unattended without locking his session.
  2. Having to re-issue the password when using sudo gives impulsive users the time to think twice before actually performing the action.

About automation:

I agree you can do this passwordless, but by not requiring the sudo password you are actually giving ALL access to your automation tool. Now think: what is the tool actually required to do? Does it really need all these accesses? Probably not.

Sudo comes with a nice feature which allows you to configure specific commands with the NOPASSWD flag within the sudoers file:

    username myhost = (root) NOPASSWD: /sbin/shutdown
    username myhost = (root) NOPASSWD: /sbin/reboot
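
An added example, not part of the answers on this page: a small audit that lists every command a sudoers file allows without a password and separates blanket `NOPASSWD: ALL` grants from per-command ones like the two rules above. The sample file, the account names other than `username myhost`, and the function name `audit_nopasswd` are constructed for illustration; the parser assumes one user per rule and does not follow includes, aliases or `Defaults` that change authentication.

```python
import re

# Constructed sample sudoers text; only the two "username myhost" rules come
# from the answer above, every other account and path is made up.
SAMPLE = """\
# automation account with blanket access
ansible ALL = (ALL) NOPASSWD: ALL
username myhost = (root) NOPASSWD: /sbin/shutdown
username myhost = (root) NOPASSWD: /sbin/reboot
deploy web1 = (root) NOPASSWD: /usr/bin/systemctl restart app, \\
    PASSWD: /usr/bin/apt
%admin ALL = (ALL) ALL
Defaults env_reset
"""

def audit_nopasswd(text):
    """Return (user, host, command, scope) for each password-free command."""
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)        # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # naive: drops comments (and #uid forms)
        if not line or re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        left, _, right = line.partition("=")
        parts = left.split(None, 1)
        if len(parts) != 2:
            continue
        who, host = parts[0], parts[1].strip()
        # Drop the optional leading Runas spec, e.g. "(root)".
        cmds = re.sub(r"^\s*\([^)]*\)\s*", "", right)
        nopasswd = False                        # password required unless tagged
        for cmd in re.split(r"(?<!\\),", cmds):
            cmd = cmd.strip()
            # A tag prefixes a command and is inherited by the commands after
            # it in the same list until PASSWD:/NOPASSWD: overrides it.
            while (tag := re.match(r"([A-Z_]+):\s*", cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            if nopasswd:
                scope = "unrestricted" if cmd == "ALL" else "scoped"
                findings.append((who, host, cmd, scope))
    return findings

if __name__ == "__main__":
    for who, host, cmd, scope in audit_nopasswd(SAMPLE):
        print(f"{scope:12} {who}@{host}: {cmd}")
```

Entries reported as `unrestricted` are the ones that hand the whole machine to whatever runs under that account; `scoped` entries still need a review of what each listed command can do as root.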

One thing it doesn't look like anyone's pointed out for some reason (correct me if I'm wrong) is that it enables any program you run to elevate to root access without you knowing. Normally, if you accidentally run a malicious program or script as a non-root user without sudo, then while it may still be able to do a lot of damage, it still (barring a separate exploit) won't have root privileges. So you at least won't need to worry about a rootkit or anything. But with NOPASSWD mode, you don't have that protection. Any program that runs under your user will be able to escalate to root by re-invoking itself with sudo. The malware still needs to specifically be programmed to do this, and it won't have root access otherwise, but then what about malicious code that does do that?