Sudoers NOPASSWD for single executable but allowing others

man 5 sudoers says ("Sudoers File Format" section):

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

So you should have these lines exactly in this order:

username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh

and any line that also matches (like e.g. %sudo ALL=(ALL:ALL) ALL) should be before the NOPASSWD line.

General note: #include and #includedir allow sudoers to include other files. Don't let # fool you, these are not comments. While searching for entries that may interfere, you shouldn't omit what #include and #includedir point to. Helpful option: sudo -l.


You will often find a line like this in /etc/sudoers:

# Allow members of group sudo to execute any command
%wheel   ALL=(ALL:ALL) ALL

This will allow any user that is in the "wheel" group to make use of sudo with suitable proof of identity (e.g: their password). The nominated group may also be "sudo", "admin", or others... (e.g: line starts with %sudo)

If this is present in the file, then run id to see what groups you're in:

$ id
uid=1000(attie) gid=1000(attie) groups=1000(attie),27(sudo),117(docker)

If your user isn't in the appropriate group, then you must add your user to that group.


An alternative would be to list both of your rules one-by-one, with the last matching rule taking effect (i.e: order is important):

username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh

See the ArchWiki page on sudo: https://wiki.archlinux.org/index.php/sudo#Example_entries