Sudoers NOPASSWD for single executable but allowing others
man 5 sudoers says ("Sudoers File Format" section):
When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
So you should have these lines exactly in this order:
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh
and any line that also matches (like e.g. %sudo ALL=(ALL:ALL) ALL) should be before the NOPASSWD line.
General note: #include and #includedir allow sudoers to include other files. Don't let # fool you, these are not comments. While searching for entries that may interfere, you shouldn't omit what #include and #includedir point to. Helpful option: sudo -l.
You will often find a line like this in /etc/sudoers:
# Allow members of group sudo to execute any command
%wheel ALL=(ALL:ALL) ALL
This will allow any user that is in the "wheel" group to make use of sudo with suitable proof of identity (e.g: their password). The nominated group may also be "sudo", "admin", or others... (e.g: line starts with %sudo)
If this is present in the file, then run id to see what groups you're in:
$ id
uid=1000(attie) gid=1000(attie) groups=1000(attie),27(sudo),117(docker)
If your user isn't in the appropriate group, then you must add your user to that group.
An alternative would be to list both of your rules one-by-one, with the last matching rule taking effect (i.e: order is important):
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh
See the ArchWiki page on sudo: https://wiki.archlinux.org/index.php/sudo#Example_entries
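The last-match rule that both answers rely on, as an added example (not part of the original answers and not sudo's own code): a simplified Python model that evaluates entries in file order and shows how a later %sudo line overrides the NOPASSWD entry. The function names and the two sample files are constructed for illustration; aliases, Defaults, negation, wildcards and included files are assumed absent.

```python
import re

# Simplified model of "who host=(runas) [TAG:] cmd[, [TAG:] cmd ...]" entries.
# Not handled: aliases, Defaults, negation, wildcards, #include/#includedir
# (lines starting with '#' are skipped, so included files must be fed in too).
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*(.*)$")

def parse(text):
    """Return [(who, command, needs_password), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, spec = m.groups()
        needs_password = True  # no tag means a password is required
        for cmd in spec.split(","):
            cmd = cmd.strip()
            t = TAG.match(cmd)
            if t:  # a tag also covers the commands after it on the same line
                needs_password = t.group(1) == "PASSWD"
                cmd = t.group(2).strip()
            rules.append((who, cmd, needs_password))
    return rules

def decide(text, user, groups, command):
    """Last matching entry wins: 'denied', 'password' or 'nopasswd'."""
    result = "denied"
    for who, cmd, needs_password in parse(text):
        who_ok = who in (user, "ALL") or (who[0] == "%" and who[1:] in groups)
        if who_ok and cmd in ("ALL", command):
            result = "password" if needs_password else "nopasswd"
    return result

SCRIPT = "/home/username/script.sh"
# Constructed sample files: the same three entries in a different order.
GOOD = """%sudo ALL=(ALL:ALL) ALL
username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh"""
BAD = """username ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: /home/username/script.sh
%sudo ALL=(ALL:ALL) ALL"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, decide(text, "username", {"sudo"}, SCRIPT))
```

With the BAD ordering the script only runs without a password when the user is not in the sudo group, which is why group entries have to be checked as well as per-user ones.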