While following the Linux Upskill challenge, I came across some unexpected behaviour: issuing sudo <command> didn’t prompt me for a password. No problem, I thought; I simply need to set a password for my account. While I’m thinking of it, let’s update the password for root too; after all, our EC2 instance isn’t using a firewall yet.

su - root
passwd root
passwd ubuntu
exit

Passwords duly set, I still wasn’t prompted for a password:

huh? Why am I not being asked for a password?

Let’s check I’m in the sudo group:

groups looks OK

So there must be some config that means I’m not prompted for a password. Let’s look at the /etc/sudoers file:

cat /etc/sudoers

There’s nothing in there that is obviously preventing the password prompt. This question on Stack Overflow suggests that the problem may be a file in /etc/sudoers.d. Let’s look for all instances of NOPASSWD:

grep -rl NOPASSWD /etc/sudoers.d

Output

/etc/sudoers.d/90-cloud-init-users

Let’s look at the file (note the lazy history expansion):

more $(!!)

Output

# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL

This line means I’ll never be prompted for a password. Let’s fix that by commenting it out.

su - root
vi /etc/sudoers.d/90-cloud-init-users

wait, it's not writeable?

Oh! The file isn’t writeable. I could use visudo to edit it, but that is defaulting to use nano. Ugh, no thanks.

Instead, let’s check and fix the file permissions:

ls -l /etc/sudoers.d/90-cloud-init-users

what permissions does the file have?

It’s owned by root, but root cannot write to it. Let’s temporarily make the file writeable:

chmod 640 /etc/sudoers.d/90-cloud-init-users

Now we can edit it, and restore the permissions:

editing once the permissions are changed

vi /etc/sudoers.d/90-cloud-init-users
chmod 440 /etc/sudoers.d/90-cloud-init-users
exit # exit the root acct, we don't need it any more

and test that we are being prompted for the password correctly:

sudo apt update

hooray! we're asked for a password
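
The audit and edit steps above as a reusable script, added here and not part of the original post: unlike grep -rl it ignores commented-out rules and drop-in files that sudo never reads, and it validates a staged copy with visudo -c before replacing the live file. The function names and the staging approach are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print active NOPASSWD rules in a sudoers drop-in directory as file:line:rule.
# Follows sudo's parsing: file names ending in "~" or containing "." are never
# read, "#..." is a comment, but "#1000 ..." is a rule for the user with UID 1000.
active_nopasswd() {
    local dir=$1 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in *~|*.*) continue ;; esac
        awk -v file="$f" '
            /^[ \t]*#([^0-9]|$)/ { next }                 # whole-line comment
            { line = $0; sub(/[ \t]#.*$/, "", line) }     # drop trailing comment
            line ~ /NOPASSWD[ \t]*:/ { printf "%s:%d:%s\n", file, NR, $0 }
        ' "$f"
    done
    return 0
}

# Write a copy of file $1 to stdout with every active NOPASSWD rule commented out.
comment_out_nopasswd() {
    awk '
        /^[ \t]*#([^0-9]|$)/ { print; next }
        { line = $0; sub(/[ \t]#.*$/, "", line) }
        line ~ /NOPASSWD[ \t]*:/ { print "# " $0; next }
        { print }
    ' "$1"
}

# Stage the edit, validate it, then replace the live file (run as root).
# A drop-in with a syntax error can leave sudo unusable, so nothing is
# installed unless visudo accepts the staged copy; install(1) sets mode 0440.
fix_dropin() {
    local target=$1 staged
    staged=$(mktemp) || return 1
    comment_out_nopasswd "$target" > "$staged"
    if visudo -c -f "$staged" >/dev/null; then
        install -o root -g root -m 0440 "$staged" "$target"
    else
        echo "refusing to install: $staged failed validation" >&2
        rm -f "$staged"; return 1
    fi
    rm -f "$staged"
}

# Optional: pass a directory (e.g. /etc/sudoers.d) to audit it.
if [ -n "${1:-}" ]; then active_nopasswd "$1"; fi
```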