While following the Linux Upskill challenge, I came across some unexpected behaviour: issuing
sudo <command> didn’t prompt me for a password. No problem I thought; I simply need to set a password for my account. While I’m thinking of it, let’s update the password for root too, after all our ec2 instance isn’t using a firewall yet.
su - root passwd root passwd ubuntu exit
Passwords duly set, the password wasn’t prompted:
Let’s check I’m in the
So there must be some config that means I’m not prompted for a password. Let’s look at the
There’s nothing in there that is obviously preventing the password prompt. This question on Stack Overflow suggests that the problem may be a file in
/etc/sudoers.d. Let’s look for all instance of
grep -rl NOPASSWD /etc/sudoers.d
Let’s look at the file (note the lazy history expansion):
# User rules for ubuntu ubuntu ALL=(ALL) NOPASSWD:ALL
This line means I’ll never be prompted for a password. Let’s fix that by commenting it out.
su - root vi /etc/sudoers.d/90-cloud-init-users
Oh! The file isn’t writeable. I could use
visudo to edit it, but that is defaulting to use
nano. Ugh, no thanks.
Instead, let’s check, and fix the file permissions
ls -l /etc/sudoers.d/90-cloud-init-users
It’s owned by root, but root cannot write to it. Let’s temporarily make the file writeable:
chmod 640 /etc/sudoers.d/90-cloud-init-users
Now we can edit it, and return the permissions
vi /etc/sudoers.d/90-cloud-init-users chmod 440 /etc/sudoers.d/90-cloud-init-users exit # exit the root acct, we don't need it any more
and test that we are being prompted for the password correctly:
sudo apt update