Add a sudoer non-interactively from command line

Question

(On Centos through Docker)

I know that I can add a sudoer using visudo. Is there a way to add a user to the sudoer list straight from the command line, so I don't have to do it interactively?

I'm asking because I'm trying to provision my Docker centos container which doesn't play with interactivity.

Answer 1

I had a similar issue trying to get my docker container to allow jenkins scripts to use sudo commands without prompting for a password.

This was solved via the Dockerfile:

RUN echo "jenkins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Answer 2

You could use cat to append text to the end of /etc/sudoers. First, make a backup copy of your /etc/sudoers file. Then:

cat >> /etc/sudoers
...type one or more lines here...
[control-D]

Make absolutely sure to use two greater-than characters (>>) and not just one, or else you will overwrite the entire contents of your file.

Answer 3

A common arrangement for appending to files which require privileged access is to use tee. Its primary purpose, of course, is to write to two places, but you can discard one of them and use the side effect that sudo tee -a gives you privileged append.

So, something like

printf 'you ALL=(ALL:ALL) ALL\n' | sudo tee -a /etc/sudoers >/dev/null

I will concur with the comments to add the user to the sudoers group instead to solve this particular problem.

Answer 4

Here's how I setup a non-root user with the base image of ubuntu:18.04:

RUN \
    groupadd -g 999 foo && useradd -u 999 -g foo -G sudo -m -s /bin/bash foo && \
    sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
    sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
    sed -i /etc/sudoers -re 's/^#includedir.*/## **Removed the include directive** ##"/g' && \
    echo "foo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
    echo "Customized the sudoers file for passwordless access to the foo user!" && \
    echo "foo user:";  su - foo -c id

What happens with the above code:

• The user and group foo is created.
• The user foo is added to the both the foo and sudo group.
• The uid and gid is set to the value of 999.
• The home directory is set to /home/foo.
• The shell is set to /bin/bash.
• The sed command does inline updates to the /etc/sudoers file to allow foo and root users passwordless access to the sudo group.
• The sed command disables the #includedir directive that would allow any files in subdirectories to override these inline updates.

Answer 5

A more modern method, given the age of this post, is to place a per-user file in /etc/sudoers.d/ or the appropriate similar location for whatever OS is at reference. So long as your sudoers file contains a line like:

#includedir /etc/sudoers.d

Then a script like this can be used to create a per-user sudoers file for any valid username:

#/usr/bin/env bash

SUDOERS_DIR='/etc/sudoers.d/'

if [ $# -eq 1 ]
then
    printf '%s ALL=(ALL:ALL) ALL\n' "$1" > "$SUDOERS_DIR$1" && \
        chmod 600 "$SUDOERS_DIR$1"
else
    printf 'usage: $0 (username)\n'
    printf '(username) will be given sudo privileges\n'
    exit 1
fi

With this, an unprivileged user:

/home/jim> sudo -i
Password:
jim is not in the sudoers file.  This incident will be reported.

can easily be given sudo access on a per-user basis:

/root# ./addsudo.sh 
usage: $0 (username)
(username) will be given sudo privileges
/root# ./addsudo.sh jim
/root# ls -l /etc/sudoers.d/
total 1
-rw-------  1 root  wheel  22 Oct  4 15:35 jim
/root# cat /etc/sudoers.d/jim
jim ALL=(ALL:ALL) ALL

And voila:

/home/jim> sudo -i
Password:
/root#

When the time comes to revoke the sudo privileges, simply rm the file for that user:

# rm /etc/sudoers.d/jim

Answer 6

To be able to do that, you should make sure you have the following line in your sudoers file:

%sudo   ALL=(ALL:ALL) ALL

You can customize the above line to change the permissions just as though %sudo was a user. That line will allow any users in the sudo group to use sudo.

Now to allow <username> to use sudo, you can just do usermod -a -G sudo <username> as root, which adds <username> to the sudo group.

Answer 7

At the moment of the user creation, you can specify the user someone belongs to the sudo group in this way:

useradd --groups sudo someone

If it is an already existent user, you can add it to a new group in this way:

gpasswd --add someone sudo

See this answer if you want to know why I prefer gpasswd to usermod.

Answer 8

You could start by enabling the 'wheel' group in sudoers, and after you only need to add users to that group. Avoids convoluting the sudoers file.