How do I make sudo ask for the root password?

When I run sudo as a normal unprivileged user, it asks for my password, not the root password. That's often convenient, but it reduces the amount of information someone would have to have in order to run commands as root. So how can I make sudo ask for the root password instead of the invoking user's password?

I know it'd be done with a line in /etc/sudoers, but I can never seem to properly parse the BNF grammar in the man page to figure out exactly what to write.

2

6 Answers

Ok, here it is again so you can set the checkmark.

In /etc/sudoers, add this line:

Defaults rootpw

to turn on the rootpw flag, making sudo ask for the root password.

1

You need to turn the rootpw flag on.

0

I know this question is old, but it is the most concise question I've found for this use case (which is a minor percentage, true, but nonetheless legitimate and helpful in the right scenario).

After putting all the steps together from various sources - including multiple answers to this question, these steps work on Ubuntu-Gnome 16.04 LTS:

  1. Set a password for root
    • This is CRITICAL to do FIRST! (Ubuntu automatically has no password for the ROOT user due to the standard security configuration.)
    • If you do not do this first, you will lock yourself out from accessing root privileges. This can be overcome by booting in with a Live Disk, mounting the hard drive, and editing the sudoers file, but it's best to avoid that.
    • Open a terminal and enter: sudo passwd
    • Set your new password for the ROOT user.
  2. Change the SUDO configuration to require the root password
    • SUDO requires the user requesting root privileges
    • Setting the "rootpw" flag instead tells SUDO to require the password for the root user.
    • Open a terminal and enter: sudo visudo
    • This will open the "/etc/sudoers" file
    • After the other "Defaults" line, add: Defaults rootpw
    • Save it (assuming you are in nano, which is the default, this is CTRL+O)
    • Close the file (CTRL+X) & exit the terminal
  3. You're done!

Just a quick note - I also wanted to make sure that the root user couldn't be used to log in from the graphical login, and so was looking into ways to exclude it. Apparently, the root user is excluded by default, and cannot be used to log in through the Gnome graphical login - which is a very good thing!

3
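The lockout warned about in step 1 of the answer above can be checked mechanically before a draft sudoers file is installed. The script below is an added example, not part of any answer on this page; the function names and the idea of passing file paths as arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before installing a sudoers draft that sets rootpw.
# Usage (as root): sh preflight.sh /etc/shadow /path/to/sudoers.draft

# Succeeds only if root's password field holds a real hash. An empty field,
# or one starting with '!' or '*' (locked, the Ubuntu default), fails.
root_password_usable() {
    awk -F: '$1 == "root" { found = 1; ok = ($2 != "" && $2 !~ /^[!*]/) }
             END { if (found && ok) exit 0; exit 1 }' "$1"
}

# Succeeds if the last global "Defaults" entry mentioning rootpw turns it on.
# Simplification: scoped entries such as "Defaults:%group" are ignored.
rootpw_enabled() {
    awk '$1 == "Defaults" {
             gsub(/,/, " ")               # "env_reset,rootpw" -> separate fields
             for (i = 2; i <= NF; i++) {
                 if ($i == "rootpw")  on = 1
                 if ($i == "!rootpw") on = 0
             }
         }
         END { if (on) exit 0; exit 1 }' "$1"
}

# preflight SHADOW_FILE SUDOERS_DRAFT
# Returns 0 when installing the draft cannot leave sudo asking for a
# root password that does not exist; returns 1 otherwise.
preflight() {
    if ! rootpw_enabled "$2"; then
        echo "draft does not enable rootpw"
        return 0
    fi
    if ! root_password_usable "$1"; then
        echo "refusing: root has no usable password, run 'sudo passwd' first"
        return 1
    fi
    echo "ok: rootpw is set and root has a password hash"
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```
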

A common configuration that requires the password of the target (not what we want):

Defaults targetpw
ALL ALL=(ALL) ALL

The second line would read out loud like: "ALL users on ALL hosts can impersonate (ALL) users when executing ALL commands." and the Defaults targetpw means that they need to know the password of the user they are impersonating to do so.

Naively changing this simple config to:

Defaults rootpw

wouldn't leave any user or group with the privilege to run commands as another user.

One working possibility would be:

Defaults rootpw
myuser ALL=(ALL) ALL

In plain English, myuser now has the ability to run ALL commands as any user on ALL hosts, so long as the root password is known.

Another working possibility would be:

Defaults rootpw
%sudousers ALL=(ALL) ALL

Any member of the sudousers group will have the ability to run ALL commands as any user on ALL hosts, so long as the root password is known. To allow myuser to run sudo commands, sudousers would need to be added to its secondary groups.

su
usermod -a -G sudousers myuser
exit

EDIT: A clarifying example about exceptions and scope:

Defaults rootpw
myuser ALL=(ALL) ALL
%sudousers ALL=(ALL) ALL
Defaults:%sudousers !rootpw

This requires myuser to know the root password, but requires any member of the sudousers group to use their own password. Note that if myuser is a member of sudousers then this behaviour overrides rootpw for them too (last matching entry overrides previous entries).

3

You could just turn off sudo and use su -c.

1

Using

sudo su

will let you run as many commands as you want in succession.

2
